Just to keep everyone updated. I got a private mail with some details not to be posted publicly. However, Julian stated that he does not use $ActionExecOnlyEveryNthTimeTimeout.

With that (and the non-public) info, I think that the missing $ActionExecOnlyEveryNthTimeTimeout is the culprit. I have not asked how often the receiving syslogd is restarted or HUPed. Julian, please let me know. If it is sufficiently seldom, I think it could be an "old" message. I think about this scenario: a message comes in at, e.g., 10am. That's count 1. Then, nothing happens for the next 10 hours. At 8pm, the next one occurs. That's count 2. Another 5 hours later, the next message occurs, bringing the total count to 3. Thus, this message now triggers the rule. The question is if this is desired behavior? Or should the rule only be triggered if the messages occur within an e.g. 20 minute window? If the latter is the case, you need a

$ActionExecOnlyEveryNthTimeTimeout 1200

This directive will timeout previous messages seen if they are older than 20 minutes. In the example above, the count would now be always 1 and consequently no rule would ever be triggered (and that's the reason why this directive is present ;)). Does this make sense? Does it match what you see?

Rainer

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Rainer Gerhards
> Sent: Wednesday, August 13, 2008 12:48 PM
> To: Julian Yap
> Cc: [email protected]
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Do you use $ActionExecOnlyEveryNthTimeTimeout?
>
> Rainer
>
> > -----Original Message-----
> > From: Julian Yap [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 13, 2008 12:32 PM
> > To: Rainer Gerhards
> > Cc: [email protected]
> > Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> >
> > It's kind of strange but I've had this running for about a week now...
> > I seem to have had 2 false alerts for no apparent reason.
> >
> > On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
> > <[EMAIL PROTECTED]> wrote:
> > > Thanks for the feedback, it will now be part of the next devel release,
> > > I think some time next week :)
> > >
> > > Rainer
> > >
> > >> -----Original Message-----
> > >> From: Julian Yap [mailto:[EMAIL PROTECTED]
> > >> Sent: Friday, August 08, 2008 1:55 AM
> > >> To: Rainer Gerhards
> > >> Cc: [email protected]
> > >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> > >>
> > >> Yep, after further testing this works great! Thanks Rainer.
> > >>
> > >> On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap <[EMAIL PROTECTED]>
> > >> wrote:
> > >> > Rainer,
> > >> >
> > >> > Initial testing looks fine. I'll try some more to see if I can break it.
> > >> >
> > >> > - Julian
> > >> >
> > >> > On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
> > >> > <[EMAIL PROTECTED]> wrote:
> > >> >> Julian,
> > >> >>
> > >> >> as you have probably seen in my other post, I have implemented the
> > >> >> functionality. I have now also created a test tarball. I'd appreciate if
> > >> >> you could obtain it from
> > >> >>
> > >> >> http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
> > >> >>
> > >> >> and give it a try. Read ./doc/rsyslog_conf.html in regard to
> > >> >> $ActionExecOnlyEveryNthTime and $ActionExecOnlyEveryNthTimeTimeout. For
> > >> >> what you intend to do, this should work:
> > >> >>
> > >> >> $ActionExecOnlyEveryNthTime 3
> > >> >> *.* ..your action..
> > >> >>
> > >> >> You don't need the timeout, but I have included it for completeness.
> > >> >> Well, actually if I were you I'd think if you really don't need it. Is
> > >> >> it really OK that "three in a row" means one each day?
> > >> >>
> > >> >> Please provide feedback on this feature.
> > >> >>
> > >> >> Thanks,
> > >> >> Rainer
> > >> >>
> > >> >>> -----Original Message-----
> > >> >>> From: Julian Yap [mailto:[EMAIL PROTECTED]
> > >> >>> Sent: Friday, August 01, 2008 12:14 PM
> > >> >>> To: Rainer Gerhards
> > >> >>> Cc: [email protected]
> > >> >>> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> > >> >>>
> > >> >>> Roger that Rainer.
> > >> >>>
> > >> >>> Thanks,
> > >> >>> Julian
> > >> >>>
> > >> >>> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
> > >> >>> <[EMAIL PROTECTED]> wrote:
> > >> >>> > OK, that greatly simplifies things. Actually, it now boils down to
> > >> >>> > "execute an action only on the n-th time the filter evaluates to true".
> > >> >>> > I think this is quite easy to implement, but I must verify that...
> > >> >>> >
> > >> >>> > Rainer
> > >> >>> >
> > >> >>> >> -----Original Message-----
> > >> >>> >> From: Julian Yap [mailto:[EMAIL PROTECTED]
> > >> >>> >> Sent: Friday, August 01, 2008 11:03 AM
> > >> >>> >> To: Rainer Gerhards
> > >> >>> >> Cc: [email protected]
> > >> >>> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> > >> >>> >>
> > >> >>> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
> > >> >>> >> <[EMAIL PROTECTED]> wrote:
> > >> >>> >> > Just one more re-confirmation:
> > >> >>> >> >
> > >> >>> >> >> What I'm looking for:
> > >> >>> >> >> if $msg == 'This is really bad' happens 3 times in a row then
> > >> >>> >> >> :ommail:;mailBody
> > >> >>> >> >>
> > >> >>> >> >> This would be nice but is not required since the 'This is really bad'
> > >> >>> >> >> message in my case is very unique:
> > >> >>> >> >> if ($msg == 'This is really bad' and $server == 'server' and $program
> > >> >>> >> >> == 'program') happens 3 times in a row then :ommail:;mailBody
> > >> >>> >> >
> > >> >>> >> > So you would actually use such a rule. If "this other thing is really
> > >> >>> >> > bad" happened three times, the rule shall not trigger. Is this right?
> > >> >>> >>
> > >> >>> >> Yes, I would use such a rule. It would make what is already an
> > >> >>> >> awesome application even more awesome. :P I am also willing to test
> > >> >>> >> it out and run the latest development version... Which I'm doing
> > >> >>> >> anyway.
> > >> >>> >>
> > >> >>> >> And yes, what you just wrote is correct.
> > >> >>> >>
> > >> >>> >> - Julian
> > >> >>> >
> > >> >>
> > >> >
> > >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
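The counting behaviour Rainer describes above (every n-th match fires the action; with a timeout, a match that arrives more than the timeout after the previous one restarts the count), as an added example that is not part of the thread and not rsyslog's own code: a small Python model of the counter, run over constructed syslog lines with Julian's filter (message, host and program), first with only `$ActionExecOnlyEveryNthTime 3` and then with `$ActionExecOnlyEveryNthTimeTimeout 1200` added. The sample log lines, the year assumed for parsing the timestamps, and the exact reset rule (the count restarts at 1 when the previous match is older than the timeout) are assumptions made for the illustration.

```python
"""Model of rsyslog's $ActionExecOnlyEveryNthTime[Timeout] counter.

Written for this thread as an illustration; it implements the rule as
Rainer describes it in the mail above, it is not rsyslog's source.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample log (not from the thread): three hits spread over a day,
# then three hits within ten minutes. The year is assumed for parsing only.
SAMPLE_LOG = """\
Aug 13 10:00:00 server program: This is really bad
Aug 13 12:30:00 server program: something harmless
Aug 13 20:00:00 server program: This is really bad
Aug 14 01:00:00 server program: This is really bad
Aug 14 09:00:00 server program: This is really bad
Aug 14 09:05:00 server program: This is really bad
Aug 14 09:10:00 server program: This is really bad
"""
ASSUMED_YEAR = 2008


@dataclass
class NthTimeAction:
    """Fires on every nth matching message, like $ActionExecOnlyEveryNthTime N.

    timeout (seconds) models $ActionExecOnlyEveryNthTimeTimeout: if the
    previous match is older than the timeout, the count restarts at 1.
    The count lives only in memory, as in the daemon, so a restart or HUP
    of the daemon loses it too (Rainer's "old message" question).
    """
    nth: int
    timeout: Optional[int] = None
    count: int = 0
    last_seen: Optional[datetime] = None

    def offer(self, ts: datetime) -> bool:
        """Record one matching message at time ts; return True if the action fires."""
        if (self.timeout is not None and self.last_seen is not None
                and (ts - self.last_seen).total_seconds() > self.timeout):
            self.count = 0          # previous matches are too old; start over
        self.last_seen = ts
        self.count += 1
        if self.count >= self.nth:
            self.count = 0          # fired; the next match is count 1 again
            return True
        return False


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split an RFC 3164-style line into (timestamp, host, program, msg)."""
    ts = datetime.strptime(f"{ASSUMED_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    host, prog_msg = line[16:].split(" ", 1)
    program, msg = prog_msg.split(": ", 1)
    return ts, host, program, msg


def run(log: str, nth: int, timeout: Optional[int] = None,
        msg: str = "This is really bad", host: str = "server",
        program: str = "program") -> List[str]:
    """Return the timestamps (as written in the log) at which the action fired."""
    action = NthTimeAction(nth=nth, timeout=timeout)
    fired = []
    for line in log.splitlines():
        ts, h, p, m = parse_line(line)
        # Julian's filter: message, host and program must all match.
        if (m, h, p) != (msg, host, program):
            continue
        if action.offer(ts):
            fired.append(line[:15])
    return fired


if __name__ == "__main__":
    # Without the timeout the three hits spread over 15 hours count as
    # "three in a row"; with a 20 minute timeout only the 09:00-09:10 burst does.
    print("without timeout:", run(SAMPLE_LOG, nth=3))
    print("timeout 1200:   ", run(SAMPLE_LOG, nth=3, timeout=1200))
```

In the legacy rsyslog.conf syntax used in the thread, both directives apply to the action line that follows them, so `$ActionExecOnlyEveryNthTimeTimeout 1200` goes next to `$ActionExecOnlyEveryNthTime 3`, in front of the filter and action; Rainer's `*.*` is a placeholder for Julian's filter.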

