hi Todd and David,

the use of the Time::Local module and timelocal() is probably the best way to accomplish the task, but to make things a bit more efficient, a perlfunc pattern could be employed which would parse the event and calculate the time difference in one Perl function without an external regular expression match. This approach also allows one to obtain the actual time difference through a match variable:
type=single
ptype=perlfunc
pattern=sub { use Time::Local; \
if ($_[0] !~ /^(([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2})) .*sec temporal probe/) { return 0; } \
my ($timestamp, $lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2, $3, $4, $5, $6); \
my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11); \
my $month = $months{$lmon}; \
my($ctime) = time(); my($year) = (localtime($ctime))[5]; \
my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month, $year); \
my $diff = $ctime - $ltime; \
if ($diff > 60) { return ($diff, $timestamp); } else { return 0; } }
desc=time difference is $1 seconds (log timestamp is $2)
action=write - %s

If the time difference is greater than 60 seconds, the perlfunc pattern matches the "sec temporal probe" event and sets two match variables:

$1 - time difference in seconds
$2 - textual timestamp from the "sec temporal probe" event

kind regards,
risto

2016-01-04 21:25 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
> We looked into this and did indeed find a solution. You don't want to check the
> timestamp of all of the syslogs as it would be too much effort and could impact
> the performance of SEC. The solution we came up with is to send a syslog
> message from the localhost via a cron job. This puts it in the queue like any
> other syslog but guarantees that the timestamp would be in sync. So then all
> you need is an SEC rule to calculate the unix timestamp of the current time and
> the syslog message. The final rule is kinda ugly, but it works.
>
> ############################ Begin Rule ############################
> type=Single
> continue=TakeNext
> ptype=RegExp
> context=$1 -> ( sub { use Time::Local; \
> my $timestring = $_[0]; \
> my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11); \
> my ($csec, $cmin, $chour, $cmday, $cmon, $year) = localtime(time); \
> $timestring =~ /^([A-Z][a-z]+)\s+(\d+)\s(\d+):(\d+):(\d+)/; \
> my ($lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2, $3, $4, $5); \
> my $month = $months{$lmon}; \
> my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month, $year); \
> my $ctime = time; \
> my $diff = $ctime - $ltime; \
> return 1 if ($ctime - $ltime > 60); \
> } )
> pattern=^([A-Z][a-z]{2}\s+\d+ \d+:\d+:\d+) \S+.*sec temporal probe
> desc=SEC_behind
> action=pipe 'SEC is behind 1+ minutes. Log time: $1' /bin/mailx -s "SEC: %t SEC is behind 1+ minutes." u...@somewhere.edu
> ############################ End Rule ############################
>
> This rule triggers if the time is over 60 seconds off. This could be easily
> adjusted. The only problem is that the email doesn't show exactly how far off
> it is. Hopefully someone else on this list will have a more elegant solution to
> this problem.
>
>
> On Mon, 4 Jan 2016, David Lang wrote:
>
> > Date: Mon, 4 Jan 2016 12:45:07 -0600
> > From: David Lang <da...@lang.hm>
> > To: simple-evcorr-users@lists.sourceforge.net
> > Subject: [Simple-evcorr-users] detecting 'old' logs
> >
> > has anyone put together the code that would be needed to detect if sec or log
> > delivery is falling behind? something along the order of 'if the timestamp in
> > the logs is > X min behind current, alert'?
> >
> > David Lang
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >
>
> --
> Todd M. Hall
> Sr. Network Analyst
> Information Technology Services
> Mississippi State University
> t...@msstate.edu
> 662-325-9311 (phone)
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
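Editor's added example, not code from this thread, from Risto or Todd, or from SEC itself: a stand-alone Perl script that exercises the lag check outside SEC against a fixed "now", so the threshold, the one-or-two-space day field and the New Year rollover can be tested without waiting on the wall clock. The lag_check() sub keeps the contract of an SEC perlfunc pattern (event line in $_[0]; returns 0 for no match, or the list (lag_seconds, timestamp) that SEC would expose as $1 and $2). The $now and $threshold arguments, the month-name check, the eval guard around timelocal() and the previous-year fallback are this example's own additions; neither rule posted above handles a probe written on Dec 31 and read on Jan 1, where borrowing the current year gives a negative difference and the rule stays silent. The sample events are constructed, not real syslog.

```perl
#!/usr/bin/perl
# Stand-alone test harness for the "sec temporal probe" lag check.
# Added example; not a rule from the mailing-list thread.
use strict;
use warnings;
use Time::Local qw(timelocal);

my %MONTHS = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
              Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Same calling convention as an SEC perlfunc pattern: event line in $_[0].
# $now and $threshold are extra arguments for testability (assumed, not SEC's).
sub lag_check {
    my ($line, $now, $threshold) = @_;
    $now       = time() unless defined $now;
    $threshold = 60     unless defined $threshold;

    # Same anchored expression as the rule in the thread: "Mon dd hh:mm:ss" with
    # one or two spaces before a one- or two-digit day, then the probe marker.
    return 0 unless $line =~
        /^(([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2})) .*sec temporal probe/;
    my ($stamp, $mon, $mday, $hour, $min, $sec) = ($1, $2, $3, $4, $5, $6);

    # An unknown month name would otherwise reach timelocal() as undef.
    return 0 unless exists $MONTHS{$mon};

    # Syslog timestamps carry no year, so borrow it from "now" ...
    my $year  = (localtime($now))[5];
    my $ltime = eval { timelocal($sec, $min, $hour, $mday, $MONTHS{$mon}, $year) };
    return 0 unless defined $ltime;    # impossible date such as "Feb 30" croaks

    # ... and if that places the event more than a day in the future, the line was
    # written before New Year and is being read after it: use the previous year.
    if ($ltime - $now > 86400) {
        $ltime = eval { timelocal($sec, $min, $hour, $mday, $MONTHS{$mon}, $year - 1) };
        return 0 unless defined $ltime;
    }

    my $lag = $now - $ltime;
    return $lag > $threshold ? ($lag, $stamp) : 0;
}

# Constructed sample events, evaluated against a fixed "now" of
# Jan 1 2016 00:00:20 local time.
my $now    = timelocal(20, 0, 0, 1, 0, 2016);
my @events = (
    "Jan  1 00:00:10 loghost sec temporal probe",              # 10 s behind: quiet
    "Dec 31 23:58:00 loghost sec temporal probe",              # 140 s behind, across New Year
    "Jan  1 00:00:10 loghost sshd[123]: Accepted publickey",   # not a probe: no match
    "Foo  1 00:00:10 loghost sec temporal probe",              # bogus month name: no match
);

for my $line (@events) {
    my ($lag, $stamp) = lag_check($line, $now);
    if ($lag) {
        printf "ALERT: time difference is %d seconds (log timestamp is %s)\n", $lag, $stamp;
    } else {
        printf "ok:    %s\n", $line;
    }
}
```

Run it with any TZ setting; timelocal() and localtime() use the same zone, so the result is the same 140-second alert for the Dec 31 probe and silence for the other three lines. To port the rollover check back into an SEC rule, drop the two extra arguments and keep $ctime = time() as the thread's rules do.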