Hi there,
I am trying to make sure I keep receiving a constant stream of events coming in
from syslog and alert me in case it stops. The trivial approach I think would
be to create a context and keep recreating it for every event I get. Something
like this in the beginning of a ruleset:
type=Single
ptype=RegExp
pattern=^\S+ (?<host>\S+)
continue=TakeNext
desc=$0
action=create KEEPALIVE_$+{host} 15 ( event 0 HOST STOPPED REPORTING: $+{host} )
Now, I am a little bit worried about the performance impact this might have. I
have a couple of dozen hosts that report about 20 million events per day all
together. Wouldn't this negatively affect the overall performance, since I'll
be re-creating a context for each event?
Is there a better approach to make sure syslog events keep flowing?
Thanks,
Eli
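To show the cost difference the question is about, here is an added example (not part of the post or of SEC itself) that models the same detection outside SEC: each event costs one regex match and one dictionary write, and the 15-second expiry is checked by a periodic sweep instead of a per-event timer. The regex and the 15 s lifetime are taken from the rule above; the class and function names and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Same capture as the rule in the post: first token is the timestamp, second the host.
HOST_RE = re.compile(r"^\S+ (?P<host>\S+)")

KEEPALIVE_SECONDS = 15  # lifetime used by the post's create action


class HostWatchdog:
    """Track when each host was last seen and report hosts that went quiet.

    Per event: one regex match and one dict assignment. The expiry check
    runs once per sweep (e.g. every few seconds), not once per event.
    """

    def __init__(self, timeout: int = KEEPALIVE_SECONDS) -> None:
        self.timeout = timeout
        self.last_seen: Dict[str, float] = {}
        self.alerted: set = set()  # hosts already reported for the current outage

    def observe(self, line: str, now: float) -> Optional[str]:
        """Record a syslog line; return the host name, or None if it did not parse."""
        m = HOST_RE.match(line)
        if m is None:
            return None
        host = m.group("host")
        self.last_seen[host] = now
        self.alerted.discard(host)  # host is back: re-arm the alert for it
        return host

    def sweep(self, now: float) -> List[str]:
        """Return one alert per host silent longer than the timeout (once per outage)."""
        alerts = []
        for host, seen in self.last_seen.items():
            if now - seen > self.timeout and host not in self.alerted:
                self.alerted.add(host)
                alerts.append(f"HOST STOPPED REPORTING: {host}")
        return alerts


def demo() -> List[str]:
    # Constructed "<timestamp> <host> <message>" lines with their arrival times.
    feed = [
        (0.0, "2017-05-01T10:00:00 web1 sshd[100]: session opened"),
        (1.0, "2017-05-01T10:00:01 db1 kernel: eth0 link up"),
        (10.0, "2017-05-01T10:00:10 web1 cron[200]: job done"),
    ]
    wd = HostWatchdog()
    for t, line in feed:
        wd.observe(line, now=t)
    # At t=20, db1 has been silent 19 s (> 15) and web1 only 10 s.
    return wd.sweep(now=20.0)
```

In SEC terms this is the difference between resetting a per-host timestamp on every event and tearing down and rebuilding a context (with its pending action) twenty million times a day.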
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users