Do you use $ActionExecOnlyEveryNthTimeTimeout?

Rainer

> -----Original Message-----
> From: Julian Yap [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2008 12:32 PM
> To: Rainer Gerhards
> Cc: [email protected]
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>
> It's kind of strange but I've had this running for about a week now...
> I seem to have had 2 false alerts for no apparent reason.
>
>
> On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
> <[EMAIL PROTECTED]> wrote:
> > Thanks for the feedback, it will now be part of the next devel release,
> > I think some time next week :)
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: Julian Yap [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, August 08, 2008 1:55 AM
> >> To: Rainer Gerhards
> >> Cc: [email protected]
> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> >>
> >> Yep, after further testing this works great! Thanks Rainer.
> >>
> >> On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap <[EMAIL PROTECTED]> wrote:
> >> > Rainer,
> >> >
> >> > Initial testing looks fine. I'll try some more to see if I can break it.
> >> >
> >> > - Julian
> >> >
> >> > On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
> >> > <[EMAIL PROTECTED]> wrote:
> >> >> Julian,
> >> >>
> >> >> as you have probably seen in my other post, I have implemented the
> >> >> functionality. I have now also created a test tarball. I'd appreciate if
> >> >> you could obtain it from
> >> >>
> >> >> http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
> >> >>
> >> >> and give it a try. Read ./doc/rsyslog_conf.html in regard to
> >> >> $ActionExecOnlyEveryNthTime and $ActionExecOnlyEveryNthTimeTimeout. For
> >> >> what you intend to do, this should work:
> >> >>
> >> >> $ActionExecOnlyEveryNthTime 3
> >> >> *.* ..your action..
> >> >>
> >> >> You don't need the timeout, but I have included it for completeness.
> >> >> Well, actually if I were you I'd think if you really don't need it. Is
> >> >> it really OK that "three in a row" means one each day?
> >> >>
> >> >> Please provide feedback on this feature.
> >> >>
> >> >> Thanks,
> >> >> Rainer
> >> >>
> >> >>> -----Original Message-----
> >> >>> From: Julian Yap [mailto:[EMAIL PROTECTED]
> >> >>> Sent: Friday, August 01, 2008 12:14 PM
> >> >>> To: Rainer Gerhards
> >> >>> Cc: [email protected]
> >> >>> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> >> >>>
> >> >>> Roger that Rainer.
> >> >>>
> >> >>> Thanks,
> >> >>> Julian
> >> >>>
> >> >>> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
> >> >>> <[EMAIL PROTECTED]> wrote:
> >> >>> > OK, that greatly simplifies things. Actually, it now boils down to
> >> >>> > "execute an action only on the n-th time the filter evaluates to true".
> >> >>> > I think this is quite easy to implement, but I must verify that...
> >> >>> >
> >> >>> > Rainer
> >> >>> >
> >> >>> >> -----Original Message-----
> >> >>> >> From: Julian Yap [mailto:[EMAIL PROTECTED]
> >> >>> >> Sent: Friday, August 01, 2008 11:03 AM
> >> >>> >> To: Rainer Gerhards
> >> >>> >> Cc: [email protected]
> >> >>> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> >> >>> >>
> >> >>> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
> >> >>> >> <[EMAIL PROTECTED]> wrote:
> >> >>> >> > Just one more re-confirmation:
> >> >>> >> >
> >> >>> >> >> What I'm looking for:
> >> >>> >> >> if $msg == 'This is really bad' happens 3 times in a row then
> >> >>> >> >> :ommail:;mailBody
> >> >>> >> >>
> >> >>> >> >> This would be nice but is not required since the 'This is really bad'
> >> >>> >> >> message in my case is very unique:
> >> >>> >> >> if ($msg == 'This is really bad' and $server == 'server' and $program
> >> >>> >> >> == 'program') happens 3 times in a row then :ommail:;mailBody
> >> >>> >> >
> >> >>> >> > So you would actually use such a rule. If "this other thing is really
> >> >>> >> > bad" happened three times, the rule shall not trigger. Is this right?
> >> >>> >>
> >> >>> >> Yes, I would use such a rule. It would make what is already an
> >> >>> >> awesome application even more awesome. :P I am also willing to test
> >> >>> >> it out and run the latest development version... Which I'm doing
> >> >>> >> anyway.
> >> >>> >>
> >> >>> >> And yes, what you just wrote is correct.
> >> >>> >>
> >> >>> >> - Julian
> >> >>> >
> >> >>
> >> >
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
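
Added example, not part of the original thread and not rsyslog's own code: a small Python model of the "execute only on the n-th match" counting discussed above, showing how matches spread over many hours still add up to an alert when no timeout is set. The class and function names, the sample events and the exact timeout rule (counting window measured from the first counted match) are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class EveryNthGate:
    """Hypothetical model of an action that runs only on every n-th filter match."""
    nth: int                   # models $ActionExecOnlyEveryNthTime
    timeout: int = 0           # models $ActionExecOnlyEveryNthTimeTimeout (seconds, 0 = off)
    skipped: int = 0           # matches swallowed since the last reset
    window_start: float = 0.0  # when the current count began (assumed rule)

    def on_match(self, now: float) -> bool:
        """Call once per message that passed the filter; True means run the action."""
        # Assumption: a count older than `timeout` seconds expires and restarts.
        if self.timeout > 0 and now - self.window_start > self.timeout:
            self.skipped = 0
            self.window_start = now
        if self.skipped < self.nth - 1:
            self.skipped += 1
            return False
        self.skipped = 0
        return True


def alerts(gate, events, needle="This is really bad"):
    """Return the timestamps at which the mail action would fire.

    Only messages equal to `needle` reach the gate, so unrelated messages in
    between neither advance nor reset the count.
    """
    return [ts for ts, msg in events if msg == needle and gate.on_match(ts)]


HOUR = 3600
# Constructed sample events: (seconds since start, message text).
SPREAD = [
    (10 * HOUR, "This is really bad"),
    (15 * HOUR, "this other thing is really bad"),
    (20 * HOUR, "This is really bad"),
    (25 * HOUR, "This is really bad"),
]
BURST = [(50 * HOUR + s, "This is really bad") for s in (0, 5, 10)]

if __name__ == "__main__":
    print("no timeout :", alerts(EveryNthGate(nth=3), SPREAD + BURST))
    print("60s timeout:", alerts(EveryNthGate(nth=3, timeout=60), SPREAD + BURST))
```

In this model the gate without a timeout alerts on the third isolated match 15 hours after the first, while the 60-second timeout leaves only the alert for the genuine burst.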

