Rainer,

Yes, after looking at it some more, I guess I do need to have the $ActionExecOnlyEveryNthTimeTimeout setting. Your explanation below clarifies things a lot.
I guess I was confused with my existing $ActionExecOnlyOnceEveryInterval setting and thinking that was similar.

That should fix my issue.

- Julian

On Wed, Aug 13, 2008 at 11:31 PM, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> Just to keep everyone updated. I got a private mail with some details not
> to be posted publicly. However, Julian stated that he does not use
> $ActionExecOnlyEveryNthTimeTimeout.
>
> With that (and the non-public) info, I think that the missing
> $ActionExecOnlyEveryNthTimeTimeout is the culprit. I have not asked how
> often the receiving syslogd is restarted or huped. Julian, please let me
> know. If it is sufficiently seldom, I think it could be an "old"
> message.
>
> I think about this scenario: a message comes in at, eg., 10am. That's
> count 1. Then, nothing happens for the next 10 hours. At 8pm, the next
> one occurs. That's count 2. Another 5 hours later, the next message
> occurs, bringing the total count to 3. Thus, this message now triggers
> the rule.
>
> The question is if this is desired behavior? Or should the rule only be
> triggered if the messages occur within an e.g. 20 minute window? If the
> latter is the case, you need a
>
> $ActionExecOnlyEveryNthTimeTimeout 1200
>
> This directive will timeout previous messages seen if they are older
> than 20 minutes. In the example above, the count would now be always 1
> and consequently no rule would ever be triggered (and that's the reason
> why this directive is present;)).
>
> Does this make sense? Does it match what you see?
>
> Rainer
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:rsyslog-
>> [EMAIL PROTECTED] On Behalf Of Rainer Gerhards
>> Sent: Wednesday, August 13, 2008 12:48 PM
>> To: Julian Yap
>> Cc: [email protected]
>> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>>
>> Do you use $ActionExecOnlyEveryNthTimeTimeout?
>>
>> Rainer
>>
>>
>> > -----Original Message-----
>> > From: Julian Yap [mailto:[EMAIL PROTECTED]
>> > Sent: Wednesday, August 13, 2008 12:32 PM
>> > To: Rainer Gerhards
>> > Cc: [email protected]
>> > Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>> >
>> > It's kind of strange but I've had this running for about a week now...
>> > I seem to have had 2 false alerts for no apparent reason.
>> >
>> >
>> > On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
>> > <[EMAIL PROTECTED]> wrote:
>> > > Thanks for the feedback, it will now be part of the next devel release,
>> > > I think some time next week :)
>> > >
>> > > Rainer
>> > >
>> > >> -----Original Message-----
>> > >> From: Julian Yap [mailto:[EMAIL PROTECTED]
>> > >> Sent: Friday, August 08, 2008 1:55 AM
>> > >> To: Rainer Gerhards
>> > >> Cc: [email protected]
>> > >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>> > >>
>> > >> Yep, after further testing this works great! Thanks Rainer.
>> > >>
>> > >> On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap <[EMAIL PROTECTED]> wrote:
>> > >> > Rainer,
>> > >> >
>> > >> > Initial testing looks fine. I'll try some more to see if I can break it.
>> > >> >
>> > >> > - Julian
>> > >> >
>> > >> > On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
>> > >> > <[EMAIL PROTECTED]> wrote:
>> > >> >> Julian,
>> > >> >>
>> > >> >> as you have probably seen in my other post, I have implemented the
>> > >> >> functionality. I have now also created a test tarball. I'd appreciate if
>> > >> >> you could obtain it from
>> > >> >>
>> > >> >> http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
>> > >> >>
>> > >> >> and give it a try. Read ./doc/rsyslog_conf.html in regard to
>> > >> >> $ActionExecOnlyEveryNthTime and $ActionExecOnlyEveryNthTimeTimeout.
>> > >> >> For what you intend to do, this should work:
>> > >> >>
>> > >> >> $ActionExecOnlyEveryNthTime 3
>> > >> >> *.* ..your action..
>> > >> >>
>> > >> >> You don't need the timeout, but I have included it for completeness.
>> > >> >> Well, actually if I were you I'd think if you really don't need it. Is
>> > >> >> it really OK that "three in a row" means one each day?
>> > >> >>
>> > >> >> Please provide feedback on this feature.
>> > >> >>
>> > >> >> Thanks,
>> > >> >> Rainer
>> > >> >>
>> > >> >>> -----Original Message-----
>> > >> >>> From: Julian Yap [mailto:[EMAIL PROTECTED]
>> > >> >>> Sent: Friday, August 01, 2008 12:14 PM
>> > >> >>> To: Rainer Gerhards
>> > >> >>> Cc: [email protected]
>> > >> >>> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>> > >> >>>
>> > >> >>> Roger that Rainer.
>> > >> >>>
>> > >> >>> Thanks,
>> > >> >>> Julian
>> > >> >>>
>> > >> >>> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
>> > >> >>> <[EMAIL PROTECTED]> wrote:
>> > >> >>> > OK, that greatly simplifies things. Actually, it now boils down to
>> > >> >>> > "execute an action only on the n-th time the filter evaluates to true".
>> > >> >>> > I think this is quite easy to implement, but I must verify that...
>> > >> >>> >
>> > >> >>> > Rainer
>> > >> >>> >
>> > >> >>> >> -----Original Message-----
>> > >> >>> >> From: Julian Yap [mailto:[EMAIL PROTECTED]
>> > >> >>> >> Sent: Friday, August 01, 2008 11:03 AM
>> > >> >>> >> To: Rainer Gerhards
>> > >> >>> >> Cc: [email protected]
>> > >> >>> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>> > >> >>> >>
>> > >> >>> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
>> > >> >>> >> <[EMAIL PROTECTED]> wrote:
>> > >> >>> >> > Just one more re-confirmation:
>> > >> >>> >> >
>> > >> >>> >> >> What I'm looking for:
>> > >> >>> >> >> if $msg == 'This is really bad' happens 3 times in a row then
>> > >> >>> >> >> :ommail:;mailBody
>> > >> >>> >> >>
>> > >> >>> >> >> This would be nice but is not required since the 'This is really bad'
>> > >> >>> >> >> message in my case is very unique:
>> > >> >>> >> >> if ($msg == 'This is really bad' and $server == 'server' and $program
>> > >> >>> >> >> == 'program') happens 3 times in a row then :ommail:;mailBody
>> > >> >>> >> >
>> > >> >>> >> > So you would actually use such a rule. If "this other thing is really
>> > >> >>> >> > bad" happened three times, the rule shall not trigger. Is this right?
>> > >> >>> >>
>> > >> >>> >> Yes, I would use such a rule. It would make what is already an
>> > >> >>> >> awesome application even more awesome. :P I am also willing to test
>> > >> >>> >> it out and run the latest development version... Which I'm doing
>> > >> >>> >> anyway.
>> > >> >>> >>
>> > >> >>> >> And yes, what you just wrote is correct.
>> > >> >>> >>
>> > >> >>> >> - Julian
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
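
The counting behaviour discussed in this thread, modelled as an added example (not part of the original messages and not rsyslog source code): it replays the 10am / 8pm / five-hours-later scenario with and without a 1200-second timeout. The names `EveryNthTime` and `fired_at` are hypothetical, the timestamps are constructed, and measuring the window from the first counted message is an assumption based on the "within a 20 minute window" description.

```python
# Added model of the counter described in the thread; not rsyslog source code.
# Assumption: the timeout window is measured from the first message counted.

class EveryNthTime:
    """Gate for one action: run it only on every nth matching message."""

    def __init__(self, nth, timeout=0):
        self.nth = nth              # $ActionExecOnlyEveryNthTime
        self.timeout = timeout      # $ActionExecOnlyEveryNthTimeTimeout (seconds, 0 = off)
        self.count = 0
        self.window_start = None

    def on_match(self, now):
        """Return True if the action runs for a matching message seen at `now`."""
        expired = (self.timeout > 0 and self.window_start is not None
                   and now - self.window_start > self.timeout)
        if expired:
            self.count = 0          # earlier matches are too old to count
        if self.count == 0:
            self.window_start = now
        self.count += 1
        if self.count >= self.nth:
            self.count = 0          # action runs, counting starts over
            return True
        return False


def fired_at(times, nth, timeout=0):
    """Timestamps (seconds) at which the action would run."""
    gate = EveryNthTime(nth, timeout)
    return [t for t in times if gate.on_match(t)]


H = 3600
# Constructed inputs, in seconds since midnight.
SPREAD = [10 * H, 20 * H, 25 * H]                 # 10am, 8pm, five hours later
BURST = [10 * H, 10 * H + 300, 10 * H + 600]      # three matches in ten minutes
STALE_THEN_TWO = [10 * H, 20 * H, 20 * H + 300]   # one old match, then only two

if __name__ == "__main__":
    for name, times in [("spread", SPREAD), ("burst", BURST),
                        ("stale+2", STALE_THEN_TWO)]:
        print(name, "no timeout:", fired_at(times, 3),
              "| timeout 1200:", fired_at(times, 3, 1200))
```

The `STALE_THEN_TWO` case is the kind of unexpected alert the thread is chasing: without the timeout, a single match from hours earlier still counts toward the three.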

