Hi Rainer,

Thanks for taking the time to work on my issue. I'll approach this from my situation.

On Thu, Jul 31, 2008 at 7:45 PM, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> Just to make sure:
>
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:04 server program: This is really bad
>
> [Note the last timestamp!] would still make up for "three in a row"?

Yes. Something that would be nice would be 'three in a row in the last x minutes'... But let's keep things simple for now :)

> Now, syslog contains not only timestamps, but also hostnames. So how about
>
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server2 program: This is really bad
> Jul 31 13:45:03 server program: This is really bad

In my particular case, it would only come from the one server. But if I had 2 servers logging to the same log file, it should have the option to filter based on server and/or message.

> And what about this:
>
> Jul 31 13:45:03 server program2: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
>
> And would that trigger any alert at all:

In my particular case, it would only come from the one program. But if I had 2 programs logging to the same log file, it should have the option to filter based on program and/or message.

> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server2 program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program2: This is really bad
> Jul 31 13:45:03 server program: This is really bad
>
> Finally, does "three in a row" time out? So what would happen in the case
> below. Watch the timestamps and let's assume there are no other records
> inside the log:

In my particular case, 'three in a row' wouldn't time out. I would use ActionMail, so I would use a corresponding $ActionExecOnlyOnceEveryInterval value. For my particular case, it happens when a process totally locks up. A very rare instance which requires manually restarting a process... So the 'This is really bad' messages would eventually stop.

> Jul 29 13:45:03 server program: This is really bad
> Jul 30 13:45:03 server program: This is really bad
> Jul 31 13:45:04 server program: This is really bad
>
> And a related question. You write:
>
>> So then it could be $msg == 'This is really bad' or perhaps $msg
>> contains 'really bad'. But for me, matching the exact $msg would be
>> fine. :P
>
> Does this imply you would like to do the "if $msg == 'this is really bad'"
> check? So far, I assume you do NOT do this but expect an alert to be raised
> whenever ANY message fulfills the identity criterion n times in a row.
> Please explain.

Yes, you assume correctly. What I'm looking for:

if $msg == 'This is really bad' happens 3 times in a row then :ommail:;mailBody

This would be nice but is not required, since the 'This is really bad' message in my case is very unique:

if ($msg == 'This is really bad' and $server == 'server' and $program == 'program') happens 3 times in a row then :ommail:;mailBody

- Julian

> Thanks,
> Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
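The "three in a row" rule discussed in this thread, as an added example that is neither part of the thread nor rsyslog's own code: a small Python detector run over constructed syslog lines modelled on those quoted above. It counts consecutive matching records (any non-matching record resets the streak), optionally keys on host and program as Julian asks, applies no timeout, and holds back repeat alerts for an interval in the spirit of $ActionExecOnlyOnceEveryInterval. The line format, the year used for the timestamps and the rule parameters are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server2 program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program2: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:04 server program: This is really bad
Jul 31 13:45:05 server program: This is really bad
Jul 31 13:45:06 server program: This is really bad
Jul 31 13:45:07 server program: This is really bad
"""
# Classic BSD syslog line "Mon DD HH:MM:SS host program[pid]: message" (assumed format).
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")

def parse(line, year=2008):
    """Split one syslog line into its fields; None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "program": m.group(3), "msg": m.group(4)}

def find_alerts(lines, msg, host=None, program=None, n=3, interval_s=3600):
    """Return the timestamps at which the action would fire.

    A record matches when its message equals msg and, if given, host and program
    match too. Any non-matching record resets the streak ('three in a row'); there
    is no timeout. Once the streak reaches n the action fires, but repeats are
    suppressed for interval_s seconds, like $ActionExecOnlyOnceEveryInterval.
    """
    streak, last_alert, alerts = 0, None, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hit = (rec["msg"] == msg
               and (host is None or rec["host"] == host)
               and (program is None or rec["program"] == program))
        streak = streak + 1 if hit else 0
        if streak >= n and (last_alert is None
                            or (rec["ts"] - last_alert).total_seconds() >= interval_s):
            alerts.append(rec["ts"])
            last_alert = rec["ts"]
    return alerts

if __name__ == "__main__":
    for t in find_alerts(SAMPLE_LOG.splitlines(), "This is really bad", "server", "program"):
        print(f"{t}: would run :ommail:;mailBody")
```

With the host and program filter, the server2 and program2 lines reset the count, so the first alert comes at 13:45:04; on the message alone the first three lines already satisfy the rule.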

