Thanks for the suggestion Risto, I rewrote it using a perlfunc pattern which
shows me exactly how far behind SEC is.
On Mon, 4 Jan 2016, Risto Vaarandi wrote:
> Date: Mon, 4 Jan 2016 15:57:37 -0600
> From: Risto Vaarandi <risto.vaara...@gmail.com>
> To: Todd M. Hall <t...@msstate.edu>
> Cc: David Lang <da...@lang.hm>, simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] detecting 'old' logs
>
> hi Todd and David,
> the use of Time::Local module and timelocal() is probably the best way to
> accomplish the task, but to make things a bit more efficient, a perlfunc
> pattern could be employed which would parse the event and calculate the
> time difference in one Perl function without an external regular expression
> match. This approach also allows to obtain the actual time difference
> through a match variable:
>
> type=single
> ptype=perlfunc
> pattern=sub { use Time::Local; \
> if ($_[0] !~ /^(([A-Z][a-z]{2}) {1,2}(\d{1,2})
> (\d{2}):(\d{2}):(\d{2})) .*sec temporal probe/) { return 0; } \
> my ($timestamp, $lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2,
> $3, $4, $5, $6); \
> my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7
> Sep 8 Oct 9 Nov 10 Dec 11); \
> my $month = $months{$lmon}; \
> my($ctime) = time(); my($year) = (localtime($ctime))[5]; \
> my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month,
> $year); \
> my $diff = $ctime - $ltime; \
> if ($diff > 60) { return ($diff, $timestamp); } else { return 0; }
> }
> desc=time difference is $1 seconds (log timestamp is $2)
> action=write - %s
>
> If the time difference is greater than 60 seconds, the perlfunc pattern
> matches "sec temporal probe" event and sets two match variables:
> $1 - time difference in seconds
> $2 - textual timestamp from the "sec temporal probe" event
>
> kind regards,
> risto
>
>
> 2016-01-04 21:25 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
>
>> We looked into this and did indeed find a solution. You don't want to
>> check the
>> timestamp of all of the syslogs as it would be too much effort and could
>> impact
>> the performance of SEC. The solution we came up with is to send a syslog
>> message from the localhost via a cron job. This puts it in the queue like
>> any
>> other syslog but guarantees that the timestamp would be in sync. So then
>> all
>> you need is an SEC rule to calculate the unix timestamp of the current
>> time and
>> the syslog message. The final rule is kinda ugly, but it works.
>>
>> ############################ Begin Rule ############################
>> type=Single
>> continue=TakeNext
>> ptype=RegExp
>> context=$1 -> ( sub { use Time::Local; \
>> my $timestring = $_[0]; \
>> my %months = qw(Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug 7
>> Sep 8 Oct 9 Nov 10 Dec 11); \
>> my ($csec, $cmin, $chour, $cmday, $cmon, $year) =
>> localtime(time); \
>> $timestring =~ /^([A-Z][a-z]+)\s+(\d+)\s(\d+):(\d+):(\d+)/; \
>> my ($lmon, $lmday, $lhour, $lmin, $lsec) = ($1, $2, $3, $4, $5); \
>> my $month = $months{$lmon}; \
>> my $ltime = timelocal($lsec, $lmin, $lhour, $lmday, $month,
>> $year); \
>> my $ctime = time; \
>> my $diff = $ctime - $ltime; \
>> return 1 if ($ctime - $ltime > 60); \
>> } )
>> pattern=^([A-Z][a-z]{2}\s+\d+ \d+:\d+:\d+) \S+.*sec temporal probe
>> desc=SEC_behind
>> action=pipe 'SEC is behind 1+ minutes. Log time: $1' /bin/mailx -s "SEC:
>> %t SEC
>> is behind 1+ minutes." u...@somewhere.edu
>> ############################ End Rule ############################
>>
>> This rule triggers if the time is over 60 seconds off. This could be
>> easily
>> adjusted. The only problem is that the email doesn't show exactly how far
>> off
>> it is. Hopefully someone else on this list will have a more elegant
>> solution to
>> this problem.
>>
>>
>> On Mon, 4 Jan 2016, David Lang wrote:
>>
>>> Date: Mon, 4 Jan 2016 12:45:07 -0600
>>> From: David Lang <da...@lang.hm>
>>> To: simple-evcorr-users@lists.sourceforge.net
>>> Subject: [Simple-evcorr-users] detecting 'old' logs
>>>
>>> has anyone put together the code that would be needed to detect if sec
>> or log
>>> delivery is falling behind? something along the order of 'if the
>> timestamp in
>>> the logs is > X min behind current, alert'?
>>>
>>> David Lang
>>>
>>>
>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>
>> --
>> Todd M. Hall
>> Sr. Network Analyst
>> Information Technology Services
>> Mississippi State University
>> t...@msstate.edu
>> 662-325-9311 (phone)
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>
--
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
