impstats
Ok. I'll have a look
Define 'too fast'. And how do you tell the difference between your
logging system having a problem and generating so many messages and
the systems you are collecting logs from generating the messages?
If you set up thresholds and start throwing away messages that arrive
faster than that, I will guarantee that one day you will find that you
are throwing away legitimate logs that you care about as a result.
It's also rather tricky to define such threshold criteria, and
expensive to track.
Much better to just report the stats to your existing monitoring
system and use it to decide that something is wrong.
During tests, as omelasticsearch is not v5 fully-compatible, it started
to write warnings for each indexing operation. As we were making
high-traffic tests, our /var/log/messages filled with "deprecated:
blablabla" and we're now thinking how to handle those situations.
As we "can't" change how applications log (hence, elastic will continue
to write those warnings), and considering we would like to get notified
about errors on certain procedures (e.g. error when creating indexes) I
was wondering if there's something like flags/counters:
1. rsyslog gets message
2. if it's a notifiable error
     if it's already "notified", increase notify counter
       drop message (don't log it)
     else #not "notified"
       notify error
       log message
3. if it's a recovery
     log recovery
     notify recovered
4. otherwise, log normally
In the above, notification could be a snmptrap to our monitoring system,
and "if notified" could be a "global" errorCount variable or something
similar...
Hope explained properly...
Regards
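
The flow sketched in steps 1 to 4 above, as an added example that is not part of the original post: a stand-alone Python model of the notify-once, count-repeats, report-on-recovery logic. The rule patterns, the sample lines and the `notify` stand-in for the SNMP trap are constructed assumptions; how such logic would be wired into rsyslog is not shown.

```python
import re
from dataclasses import dataclass, field

# Constructed rules (assumptions): key, error pattern, recovery pattern.
RULES = [
    ("index-create",
     re.compile(r"error creating index", re.I),
     re.compile(r"index created", re.I)),
]

@dataclass
class NotifyGate:
    suppressed: dict = field(default_factory=dict)   # key -> repeats dropped while notified
    logged: list = field(default_factory=list)       # messages that would be written to the log
    notifications: list = field(default_factory=list)

    def notify(self, text):
        # Stand-in for the snmptrap mentioned in the post.
        self.notifications.append(text)

    def handle(self, msg):
        for key, err, rec in RULES:
            if err.search(msg):                       # step 2: notifiable error
                if key in self.suppressed:            # already notified: count and drop
                    self.suppressed[key] += 1
                    return "dropped"
                self.suppressed[key] = 0              # first occurrence: notify and log
                self.notify(f"ERROR {key}: {msg}")
                self.logged.append(msg)
                return "notified"
            if rec.search(msg):                       # step 3: recovery
                dropped = self.suppressed.pop(key, 0)
                self.logged.append(msg)
                self.notify(f"RECOVERED {key} ({dropped} repeats suppressed)")
                return "recovered"
        self.logged.append(msg)                       # step 4: log normally
        return "logged"

# Constructed sample input, not real log data.
SAMPLE = [
    "elasticsearch: error creating index logs-1",
    "elasticsearch: error creating index logs-1",
    "elasticsearch: error creating index logs-1",
    "sshd: session opened for user ops",
    "elasticsearch: index created logs-1",
    "elasticsearch: error creating index logs-2",
]

def run(lines):
    gate = NotifyGate()
    return gate, [gate.handle(line) for line in lines]
```

Reporting the suppressed count with the recovery notification keeps a record of how many messages were dropped, which matters given the concern raised in the reply about discarding logs.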
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.