We looked into this and did indeed find a solution. You don't want to check the timestamp of all of the syslogs as it would be too much effort and could impact the performance of SEC. The solution we came up with is to send a syslog message from the localhost via a cron job. This puts it in the queue like any other syslog but guarantees that the timestamp would be in sync. So then all you need is an SEC rule to calculate the unix timestamp of the current time and the syslog message. The final rule is kinda ugly, but it works.
############################ Begin Rule ############################
# Fires on the locally generated "sec temporal probe" syslog line when
# its timestamp is more than 60 seconds behind SEC's own clock.
# $1 (the captured "Mon DD HH:MM:SS" prefix) is handed to the context sub as $_[0].
type=Single
continue=TakeNext
ptype=RegExp
context=$1 -> ( sub { use Time::Local; \
    my $timestring = $_[0]; \
    my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11); \
    my ($csec, $cmin, $chour, $cmday, $cmon, $year) = localtime(time); \
    $timestring =~ /^([A-Z][a-z]+)\s+(\d+)\s(\d+):(\d+):(\d+)/; \
    my ($lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2, $3, $4, $5); \
    my $month = $months{$lmon}; \
    my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month, $year); \
    my $ctime = time; \
    my $diff = $ctime - $ltime; \
    return 1 if ($diff > 60); \
    } )
pattern=^([A-Z][a-z]{2}\s+\d+ \d+:\d+:\d+) \S+.*sec temporal probe
desc=SEC_behind
action=pipe 'SEC is behind 1+ minutes. Log time: $1' /bin/mailx -s "SEC: %t SEC is behind 1+ minutes." u...@somewhere.edu
############################ End Rule ############################

This rule triggers if the time is over 60 seconds off. This could be easily adjusted. The only problem is that the email doesn't show exactly how far off it is. Hopefully someone else on this list will have a more elegant solution to this problem.

On Mon, 4 Jan 2016, David Lang wrote:

> Date: Mon, 4 Jan 2016 12:45:07 -0600
> From: David Lang <da...@lang.hm>
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: [Simple-evcorr-users] detecting 'old' logs
>
> has anyone put together the code that would be needed to detect if sec or log
> delivery is falling behind? something along the order of 'if the timestamp in
> the logs is > X min behind current, alert'?
>
> David Lang
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>

-- 
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)
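As an added example (not part of this thread and not SEC's own code), the same probe-lag check written as stand-alone Python, so that the alert can also carry the exact lag in seconds, which the rule above does not report. It goes slightly beyond the rule by handling the year rollover that a year-less BSD-syslog timestamp forces: a "Dec 31" probe evaluated just after midnight on 1 January would otherwise be parsed as a year in the future. The marker text `sec temporal probe`, the host name `loghost`, the sample lines and the fixed clock values are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Month abbreviations as they appear in classic BSD-syslog timestamps
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Leading "Mon DD HH:MM:SS" of a syslog line (no year, no time zone)
TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s(\d{2}):(\d{2}):(\d{2})")


def parse_syslog_time(line, now):
    """Return the line's timestamp as a naive datetime, or None if it does not parse.

    BSD syslog timestamps carry no year, so the year is borrowed from `now`.
    If that yields a time more than a day in the future (a December probe
    evaluated in early January), roll it back one year.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    try:
        ts = datetime(now.year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        if ts - now > timedelta(days=1):
            ts = ts.replace(year=now.year - 1)
    except (KeyError, ValueError):   # unknown month, bad day, or Feb 29 rollback
        return None
    return ts


def probe_lag_seconds(line, now, marker="sec temporal probe"):
    """Seconds by which a probe line's timestamp trails `now`.

    Returns None for lines that are not probes or whose timestamp does not parse.
    """
    if marker not in line:
        return None
    ts = parse_syslog_time(line, now)
    if ts is None:
        return None
    return int((now - ts).total_seconds())


def check_lines(lines, now, threshold=60):
    """Return [(line, lag_seconds)] for probe lines more than `threshold` seconds behind.

    This is the condition the SEC rule in the mail alerts on, with the lag kept
    so an alert can state how far behind delivery actually is.
    """
    alerts = []
    for line in lines:
        lag = probe_lag_seconds(line, now)
        if lag is not None and lag > threshold:
            alerts.append((line, lag))
    return alerts


# Constructed sample input: a fixed "now" and three log lines, only two of
# which are probes; the second probe is about five minutes stale.
SAMPLE_NOW = datetime(2016, 1, 4, 12, 45, 7)
SAMPLE_LINES = [
    "Jan  4 12:44:57 loghost root: sec temporal probe",
    "Jan  4 12:40:00 loghost root: sec temporal probe",
    "Jan  4 12:44:00 loghost sshd[1234]: Accepted publickey for todd from 10.0.0.5",
]

# Constructed year-rollover case: probe logged 90 s before a New Year midnight check.
ROLLOVER_NOW = datetime(2016, 1, 1, 0, 0, 30)
ROLLOVER_LINE = "Dec 31 23:59:00 loghost root: sec temporal probe"


if __name__ == "__main__":
    for line, lag in check_lines(SAMPLE_LINES, SAMPLE_NOW):
        print("SEC is behind by %d seconds. Log time: %s" % (lag, line[:15]))
    print("rollover lag:", probe_lag_seconds(ROLLOVER_LINE, ROLLOVER_NOW))
```

Run as a script it prints the one stale probe with its 307-second lag and the 90-second rollover lag; in production `now` would simply be `datetime.now()` and `lines` the tail of the syslog feed, with `threshold` set to whatever the rule's 60 seconds is adjusted to.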