Background:
* SEC is used to monitor syslog messages from a large number of
machines on a centralized syslog server.
* We have an in-house application logging messages that I want to
report to the developer when we see a certain threshold hit.
Sample Syslog messages:
Jan 19 16:10:02 cto975 logger[11579]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:10:04 labb04 logger[8814]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.
Jan 19 16:11:01 vm975 logger[11590]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 labb04 logger[12037]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.
Jan 19 16:11:01 vm973 logger[11640]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm974 logger[11675]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm976 logger[11575]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm977 logger[11661]: CVGALERT: Liberty app at vm972:5260 is not responding.
Listed below are the two rules I use to capture syslog messages and report them
when a threshold of 20 messages is reached.
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty at host:port $1 reporting $2
action=report liberty_$1 /usr/bin/mailx -s "%s" [email protected] [email protected]; \
       delete liberty_$1
window=21600
thresh=20

type=single
ptype=regexp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty error messages
action=add liberty_$1 $0
My questions are these:
1. Is there a better way to handle this? I referenced the examples from
the man page to put this together and it works... But I'm just thinking it
seems redundant. I have one rule to monitor & trigger the threshold and a
wholly separate, but very similar, rule used to capture the messages into an
event store. Thus, the syslog message must be evaluated twice by SEC. Is
there some way that I can combine these steps into one rule?
2. I usually create rules more like the one below so that I can put
some explanation into the email message so that the developer will know what to
do. The following example works fine when/if I have one event I want to
report; however, I don't understand how to embed or expand an event store in
this kind of rule:
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty at host:port $1 reporting $2
action=pipe 'Alert:\
The following error has been reported:\
\
$0\
\
Please log into $1 and fix.\
\
Thanks' /usr/bin/mailx -s "%s" [email protected]
window=21600
thresh=20
Thanks Again!
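To make the behaviour of the two rules concrete, here is an added stand-alone Python model (not SEC code, and not from the original post) that does both jobs in a single pass over the sample lines: each matching message is buffered per host:port and counted in a sliding window, and when the threshold is reached the buffered events are expanded into a mail body with the explanatory text around them, then the buffer is cleared as "report ...; delete liberty_$1" does. The year 2011 in parse_ts and the SAMPLE lines are constructed assumptions, and thresh/window default to the 20 and 21600 from the rules.

```python
import re
import time
from collections import defaultdict, deque

# Same regex as the SEC rules: group 1 is host:port ($1), group 2 the rest ($2).
PATTERN = re.compile(r":\d\d \S+ .*Liberty app at (\S+) (.*)")

def parse_ts(line):
    """Syslog lines carry no year; 2011 is an assumed value for the arithmetic."""
    return time.mktime(time.strptime("2011 " + line[:15], "%Y %b %d %H:%M:%S"))

def format_mail(key, what, events):
    """Mail body for the developer: explanation text plus the buffered events."""
    body = ["Alert:", "The following errors have been reported:", ""]
    body += events
    body += ["", "Please log into %s and fix (%s)." % (key, what), "", "Thanks"]
    return "\n".join(body)

def run(lines, thresh=20, window=21600):
    """Single pass: buffer + count per host:port within a sliding window;
    on reaching thresh, emit (key, mail body) and clear that buffer."""
    store = defaultdict(deque)   # host:port -> deque of (timestamp, raw line)
    reports = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key, what, ts = m.group(1), m.group(2), parse_ts(line)
        q = store[key]
        q.append((ts, line))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        if len(q) >= thresh:
            reports.append((key, format_mail(key, what, [l for _, l in q])))
            q.clear()                        # equivalent of 'delete liberty_$1'
    return reports

# Constructed sample input with the same shape as the syslog lines above.
SAMPLE = [
    "Jan 19 16:10:02 cto975 logger[11579]: CVGALERT: Liberty app at vm972:5260 is not responding.",
    "Jan 19 16:10:04 labb04 logger[8814]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.",
    "Jan 19 16:11:01 vm975 logger[11590]: CVGALERT: Liberty app at vm972:5260 is not responding.",
    "Jan 19 16:11:01 labb04 logger[12037]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.",
    "Jan 19 16:11:01 vm973 logger[11640]: CVGALERT: Liberty app at vm972:5260 is not responding.",
    "Jan 19 16:11:01 vm974 logger[11675]: CVGALERT: Liberty app at vm972:5260 is not responding.",
    "Jan 19 16:11:01 vm976 logger[11575]: CVGALERT: Liberty app at vm972:5260 is not responding.",
    "Jan 19 16:11:01 vm977 logger[11661]: CVGALERT: Liberty app at vm972:5260 is not responding.",
]
```

Running run(SAMPLE, thresh=4) on the eight sample lines produces one mail for vm972:5260 containing the first four of its messages; with the real threshold of 20 nothing fires.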
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users