Consider the following log string that comes from Bind9 query
transaction logs.
(queries: info: client (\d+\.\d+\.\d+\.\d+)\#\d+: \S+ \S+ IN \S+ \S+)
The exact format of the log string doesn't really matter. How can I count
a) The absolute query arrival rate for $1
b) The query arrival rate for $2 - effectively per host tracking.
I believe I would set and reset contexts with SingleWith2Thresholds, and
I presume that if you set a long time for the context you can manage a
'water level' or intensity state indicator.
# rule 1# count loglines and threshold at 100
type=SingleWith2Thresholds
continue=TakeNext
ptype=RegExp
pattern=(queries: info: client (\d+\.\d+\.\d+\.\d+)\#\d+: \S+ \S+ IN \S+ \S+)
desc=%Hostname greater than 100qps
action=logonly %s at %t; delete %Hostname_50qps ; create %Hostname_100qps 86400
window=1
thresh=100
desc2=%Hostname below 100qps
action2=logonly %s at %t; delete %Hostname_100qps;
window2=1
thresh2=99
#rule 2# count loglines for particular client and threshold at 100
type=SingleWith2Thresholds
continue=TakeNext
ptype=RegExp
pattern=(queries: info: client (\d+\.\d+\.\d+\.\d+)\#\d+: \S+ \S+ IN \S+ \S+)
desc=%Hostname $2 flow is greater than 100qps
action=logonly %s at %t ; delete %Hostname_$2_50qps ; create %Hostname_$2_100qps 86400
window=1
thresh=100
desc2=%Hostname $2 flow is below 100qps
action2=logonly %s at %t; delete %Hostname_$2_100qps ; create %Hostname_$2_50qps
window2=1
thresh2=99
# repeat for graduated less thresholds
# rule 1# count loglines and threshold at 50
type=SingleWith2Thresholds
continue=TakeNext
ptype=RegExp
pattern=(queries: info: client (\d+\.\d+\.\d+\.\d+)\#\d+: \S+ \S+ IN \S+ \S+)
desc=%Hostname greater than 50qps
context=!%Hostname_100qps
action=logonly %s ; create %Hostname_50qps 86400
window=1
thresh=50
desc2=%Hostname below 50qps
action2=logonly %s at %t; delete %Hostname_50qps
window2=1
thresh2=49
#rule 2# count loglines for particular client and threshold at 100
type=SingleWith2Thresholds
continue=TakeNext
ptype=RegExp
pattern=(queries: info: client (\d+\.\d+\.\d+\.\d+)\#\d+: \S+ \S+ IN \S+ \S+)
desc=%Hostname $2 flow is greater than 100qps
context=!%Hostname_$2_100qps
action=logonly %s ; event % 60
window=1
thresh=100
desc2=%Hostname $2 flow is below 100qps
action2=logonly %s
window2=1
thresh2=99
The above should work, but I am uncomfortable with the overhead of
maintaining contexts in a fast moving environment. I am also
uncomfortable scaling up to environments where I have a number of
arrival rate intensities that I need to track.
Please advise,
--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
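As an added example (not part of the post, and written in Python rather than as SEC rules), here is the same graduated per-client tracking done with a sliding window instead of SEC contexts: it reuses the post's regex, keeps one timestamp deque per client, and records every level transition. The Bind9 log lines and timestamps are constructed.

```python
import re
from collections import defaultdict, deque

# Bind9 query-log pattern from the post; group 2 is the client address.
PATTERN = re.compile(
    r"(queries: info: client (\d+\.\d+\.\d+\.\d+)#\d+: \S+ \S+ IN \S+ \S+)")

# Graduated levels, highest first (the post's 100qps and 50qps rules).
LEVELS = (("100qps", 100), ("50qps", 50))


class RateTracker:
    """Sliding-window query counter with per-client 'water level' states."""

    def __init__(self, window=1.0):
        self.window = window                 # seconds, like window=1 in the post
        self.events = defaultdict(deque)     # client -> timestamps inside window
        self.state = {}                      # client -> current level name or None
        self.transitions = []                # (ts, client, old_level, new_level)

    @staticmethod
    def level(count):
        for name, thresh in LEVELS:
            if count >= thresh:
                return name
        return None

    def observe(self, ts, line):
        """Feed one log line; returns (client, count_in_window, level) or None."""
        m = PATTERN.search(line)
        if not m:
            return None
        client = m.group(2)
        q = self.events[client]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop timestamps outside window
            q.popleft()
        new = self.level(len(q))
        old = self.state.get(client)
        if new != old:                           # only log level changes
            self.transitions.append((ts, client, old, new))
            self.state[client] = new
        return client, len(q), new

    def total_rate(self, ts):
        """Absolute arrival rate over all clients (the post's case a)."""
        return sum(1 for q in self.events.values() for t in q if t > ts - self.window)


def demo():
    # Constructed traffic: 10.0.0.1 bursts 120 queries in 0.6 s, 10.0.0.2 sends 3.
    line = "queries: info: client {}#5353: query: example.com IN A + (10.0.0.5)"
    tr = RateTracker(window=1.0)
    for i in range(120):
        tr.observe(i / 200, line.format("10.0.0.1"))
    for ts in (0.1, 0.2, 0.3):
        tr.observe(ts, line.format("10.0.0.2"))
    total = tr.total_rate(0.6)          # 123 queries in the last second
    tr.observe(1.3, line.format("10.0.0.1"))   # burst ageing out: back to 50qps
    tr.observe(2.5, line.format("10.0.0.1"))   # fully aged out: no level
    return tr, total
```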
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users