hi David,
the problem you are experiencing is related to the action-on-expire field
of the heartbeat_$1 context. When this context is created, its
action-on-expire field is set to the following list:
create heartbeat_$1 14400 (shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
shellcmd /usr/local/bin/sec/notify.sh $1 '4 min'
This action list is executed when the heartbeat_$1 context expires,
immediately before heartbeat_$1 is deleted and dropped from memory. As a
result, the following things happen when heartbeat_$1 expires:
1) expiration of heartbeat_$1 forces the execution of the above action list
which is always followed by context deletion
2) the 'create' action changes the context lifetime and action-on-expire -- but
these changes have no effect on the currently running action list and
context deletion procedure
3) 'shellcmd' action runs /usr/local/bin/sec/notify.sh
4) now that the action list has completed, heartbeat_$1 is dropped from
memory.
In other words, changing context lifetime (and taking other measures for
preventing context deletion) will have no effect when invoked from
the action-on-expire action list.
One possible solution would be the use of two distinct contexts for
alerting (such as heartbeat_$1 and heartbeat2_$1):
type=single
ptype=regexp
pattern=(\S+)
context=[!SEC_INTERNAL_EVENT]
desc=heartbeat_$1
action=create heartbeat_$1 10 ( create heartbeat2_$1 20 \
(shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
shellcmd /usr/local/bin/sec/notify.sh $1 '4 min'); \
delete heartbeat2_$1
This rule will produce a debug-level message about non-existing
heartbeat2_$1 when heartbeat messages regularly arrive. If you don't want
to see this message (even though its level is 'debug'), you can replace
'delete heartbeat2_$1' with the following two actions:
exists %e heartbeat2_$1; if %e ( delete heartbeat2_$1 )
The first action checks if the heartbeat2_$1 context exists, and the second
action invokes the 'delete' action only for an existing context.
kind regards,
risto
2015-03-31 4:10 GMT+03:00 David Lang <[email protected]>:
> I'm trying to do an alert when a device stops sending logs.
>
> This works well (all that's fed to sec is the hostname)
>
> type=single
> ptype=regexp
> pattern=(\S+)
> context=[!SEC_INTERNAL_EVENT]
> desc=heartbeat_$1
> action=create heartbeat_$1 240 (shellcmd /usr/local/bin/sec/notify.sh $1 '4 min')
>
> Now I want to modify this so that if it doesn't start reporting again,
> I'll get another alert in 2 hours. So I try to do:
>
> type=single
> ptype=regexp
> pattern=(\S+)
> context=[!SEC_INTERNAL_EVENT]
> desc=heartbeat_$1
> action=create heartbeat_$1 240 ( create heartbeat_$1 14400 \
> (shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
> shellcmd /usr/local/bin/sec/notify.sh $1 '4 min')
>
> (wrapped to fit the e-mail)
>
> but after the first timeout expires, it doesn't recreate it with the longer
> timeout.
>
> Ideally, I'd like to have it continue to re-arm and fire every 2 hours, but
> until I can get the simple version working, trying to extend it beyond that
> isn't happening.
>
> David Lang
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
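The expiry order described in the reply above, as an added example that is not part of the original thread and is not SEC's own code: a small Python model in which a context's action list runs first and deletion always follows. It assumes the 240 and 14400 second lifetimes from the question for both rules; all class and function names are hypothetical.

```python
# Toy model of the context expiry order described in the reply above.
# Not SEC code: all class and function names here are hypothetical.
class Contexts:
    def __init__(self):
        self.now = 0
        self.live = {}    # name -> (expiry time, action-on-expire or None)
        self.alerts = []  # (time, text), standing in for notify.sh calls

    def create(self, name, lifetime, on_expire=None):
        self.live[name] = (self.now + lifetime, on_expire)

    def delete(self, name):
        self.live.pop(name, None)

    def advance(self, until):
        """Move the clock to 'until', expiring contexts in time order."""
        while True:
            due = [(t, n) for n, (t, _) in self.live.items() if t <= until]
            if not due:
                break
            self.now, name = min(due)
            action = self.live[name][1]
            if action:
                action()               # the action list runs first ...
            self.live.pop(name, None)  # ... then deletion always follows
        self.now = until

def expire_actions(c, second_context):
    def on_expire():
        c.create(second_context, 14400,
                 lambda: c.alerts.append((c.now, "2+ hours")))
        c.alerts.append((c.now, "4 min"))
    return on_expire

def single_context_rule(c, host):  # the rule from the original question
    c.create(f"heartbeat_{host}", 240, expire_actions(c, f"heartbeat_{host}"))

def two_context_rule(c, host):     # the two-context rule from the reply
    c.create(f"heartbeat_{host}", 240, expire_actions(c, f"heartbeat2_{host}"))
    c.delete(f"heartbeat2_{host}")

def run(rule, heartbeats, end):
    """Feed heartbeat arrival times (constructed sample input) to a rule."""
    c = Contexts()
    for t in heartbeats:
        c.advance(t)
        rule(c, "host1")
    c.advance(end)
    return c.alerts
```

With one heartbeat at time 0, `run(single_context_rule, [0], 20000)` yields only the 4 min alert, while `run(two_context_rule, [0], 20000)` also yields the 2+ hours alert 14400 seconds later.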