Just to make sure:

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:04 server program: This is really bad
[Note the last timestamp!]

would still make up for "three in a row"?

Now, syslog contains not only timestamps, but also hostnames. So how about

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server2 program: This is really bad
Jul 31 13:45:03 server program: This is really bad

And what about this:

Jul 31 13:45:03 server program2: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad

And would that trigger any alert at all:

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server2 program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program2: This is really bad
Jul 31 13:45:03 server program: This is really bad

Finally, does "three in a row" time out? So what would happen in the case below? Watch the timestamps and let's assume there are no other records inside the log:

Jul 29 13:45:03 server program: This is really bad
Jul 30 13:45:03 server program: This is really bad
Jul 31 13:45:04 server program: This is really bad

And a related question. You write:

> So then it could be $msg == 'This is really bad' or perhaps $msg
> contains 'really bad'. But for me, matching the exact $msg would be
> fine. :P

Does this imply you would like to do the "if $msg == 'this is really bad'" check? So far, I assume you do NOT do this but expect an alert to be raised whenever ANY message fulfills the identity criterion n times in a row. Please explain.

Thanks,
Rainer

> -----Original Message-----
> From: Julian Yap [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2008 1:50 AM
> To: Rainer Gerhards
> Cc: [email protected]
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Yes, this would be correct.
>
> In my example, a particular message string would be the same.
>
> Example:
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
>
> So then it could be $msg == 'This is really bad' or perhaps $msg
> contains 'really bad'. But for me, matching the exact $msg would be
> fine. :P
>
>
> On Thu, Jul 31, 2008 at 10:38 AM, Rainer Gerhards
> <[EMAIL PROTECTED]> wrote:
> > To clarify: be "a" the event in question and "b" any other event. Two
> > samples of an event sequence:
> >
> > 1. a - a - a - b
> > 2. a - a - b - a
> >
> > Result: in case 1 an alert is triggered, in case 2 not.
> >
> > Is this understanding correct?
> >
> > rainer
> >
> > ----- Original Message -----
> > From: "Julian Yap" <[EMAIL PROTECTED]>
> > To: "rsyslog-users" <[email protected]>
> > Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>;
> > "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > Sent: 31.07.08 21:59
> > Subject: Re: [rsyslog] Alert when multiple repeated lines are found
> >
> > That's pretty much it for now. I've written Alerts for single line
> > events. But for one particular event, it's only really a factor if it
> > happens three times in a row.
> >
> >
> > On Thu, Jul 31, 2008 at 8:37 AM, Rainer Gerhards
> > <[EMAIL PROTECTED]> wrote:
> >> What exactly do you need to do except the "three in a row" alert?
> >>
> >> ----- Original Message -----
> >> From: "Julian Yap" <[EMAIL PROTECTED]>
> >> To: "rsyslog-users" <[email protected]>
> >> Sent: 31.07.08 20:27
> >> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
> >>
> >> Hmm, Nagios is a pain to set up. Looking for something more light
> >> weight... Was hoping that I could have consolidated lots of Alerts
> >> under Rsyslog.
> >>
> >> Any other suggestions besides Swatch?
> >>
> >>
> >>
> >> On 7/31/08, (private) HKS <[EMAIL PROTECTED]> wrote:
> >>> Not in rsyslogd itself, but you could do this with Swatch, Nagios, or
> >>> some other monitoring-type software.
> >>>
> >>> -HKS
> >>>
> >>> On Wed, Jul 30, 2008 at 6:18 PM, Julian Yap <[EMAIL PROTECTED]> wrote:
> >>>> Is there a way to set an Alert when multiple repeated lines are found in a
> >>>> log?
> >>>>
> >>>> I want to spawn an email Alert if a message is received 3 times.
> >>>>
> >>>> Example log lines:
> >>>> Jul 30 04:19:29 localhost program: Error detected
> >>>> Jul 30 05:19:29 localhost program: Error detected
> >>>> Jul 30 06:19:29 localhost program: Error detected
> >>>>
> >>>> Thanks,
> >>>> Julian
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
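
The open questions in this thread (does the host or program belong to an event's identity, do lines from other sources break a run, does a run time out) can be made concrete as parameters of a small detector. The following is an added example, not code from the thread or from rsyslog; it is stand-alone Python rather than rsyslog configuration, and the function names, the three parameters and the year 2008 are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# RFC 3164-style line: "Mon DD HH:MM:SS host program: message"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

def parse(line, year=2008):
    """Return (ts, host, program, msg) or None; the year is assumed, the format has none."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def count_alerts(lines, n=3, same_source=True, per_source=False, max_gap=None):
    """Count alerts; one is raised each time a run of identical events reaches n.
    same_source: identity is (host, program, msg) rather than msg alone.
    per_source:  runs are tracked per host/program, so lines from other
                 sources do not interrupt a run.
    max_gap:     timedelta; a run expires when two repeats are further apart."""
    runs = {}  # stream key -> (identity, count, last timestamp)
    alerts = 0
    for ts, host, prog, msg in filter(None, map(parse, lines)):
        stream = (host, prog) if per_source else None
        ident = (host, prog, msg) if same_source else msg
        prev = runs.get(stream)
        expired = prev and max_gap is not None and ts - prev[2] > max_gap
        count = prev[1] + 1 if prev and prev[0] == ident and not expired else 1
        runs[stream] = (ident, count, ts)
        if count == n:
            alerts += 1
    return alerts

def sample(*rows):
    """Build log lines from (date, host, program) tuples with the thread's message."""
    return [f"{d} 13:45:03 {h} {p}: This is really bad" for d, h, p in rows]

# Constructed sample sequences, modelled on the ones in the thread.
MIXED = sample(("Jul 31", "server", "program"), ("Jul 31", "server2", "program"),
               ("Jul 31", "server", "program"), ("Jul 31", "server", "program2"),
               ("Jul 31", "server", "program"))
SPREAD = sample(("Jul 29", "server", "program"), ("Jul 30", "server", "program"),
                ("Jul 31", "server", "program"))

if __name__ == "__main__":
    print(count_alerts(MIXED), count_alerts(MIXED, per_source=True),
          count_alerts(SPREAD, max_gap=timedelta(hours=1)))
```

The same five interleaved lines produce no alert, or one, depending only on whether runs are counted across the whole stream or per source, which is why the semantics need to be pinned down before writing the rule.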

