On 8/2/11 12:47 PM, Marc MERLIN wrote:
I couldn't find this in the man page.

I'd like to write a rule that looks for a log line and alerts me if it's not
been seen in the last hour.

Is that possible?

Thanks,
Marc

Marc,

Read John Rouillard's paper to the LISA2004 conference. Look for 'missing events'. John's example is with Sendmail, but it can be done with most any log. I implemented against DNS query transaction logs.

Ref: "Real-time log file analysis using the Simple Event Correlator (SEC)" (http://www.cs.umb.edu/~rouilj/sec/) by John P. Rouillard - a paper with SEC ruleset examples that was presented at USENIX LISA'2004.


You will need to create a calendar event to provide regular marking of time (Set/Arm) against the event stream (Reset/Disarm). You would then use a PairWithWindow to time the state. After the set event, if the event stream fails to reset in time, a new event is created: the 'missing event'.

Regards,
Tim Peiffer

--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

+1 612 626-7884 (desk)
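The Calendar/PairWithWindow pattern Tim describes, written out as an added SEC ruleset for Marc's "not seen in the last hour" case (example rules, not from Tim's or John Rouillard's rulesets). The event name DNS_QUERY_HEARTBEAT, the BIND-style query-log regex in pattern2 and the mail recipient are assumptions to be adjusted for the log being watched.

```text
# Rule 1 (Set/Arm): a Calendar rule injects a synthetic marker event into the
# event stream every 15 minutes. Nothing in the watched log produces it.
type=Calendar
time=0,15,30,45 * * * *
desc=heartbeat for missing-event detection
action=event DNS_QUERY_HEARTBEAT

# Rule 2 (Reset/Disarm): each heartbeat starts a PairWithWindow operation that
# waits up to 'window' seconds (3600 = one hour) for the real log line.
# - pattern2 not seen within the window -> the first 'action' fires: this is
#   the synthesised 'missing event' that alerts on silence.
# - pattern2 seen in time -> 'action2' fires and the operation ends; the next
#   heartbeat re-arms it, so silence is reported within roughly 60-75 minutes.
# Heartbeats arriving while an operation is already active are ignored, so
# only one timer per 'desc' runs at any time.
type=PairWithWindow
ptype=RegExp
pattern=^DNS_QUERY_HEARTBEAT$
desc=no DNS query log line seen for the last hour
action=logonly %s; pipe '%s' mail -s 'SEC missing event' root
ptype2=RegExp
pattern2=named\[\d+\]: client .* query: \S+ IN \S+
desc2=DNS query traffic is being logged
action2=logonly %s
window=3600
```

Start it against the DNS log with sec -conf=missing.sec -input=/var/log/named/query.log and confirm the logonly lines appear in SEC's own log before trusting the alert path.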

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users