Alert when multiple repeated lines are found
Is there a way to set an Alert when multiple repeated lines are found in a log?

I want to spawn an email Alert if a message is received 3 times.

Example log lines:
Jul 30 04:19:29 localhost program: Error detected
Jul 30 05:19:29 localhost program: Error detected
Jul 30 06:19:29 localhost program: Error detected

Thanks,
Julian
Alert when multiple repeated lines are found [ In reply to ]
Not in rsyslogd itself, but you could do this with Swatch, Nagios, or
some other monitoring-type software.

-HKS

On Wed, Jul 30, 2008 at 6:18 PM, Julian Yap <julianokyap at gmail.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
Hmm, Nagios is a pain to set up. Looking for something more
lightweight... Was hoping that I could have consolidated lots of Alerts
under Rsyslog.

Any other suggestions besides Swatch?



On 7/31/08, (private) HKS <hks.private at gmail.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
What exactly do you need to do except the "three in a row" alert?

----- Original Message -----
From: "Julian Yap" <julianokyap at gmail.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 31.07.08 20:27
Subject: Re: [rsyslog] Alert when multiple repeated lines are found

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
Alert when multiple repeated lines are found [ In reply to ]
That's pretty much it for now. I've written Alerts for single line
events. But for one particular event, it's only really a factor if it
happens three times in a row.


On Thu, Jul 31, 2008 at 8:37 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
To clarify: let "a" be the event in question and "b" any other event. Two samples of an event sequence:

1. a - a - a - b
2. a - a - b - a

Result: in case 1 an alert is triggered, in case 2 not.

Is this understanding correct?

rainer

----- Original Message -----
From: "Julian Yap" <julianokyap at gmail.com>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Cc: "rgerhards at hq.adiscon.com" <rgerhards at hq.adiscon.com>; "hks.private at gmail.com" <hks.private at gmail.com>
Sent: 31.07.08 21:59
Subject: Re: [rsyslog] Alert when multiple repeated lines are found

Alert when multiple repeated lines are found [ In reply to ]
Oh, and one thing I forgot: what makes an event identical? Same message except timestamp - or what (e.g. same host, same tag, ...)?

rainer

----- Original Message -----
From: "Rainer Gerhards" <rgerhards at hq.adiscon.com>
To: "Julian Yap" <julianokyap at gmail.com>
Cc: "rsyslog at lists.adiscon.com" <rsyslog at lists.adiscon.com>
Sent: 31.07.08 22:39
Subject: Re: [rsyslog] Alert when multiple repeated lines are found

Alert when multiple repeated lines are found [ In reply to ]
Yes, this would be correct.

In my example, a particular message string would be the same.

Example:
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad

So then it could be $msg == 'This is really bad' or perhaps $msg
contains 'really bad'. But for me, matching the exact $msg would be
fine. :P


On Thu, Jul 31, 2008 at 10:38 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
Just to make sure:

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:04 server program: This is really bad

[Note the last timestamp!] would still make up for "three in a row"?

Now, syslog contains not only timestamps, but also hostnames. So how about

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server2 program: This is really bad
Jul 31 13:45:03 server program: This is really bad

And what about this:

Jul 31 13:45:03 server program2: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad

And would that trigger any alert at all:

Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server2 program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program2: This is really bad
Jul 31 13:45:03 server program: This is really bad

Finally, does "three in a row" time out? So what would happen in the case below. Watch the timestamps and let's assume there are no other records inside the log:

Jul 29 13:45:03 server program: This is really bad
Jul 30 13:45:03 server program: This is really bad
Jul 31 13:45:04 server program: This is really bad

And a related question. You write:

> So then is could be $msg == 'This is really bad' or perhaps $msg
> contains 'really bad'. But for me, matching the exact $msg would be
> fine. :P

Does this imply you would like to do the "if $msg == 'this is really bad'" check? So far, I assume you do NOT do this but expect an alert to be raised whenever ANY message fulfills the identity criterion n times in a row. Please explain.

Thanks,
Rainer

> -----Original Message-----
> From: Julian Yap [mailto:julianokyap at gmail.com]
> Sent: Friday, August 01, 2008 1:50 AM
> To: Rainer Gerhards
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
Alert when multiple repeated lines are found [ In reply to ]
Hi Rainer,

Thanks for taking the time to work on my issue. I'll approach this
from my situation.

On Thu, Jul 31, 2008 at 7:45 PM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> Just to make sure:
>
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:04 server program: This is really bad
>
> [Note the last timestamp!] would still make up for "three in a row"?

Yes. Something that would be nice would be 'three in a row in the
last x minutes'... But let's keep things simple for now :)

> Now, syslog contains not only timestamps, but also hostnames. So how about
>
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server2 program: This is really bad
> Jul 31 13:45:03 server program: This is really bad

In my particular case, it would only come from the one server. But if
I had 2 servers logging to the same log file, it should have the
option to filter based on server and/or message.

> And what about this:
>
> Jul 31 13:45:03 server program2: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
>
> And would that trigger any alert at all:

In my particular case, it would only come from the one program. But
if I had 2 programs logging to the same log file, it should have the
option to filter based on program and/or message.

> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server2 program: This is really bad
> Jul 31 13:45:03 server program: This is really bad
> Jul 31 13:45:03 server program2: This is really bad
> Jul 31 13:45:03 server program: This is really bad
>
> Finally, does "three in a row" time out? So what would happen in the case below. Watch the timestamps and let's assume there are no other records inside the log:

In my particular case, 'three in a row' wouldn't time out. I would
use ActionMail so I would use a corresponding
$ActionExecOnlyOnceEveryInterval value.

For my particular case, it happens when a process totally locks up. A
very rare instance which requires manually restarting a process... So
the 'This is really bad' messages would eventually stop.

> Jul 29 13:45:03 server program: This is really bad
> Jul 30 13:45:03 server program: This is really bad
> Jul 31 13:45:04 server program: This is really bad
>
> And a related question. You write:
>
>> So then is could be $msg == 'This is really bad' or perhaps $msg
>> contains 'really bad'. But for me, matching the exact $msg would be
>> fine. :P
>
> Does this imply you would like to do the "if $msg == 'this is really bad'" check? So far, I assume you do NOT do this but expect an alert to be raised whenever ANY messages fulfills the identity criterion n times in a row. Please explain.

Yes, you assume correctly.

What I'm looking for:
if $msg == 'This is really bad' happens 3 times in a row then :ommail:;mailBody

This would be nice but is not required since the 'This is really bad'
message in my case is very unique:
if ($msg == 'This is really bad' and $server == 'server' and $program == 'program') happens 3 times in a row then :ommail:;mailBody

- Julian

> Thanks,
> Rainer
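A small reference implementation of the "three in a row" semantics the thread settles on, added here for illustration (this is not rsyslog's code): a message filter on $msg with optional host/program restriction, a run counter that resets on any other event and never times out, and an alert throttle standing in for $ActionExecOnlyOnceEveryInterval. The syslog line layout, the year assumed for the year-less timestamp, and the sample logs are all constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional

# The BSD syslog timestamp carries no year; assume one for the constructed samples.
ASSUMED_YEAR = 2008

# "Mon DD HH:MM:SS host tag: message", the layout of every line quoted in the thread.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

@dataclass(frozen=True)
class Event:
    when: datetime
    host: str   # rsyslog's $hostname
    tag: str    # rsyslog's $programname (syslog tag without the colon)
    msg: str    # rsyslog's $msg

def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None when it does not fit the layout."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(when, m["host"], m["tag"], m["msg"])

def make_filter(msg: str, host: Optional[str] = None,
                tag: Optional[str] = None) -> Callable[[Event], bool]:
    """The thread's rule: $msg == '...', optionally restricted to one host/program."""
    def matches(ev: Event) -> bool:
        return (ev.msg == msg
                and (host is None or ev.host == host)
                and (tag is None or ev.tag == tag))
    return matches

class NInARowRule:
    """Fire on the n-th consecutive event the filter accepts.

    Any other event (an unparseable line included) resets the run, so a-a-a-b
    fires and a-a-b-a does not.  There is no time-out: matches days apart still
    count.  A firing consumes the run, and an optional min_interval_s suppresses
    repeat alerts the way $ActionExecOnlyOnceEveryInterval would for ommail.
    """

    def __init__(self, n: int, filt: Callable[[Event], bool],
                 min_interval_s: Optional[float] = None) -> None:
        self.n = n
        self.filt = filt
        self.min_interval_s = min_interval_s
        self.run = 0                              # current count of matches in a row
        self.last_fired: Optional[datetime] = None

    def feed(self, ev: Optional[Event]) -> bool:
        """Return True when this event completes a run of n and is not throttled."""
        if ev is None or not self.filt(ev):
            self.run = 0
            return False
        self.run += 1
        if self.run < self.n:
            return False
        self.run = 0                              # the n-th match used up the run
        if (self.min_interval_s is not None and self.last_fired is not None
                and (ev.when - self.last_fired).total_seconds() < self.min_interval_s):
            return False                          # inside the quiet interval: no mail
        self.last_fired = ev.when
        return True

def scan(lines: List[str], rule: NInARowRule) -> List[int]:
    """Run the rule over a log; return the 0-based indexes of lines that fired it."""
    return [i for i, line in enumerate(lines) if rule.feed(parse_line(line))]

BAD = "This is really bad"
# Constructed sample logs modelled on the cases Rainer lists in the thread.
THREE_THEN_OTHER = [
    "Jul 31 13:45:03 server program: This is really bad",
    "Jul 31 13:45:03 server program: This is really bad",
    "Jul 31 13:45:04 server program: This is really bad",
    "Jul 31 13:45:05 server program: something else",
]
MIXED_HOST_AND_TAG = [
    "Jul 31 13:45:03 server program: This is really bad",
    "Jul 31 13:45:03 server2 program: This is really bad",
    "Jul 31 13:45:03 server program: This is really bad",
    "Jul 31 13:45:03 server program2: This is really bad",
    "Jul 31 13:45:03 server program: This is really bad",
]
DAYS_APART = [
    "Jul 29 13:45:03 server program: This is really bad",
    "Jul 30 13:45:03 server program: This is really bad",
    "Jul 31 13:45:04 server program: This is really bad",
]
```

With the msg-only filter the mixed host/program log still fires on its third line; adding host="server", tag="program" to the filter makes it stay silent, which is the "and/or" option Julian asks for.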
Alert when multiple repeated lines are found [ In reply to ]
Just one more re-confirmation:

> What I'm looking for:
> if $msg == 'This is really bad' happens 3 times in a row then
> :ommail:;mailBody
>
> This would be nice but is not required since the 'This is really bad'
> message in my case is very unique:
> if ($msg == 'This is really bad' and $server == 'server' and $program
> == 'program') happens 3 times in a row then :ommail:;mailBody

So you would actually use such a rule. If "this other thing is really
bad" happened three times, the rule shall not trigger. Is this right?

Rainer
Alert when multiple repeated lines are found [ In reply to ]
On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> Just one more re-confirmation:
>
>> What I'm looking for:
>> if $msg == 'This is really bad' happens 3 times in a row then
>> :ommail:;mailBody
>>
>> This would be nice but is not required since the 'This is really bad'
>> message in my case is very unique:
>> if ($msg == 'This is really bad' and $server == 'server' and $program
>> == 'program') happens 3 times in a row then :ommail:;mailBody
>
> So you would actually use such a rule. If "this other thing is really
> bad" happened three times, the rule shall not trigger. Is this right?

Yes, I would use such a rule. It would make what is already an
awesome application even more awesome. :P I am also willing to test
it out and run the latest development version... Which I'm doing
anyway.

And yes, what you just wrote is correct.

- Julian
Alert when multiple repeated lines are found [ In reply to ]
OK, that greatly simplifies things. Actually, it now boils down to
"execute an action only on the n-th time the filter evaluates to true".
I think this is quite easy to implement, but I must verify that...

Rainer

> -----Original Message-----
> From: Julian Yap [mailto:julianokyap at gmail.com]
> Sent: Friday, August 01, 2008 11:03 AM
> To: Rainer Gerhards
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
Alert when multiple repeated lines are found [ In reply to ]
Roger that Rainer.

Thanks,
Julian

On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
This may be a silly question, but is the syslog daemon the proper
place for something like this?

-HKS

On Fri, Aug 1, 2008 at 6:13 AM, Julian Yap <julianokyap at gmail.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
That's not a silly one ;) And it is coming up every now and then. The
last time it came up, I was smart enough to write a blog post:
http://blog.gerhards.net/2008/03/on-rsyslog-design-philosophy-plugins.html

In short, and to this question: there are different schools of thought.
If you think about a plain ole syslogd shuffling data to disk files, you
do not need that. My vision of the syslogd (actually the "event logging
and alerting") subsystem is much broader. IMHO, it should support
anything that is needed to gather, process and persistently store
events. Also note that I say "events" for a reason - syslog messages are
just a subset of the potential set of events.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of (private) HKS
> Sent: Friday, August 01, 2008 4:25 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
Alert when multiple repeated lines are found [ In reply to ]
Thanks for the link, that post makes a lot of sense. I interpreted
this discussion as moving towards adding alert functionality to the
rsyslogd core - but your stance of keeping the rsyslogd core lean and
efficient while plugins provide a full suite of event handling
processes is reassuring.

I'm looking forward to seeing where you take this plugin architecture.

-HKS

On Fri, Aug 1, 2008 at 11:02 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
Alert when multiple repeated lines are found [ In reply to ]
Actually, in this case the (limited) functionality will go into the
core. But that's not because we need it for alerting; it is something
that was scheduled for the core engine in any case (because there are
other use cases besides alerting where you need it, e.g. start some
corrective action only after the n-th error indication). Plus, it will be
very limited code. There are some other things, namely the enhanced rate
limiter, which will go to the core. I have some ways to do that via
plug-ins too, but given the expected complexity of this functionality vs
the expected complexity of pluginizing them, the choice to go to core is
really obvious. Another point where one could debate is enhanced
queuing. This, in the long term, is a candidate for being moved to a
plugin because many installations never use disk-based (or assisted)
queues.

Now comes the important difference: if a generic "let me know when any
message happens n times in a row" filter had been needed, that would NOT
go into the core, because it does not belong there. It is quite complex
and even performance-intensive. For that, future versions will have
custom (RainerScript) functions which can be provided by library plugins.
I have plans to implement such a beast (much later), but it will come as
a function that you provide the message to and that is only loaded on an
as-needed basis.

I hope this clarifies.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of (private) HKS
> Sent: Friday, August 01, 2008 5:17 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Thanks for the link, that post makes a lot of sense. I interpreted
> this discussion as moving towards adding alert functionality to the
> rsyslogd core - but your stance of keeping the rsyslogd core lean and
> efficient while plugins provide a full suite of event handling
> processes is reassuring.
>
> I'm looking forward to seeing where you take this plugin architecture.
>
> -HKS
>
Alert when multiple repeated lines are found [ In reply to ]
Just to prove the point: I have now implemented it. As expected, it is a
very small code change (once you know where to apply it ;)). Have a look
at the primary patch:

http://git.adiscon.com/?p=rsyslog.git;a=blobdiff;f=action.c;h=3a2584de0f24fdf3f1af0c35748d29fe5e3a3845;hp=f72194059d41f011ae6daf6b6aa1a61d1472553e;hb=1480263b026984a3d48a7f750a78911777464797;hpb=0a7f964436af73f2e7fbd403b563f8d5a743f4a5

and note that most of it is comment. The amount of code actually executed
each time is rather limited and bears neither a large memory footprint nor
a large execution footprint. If the feature is not used, it is one simple
branch. Even if it is used, the performance effects are very limited.
Most importantly, a costly call to time() could be avoided by using the
value that was already present (but that needed a bit of reordering).

I am going into this detail just to explain the fine difference between
what belongs in the core (even though it is not "real core
functionality") and what must not get into it.

For example, if I had implemented that via a plugin, I would have needed
at least one (indirectly addressed) procedure call branch, still an if,
plus a return branch. Not good for speculative execution. Also, the
plumbing would probably have required more code than the full patch
shown (which is bad from a maintenance point of view as well as from a
CPU memory cache point of view ;)).

There remains the argument that if the code had not been introduced,
the core would be a little slimmer. That's right ;) An easy solution
would have been conditional compilation, but I have not applied it as I
think the few extra bytes and CPU cycles really don't matter (that
much).

Just for your info...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, August 01, 2008 5:24 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Actually, in this case the (limited) functionality will go into the
> core. But that's not because we need it for alerting but it is
> something
> that was scheduled for the core engine at all (because there are other
> use cases besides alerting where you need it, e.g. start some
> corrective
> action only after the n-th error indication). Plus, it will be very
> limited code. There are some other things, namely the enhanced rate
> limiter, which will go to the core. I have some ways to do that via
> plug-ins too, but given the expected complexity of this functionality
> vs
> the expected complexity of pluginizing them, the choice to go to core
> is
> really obvious. Another point where one could debate is enhanced
> queuing. This, in the long term, is a candidate for being moved to a
> plugin because many installations never use disk-based (or assisted)
> queues.
>
> Now comes the important difference: if a generic, any message let me
> know when it happens n times in the row filter would have been needed,
> that would NOT go into the core. Because it does not belong there. It
> is
> quite complex and even performance intense. For that, future version
> will have customer (RainerScript) functions which can be provided by
> library plugins. I have plans to implement such a beast (much later),
> but it will come as a function that you provide the message to and that
> is only loaded on an as-needed basis.
>
> I hope this clarifies.
>
> Rainer
Alert when multiple repeated lines are found [ In reply to ]
Julian,

as you have probably seen in my other post, I have implemented the
functionality. I have now also created a test tarball. I'd appreciate it
if you could obtain it from

http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz

and give it a try. Read ./doc/rsyslog_conf.html in regard to
$ActionExecOnlyEveryNthTime and $ActionExecOnlyEveryNthTimeTimeout. For
what you intend to do, this should work:

$ActionExecOnlyEveryNthTime 3
*.* ..your action..

You don't need the timeout, but I have included it for completeness.
Well, actually, if I were you I'd consider whether you really don't need
it. Is it really OK that "three in a row" means one each day?

Please provide feedback on this feature.

Thanks,
Rainer

> -----Original Message-----
> From: Julian Yap [mailto:julianokyap at gmail.com]
> Sent: Friday, August 01, 2008 12:14 PM
> To: Rainer Gerhards
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Roger that Rainer.
>
> Thanks,
> Julian
>
> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
> <rgerhards at hq.adiscon.com> wrote:
> > OK, that greatly simplifies things. Actually, it now boils down to
> > "execute an action only on the n-th time the filter evaluates to
> > true".
> > I think this is quite easy to implement, but I must verify that...
> >
> > Rainer
> >
> >> -----Original Message-----
> >> From: Julian Yap [mailto:julianokyap at gmail.com]
> >> Sent: Friday, August 01, 2008 11:03 AM
> >> To: Rainer Gerhards
> >> Cc: rsyslog at lists.adiscon.com
> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
> >>
> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
> >> <rgerhards at hq.adiscon.com> wrote:
> >> > Just one more re-confirmation:
> >> >
> >> >> What I'm looking for:
> >> >> if $msg == 'This is really bad' happens 3 times in a row then
> >> >> :ommail:;mailBody
> >> >>
> >> >> This would be nice but is not required since the 'This is really bad'
> >> >> message in my case is very unique:
> >> >> if ($msg == 'This is really bad' and $server == 'server' and $program
> >> >> == 'program') happens 3 times in a row then :ommail:;mailBody
> >> >
> >> > So you would actually use such a rule. If "this other thing is really
> >> > bad" happened three times, the rule shall not trigger. Is this right?
> >>
> >> Yes, I would use such a rule. It would make what is already an
> >> awesome application even more awesome. :P I am also willing to test
> >> it out and run the latest development version... Which I'm doing
> >> anyway.
> >>
> >> And yes, what you just wrote is correct.
> >>
> >> - Julian
> >
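The per-action counter Rainer describes in his patch note and in the $ActionExecOnlyEveryNthTime configuration above, as an added simulation written for this page (not rsyslog's code): it replays the thread's three "Error detected" lines through an action configured with n = 3, with and without a timeout, and also through the bare `*.*` selector. The reset-on-timeout rule, the filter callbacks and the sshd/cron lines are assumptions constructed for the example.

```python
"""Model of rsyslog's $ActionExecOnlyEveryNthTime / ...Timeout behaviour.

Added illustration, not rsyslog code. Assumed semantics: one counter per
action; every message that passes the action's filter bumps it; on the n-th
match the action runs and the counter resets; if a timeout is configured and
the previous match is more than `timeout` seconds old, the count restarts.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# Classic BSD syslog line: "Jul 30 04:19:29 localhost program: Error detected"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def parse_syslog_line(line: str, year: int = 2008):
    """Split a BSD-style syslog line; the format has no year, so one is supplied."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]


@dataclass
class NthTimeAction:
    """State kept for one action configured with the two directives (assumed model)."""
    n: int                              # $ActionExecOnlyEveryNthTime
    timeout: Optional[float] = None     # $ActionExecOnlyEveryNthTimeTimeout, seconds
    matches: int = 0
    last_match: Optional[datetime] = None
    fired: List[Tuple[datetime, str]] = field(default_factory=list)

    def feed(self, ts: datetime, msg: str) -> bool:
        """Account for one message that passed the filter; True if the action runs."""
        if (self.timeout is not None and self.last_match is not None
                and (ts - self.last_match).total_seconds() > self.timeout):
            self.matches = 0            # gap too long: "in a row" starts over
        self.last_match = ts
        self.matches += 1
        if self.matches < self.n:
            return False
        self.matches = 0                # n-th hit: execute and start counting again
        self.fired.append((ts, msg))
        return True


Filter = Callable[[str, str, str], bool]


def error_filter(host: str, tag: str, msg: str) -> bool:
    """The specific filter Julian wants: only the repeating error from 'program'."""
    return tag == "program" and msg == "Error detected"


def match_all(host: str, tag: str, msg: str) -> bool:
    """The '*.*' selector: every message reaches the action and is counted."""
    return True


def run(lines, filt: Filter, n: int, timeout: Optional[float] = None):
    """Replay log lines through one action; return when it fired, as ISO time + msg."""
    action = NthTimeAction(n=n, timeout=timeout)
    for line in lines:
        ts, host, tag, msg = parse_syslog_line(line)
        if filt(host, tag, msg):
            action.feed(ts, msg)
    return [(ts.isoformat(), msg) for ts, msg in action.fired]


# Constructed sample log: the three "Error detected" lines are the ones from the
# thread; the sshd and cron lines are made up to interleave unrelated traffic.
SAMPLE_LOG = [
    "Jul 30 04:19:29 localhost program: Error detected",
    "Jul 30 04:20:00 localhost sshd: Accepted publickey for ops",
    "Jul 30 05:19:29 localhost program: Error detected",
    "Jul 30 05:45:10 localhost cron: job finished",
    "Jul 30 06:19:29 localhost program: Error detected",
]

if __name__ == "__main__":
    # No timeout: the third error, two hours after the first, triggers the alert.
    print("n=3, no timeout     :", run(SAMPLE_LOG, error_filter, 3))
    # 30-minute timeout: errors an hour apart never count as "three in a row".
    print("n=3, timeout 1800 s :", run(SAMPLE_LOG, error_filter, 3, timeout=1800))
    # '*.*' counts unrelated messages too, so the alert fires after only two errors.
    print("n=3, *.* filter     :", run(SAMPLE_LOG, match_all, 3))
```

The last case is the one to check in a real configuration: the counter belongs to the action, not to a message text, so whatever the filter lets through is counted towards the n-th execution.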
Alert when multiple repeated lines are found [ In reply to ]
Rainer,

Initial testing looks fine. I'll try some more to see if I can break it.

- Julian

On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> Julian,
>
> as you have probably seen in my other post, I have implemented the
> functionality. I have now also created a test tarball. I'd appreciate if
> you could obtain it from
>
> http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
>
> and give it a try. Read ./doc/rsyslog_conf.html in regard to
> $ActionExecOnlyEveryNthTime and $ActionExecOnlyEveryNthTimeTimeout. For
> what you intend to do, this should work:
>
> $ActionExecOnlyEveryNthTime 3
> *.* ..your action..
>
> You don't need the timeout, but I have included it for completeness.
> Well, actually if I were you I'd think if you really don't need it. Is
> it really OK that "three in a row" means one each day?
>
> Please provide feedback on this feature.
>
> Thanks,
> Rainer
Alert when multiple repeated lines are found [ In reply to ]
Yep, after further testing this works great! Thanks Rainer.

On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap <julianokyap at gmail.com> wrote:
> Rainer,
>
> Initial testing looks fine. I'll try some more to see if I can break it.
>
> - Julian
Alert when multiple repeated lines are found [ In reply to ]
Thanks for the feedback, it will now be part of the next devel release,
I think some time next week :)

Rainer

> -----Original Message-----
> From: Julian Yap [mailto:julianokyap at gmail.com]
> Sent: Friday, August 08, 2008 1:55 AM
> To: Rainer Gerhards
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Yep, after further testing this works great! Thanks Rainer.
Alert when multiple repeated lines are found [ In reply to ]
It's kind of strange but I've had this running for about a week now...
I seem to have had 2 false alerts for no apparent reason.


On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> Thanks for the feedback, it will now be part of the next devel release,
> I think some time next week :)
>
> Rainer
Alert when multiple repeated lines are found [ In reply to ]
Do you use $ActionExecOnlyEveryNthTimeTimeout?

Rainer


> -----Original Message-----
> From: Julian Yap [mailto:julianokyap at gmail.com]
> Sent: Wednesday, August 13, 2008 12:32 PM
> To: Rainer Gerhards
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are found
>
> It's kind of strange but I've had this running for about a week now...
> I seem to have had 2 false alerts for no apparent reason.