On Tue, 16 Feb 2016, singh.janmejay wrote:
> @David: As of now, I am thinking of end-of-the-day style measurement
> (basically report number of messages lost at a good-enough
> granularity, say host x severity).
>
> I am thinking of this as something independent of frequency of outages
> and unrelated to maintenance windows. I'm thinking of it as a report
> that captures extent of loss, where one can pull down several months
> of this data and verify loss was never beyond an acceptable level,
> compare it across days when load profile was very different (the day
> when too many circuit-breakers engaged etc).
>
> I haven't thought through this, but reset may not be required.
> Basically let the counter count-up and wrap-around (as long as
> wrap-around is well defined behavior which is accounted for during
> measurement).

I have my central server produce a daily report of how many logs it got from
each source[1], and my significant traffic generators generate a similar report.
I can then spot check them, or put them on the same graph, etc.
David Lang
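
[1] Well, actually, what I do is a bit fancier, with redundancies because I
haven't cleaned things up yet :-)

My first thing is that I make a file that collects 'useful' info about logs that
arrive:

    # one line per message: host, relay IP, program, receive time, raw length
    $template sources,"%hostname% %fromhost-ip% %programname% %timegenerated:::date-rfc3339% %$.len%\n"
    # $.len has to be set before the action that uses the template runs
    set $.len = strlen($rawmsg);
    # write every message to the file using the "sources" template
    *.* /var/log/sources-messages;sources
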
This gives me a one-line-per-message file that I can easily do things like

    cut -f 1 -d ' ' sources-messages | sort | uniq -c

to get a per-host log count, or

    cut -f 2 -d ' ' sources-messages | sort | uniq -c

to get a report of the relay servers that send me logs.

Rotate this file on a regular basis, and you have the ability to get stats on
arbitrary times.

I'm slowly tweaking this to run things through SEC and have SEC produce per-min
stats that are summaries of the data, making it much faster to summarize. I also
have SEC dumping some of these stats to my monitoring system.

You can do similar stuff with the pstats output: set it to a reasonable
granularity and capture the count that the sender claims they are sending in
your monitoring system, and then capture the count that you see on the other
end. Compare the two and if there is a significant difference, alert.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
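
The sender-versus-receiver comparison described at the end of the message, as an added example (not part of the original post and not rsyslog code). The `claimed` file format (`hostname count` per line), the function names, the 5% threshold and the sample data are assumptions constructed here.

```shell
#!/bin/sh
# Added example: per-host loss check, receiver file vs. sender-claimed counts.
# loss_report RECEIVED CLAIMED [THRESHOLD_PCT]
#   RECEIVED: one-line-per-message file from the "sources" template
#             (field 1 = hostname)
#   CLAIMED:  "hostname count" per line (assumed format for what each
#             sender says it sent in the same period)
# Prints "host claimed received lost pct" for each host whose loss is above
# the threshold (default 1%); returns 1 if any host is reported.
loss_report() {
    awk -v thr="${3:-1}" '
        FILENAME == ARGV[1] { got[$1]++; next }   # count received lines per host
        {
            recv = ($1 in got) ? got[$1] : 0      # silent host: nothing received
            lost = $2 - recv                      # negative = more than claimed
            pct  = ($2 > 0) ? 100 * lost / $2 : 0
            if (pct > thr + 0) {
                printf "%s %d %d %d %.1f\n", $1, $2, recv, lost, pct
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed sample data: web1 is complete, db1 lost 3 of 4, fw1 is silent.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/sources-messages" <<'EOF'
web1 192.0.2.10 nginx 2016-02-16T10:00:00+00:00 120
web1 192.0.2.10 nginx 2016-02-16T10:00:01+00:00 98
web1 192.0.2.10 sshd 2016-02-16T10:00:02+00:00 77
db1 192.0.2.20 postgres 2016-02-16T10:00:03+00:00 64
EOF
    printf '%s\n' 'web1 3' 'db1 4' 'fw1 2' > "$d/claimed"
    st=0
    loss_report "$d/sources-messages" "$d/claimed" 5 || st=$?
    rm -rf "$d"
    return "$st"
}

if [ "${1:-}" = demo ]; then demo; fi
```

A host that appears in the claimed file but not in the received file is reported as 100% lost, which is the case a plain `uniq -c` over the receiver file cannot show.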