Thanks, this helps. I'm wanting to check if SEC is behind, but also check if the overall log flow (which involves 3 rsyslog servers I can monitor, and a logstash server I can't) is keeping up.
As for including the delta in the message, you can do something like:

    action=lcall %o -> (sub {perl code here}); pipe 'SEC is behind %o minutes. Log time: $1' /bin/mailx -s "SEC: %t SEC is behind 1+ minutes." u...@somewhere.edu

David Lang

On Mon, 4 Jan 2016, Todd M. Hall wrote:

> Date: Mon, 4 Jan 2016 13:25:26 -0600 (CST)
> From: Todd M. Hall <t...@msstate.edu>
> To: David Lang <da...@lang.hm>
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] detecting 'old' logs
>
> We looked into this and did indeed find a solution. You don't want to check
> the timestamp of all of the syslogs as it would be too much effort and could
> impact the performance of SEC. The solution we came up with is to send a
> syslog message from the localhost via a cron job. This puts it in the queue
> like any other syslog but guarantees that the timestamp would be in sync. So
> then all you need is an SEC rule to calculate the unix timestamp of the
> current time and the syslog message. The final rule is kinda ugly, but it
> works.
>
> ############################ Begin Rule ############################
> type=Single
> continue=TakeNext
> ptype=RegExp
> context=$1 -> ( sub { use Time::Local; \
>     my $timestring = $_[0]; \
>     my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11); \
>     my ($csec, $cmin, $chour, $cmday, $cmon, $year) = localtime(time); \
>     $timestring =~ /^([A-Z][a-z]+)\s+(\d+)\s(\d+):(\d+):(\d+)/; \
>     my ($lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2, $3, $4, $5); \
>     my $month = $months{$lmon}; \
>     my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month, $year); \
>     my $ctime = time; \
>     my $diff = $ctime - $ltime; \
>     return 1 if ($diff > 60); \
> } )
> pattern=^([A-Z][a-z]{2}\s+\d+ \d+:\d+:\d+) \S+.*sec temporal probe
> desc=SEC_behind
> action=pipe 'SEC is behind 1+ minutes. Log time: $1' /bin/mailx -s "SEC: %t SEC is behind 1+ minutes." u...@somewhere.edu
> ############################ End Rule ############################
>
> This rule triggers if the time is over 60 seconds off. This could be easily
> adjusted. The only problem is that the email doesn't show exactly how far
> off it is. Hopefully someone else on this list will have a more elegant
> solution to this problem.
>
>
> On Mon, 4 Jan 2016, David Lang wrote:
>
>> Date: Mon, 4 Jan 2016 12:45:07 -0600
>> From: David Lang <da...@lang.hm>
>> To: simple-evcorr-users@lists.sourceforge.net
>> Subject: [Simple-evcorr-users] detecting 'old' logs
>>
>> has anyone put together the code that would be needed to detect if sec or
>> log delivery is falling behind? something along the order of 'if the
>> timestamp in the logs is > X min behind current, alert'?
>>
>> David Lang
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
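To show how the cron-driven probe check can report the actual delta that Todd's rule leaves out, and cover several relays at once as asked at the top of the thread, here is an added Python example. It is not code from the thread, from SEC or from any of the posters: it parses probe lines of the "sec temporal probe" form the rule above matches, infers the year that BSD syslog timestamps lack (stepping back a year when the naive result lands in the future, which is what happens to a Dec 31 probe read on Jan 1), and reports the lag per sending host. The host names, the probe marker text and the sample lines are constructed for illustration. It runs stand-alone, for instance from cron or a monitoring check against the tail of the syslog file; the same arithmetic written in Perl is what would sit inside the `lcall` context of David's sketch.

```python
import re
import time
from datetime import datetime

# Start of a classic BSD-syslog line: "Jan  4 13:25:26 host ..." (no year field)
_TS_RE = re.compile(r'^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\S+)')
_MONTHS = {name: i for i, name in enumerate(
    ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'), start=1)}

# Marker text the cron job writes; matches the rule in the thread (constructed here).
PROBE_MARK = 'sec temporal probe'


def local_epoch(*ymdhms):
    """Epoch seconds for a wall-clock time given in the local timezone."""
    return datetime(*ymdhms).timestamp()


def parse_syslog_time(line, now):
    """Return (epoch_seconds, host) for a BSD-syslog line, or None if it does not match.

    The timestamp carries no year. We first assume the year of `now`; if that
    places the message more than a day in the future (a probe logged on Dec 31
    but evaluated on Jan 1), we assume the previous year instead.
    """
    m = _TS_RE.match(line)
    if not m or m.group(1) not in _MONTHS:
        return None
    mon, day, hh, mm, ss, host = m.groups()
    now_year = datetime.fromtimestamp(now).year
    for year in (now_year, now_year - 1):
        try:
            ts = datetime(year, _MONTHS[mon], int(day),
                          int(hh), int(mm), int(ss)).timestamp()
        except ValueError:      # e.g. "Feb 29" evaluated against a non-leap year
            continue
        if ts - now <= 86400:   # not implausibly far in the future: accept
            return ts, host
    return None


def probe_lags(lines, now=None):
    """Map host -> lag in seconds of the newest probe line seen from that host.

    Only lines carrying PROBE_MARK are parsed, so the cost is one regex match
    per probe rather than per syslog message (Todd's point about performance).
    """
    now = time.time() if now is None else now
    lags = {}
    for line in lines:
        if PROBE_MARK not in line:
            continue
        parsed = parse_syslog_time(line, now)
        if parsed is None:
            continue
        ts, host = parsed
        lag = now - ts
        if host not in lags or lag < lags[host]:   # newest probe wins
            lags[host] = lag
    return lags


def behind_alerts(lines, now=None, threshold=60):
    """One alert string per host whose newest probe is older than `threshold` seconds."""
    now = time.time() if now is None else now
    alerts = []
    for host, lag in sorted(probe_lags(lines, now).items()):
        if lag > threshold:
            alerts.append('SEC is behind %d minutes (%d s): last probe from %s'
                          % (lag // 60, lag, host))
    return alerts


# Constructed sample: three rsyslog relays each writing a cron-driven probe,
# evaluated as if the local clock read 2016-01-04 13:25:26.
SAMPLE_NOW = local_epoch(2016, 1, 4, 13, 25, 26)
SAMPLE_LINES = [
    'Jan  4 13:25:20 rsyslog1 root: sec temporal probe',
    'Jan  4 13:20:26 rsyslog2 root: sec temporal probe',
    'Jan  4 13:25:21 rsyslog3 sshd[123]: Accepted publickey for someone',
    'Jan  4 12:55:26 rsyslog3 root: sec temporal probe',
]

if __name__ == '__main__':
    for alert in behind_alerts(SAMPLE_LINES, SAMPLE_NOW):
        print(alert)
```

With the sample above, rsyslog1's probe is 6 seconds old and stays quiet, while rsyslog2 (5 minutes) and rsyslog3 (30 minutes) each produce an alert carrying the measured delta. Comparing the per-host lags also tells you whether one relay or the whole chain is behind, which a single "1+ minutes" message cannot.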