Just to keep everyone update. I got a private mail with some details not
to be posted publically. However, Julian stated that he does not use
$ActionExecOnlyEveryNthTimeTimeout.
With that (and the non-public) info, I think that the missing
$ActionExecOnlyEveryNthTimeTimeout is the culprit. I have not asked how
often the receiving syslogd is restarted or huped. Julian, please let me
know. If it is sufficiently seldom, I think it could be an "old"
message.
I think about this scenario: a message comes it at, eg., 10am. That's
count 1. Then, nothing happens for the next 10 hours. At 8pm, the next
one occurs. That's count 2. Another 5 hours later, the next message
occurs, bringing the total count to 3. Thus, this message now triggers
the rule.
The question is if this is desired behavior? Or should the rule only be
triggered if the messages occur within an e.g. 20 minute window? If the
later is the case, you need a
$ActionExecOnlyEveryNthTimeTimeout 1200
This directive will timeout previous messages seen if they are older
than 20 minutes. In the example above, the count would now be always 1
and consequently no rule would ever be triggered (and that's the reason
why this directive is present;)).
Does this make sense? Does it match what you see?
Rainer
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, August 13, 2008 12:48 PM
> To: Julian Yap
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Do you use $ActionExecOnlyEveryNthTimeTimeout?
>
> Rainer
>
>
> > -----Original Message-----
> > From: Julian Yap [mailto:julianokyap at gmail.com]
> > Sent: Wednesday, August 13, 2008 12:32 PM
> > To: Rainer Gerhards
> > Cc: rsyslog at lists.adiscon.com
> > Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are
> found
> >
> > It's kind of strange but I've had this running for about a week
> now...
> > I seem to have had 2 false alerts for no apparent reason.
> >
> >
> > On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
> > <rgerhards at hq.adiscon.com> wrote:
> > > Thanks for the feedback, it will now be part of the next devel
> > release,
> > > I think some time next week :)
> > >
> > > Rainer
> > >
> > >> -----Original Message-----
> > >> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> Sent: Friday, August 08, 2008 1:55 AM
> > >> To: Rainer Gerhards
> > >> Cc: rsyslog at lists.adiscon.com
> > >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are
> > > found
> > >>
> > >> Yep, after further testing this works great! Thanks Rainer.
> > >>
> > >> On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap
> <julianokyap at gmail.com>
> > >> wrote:
> > >> > Rainer,
> > >> >
> > >> > Initial testing looks fine. I'll try some more to see if I can
> > > break
> > >> it.
> > >> >
> > >> > - Julian
> > >> >
> > >> > On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
> > >> > <rgerhards at hq.adiscon.com> wrote:
> > >> >> Julian,
> > >> >>
> > >> >> as you have probably seen in my other post, I have implemented
> > the
> > >> >> functionality. I have now also created a test tarball. I'd
> > >> appreciate if
> > >> >> you could obtain it from
> > >> >>
> > >> >>
http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
> > >> >>
> > >> >> and give it a try. Read ./doc/rsyslog_conf.html in regard to
> > >> >> $ActionExecOnlyEveryNthTime and
> > $ActionExecOnlyEveryNthTimeTimeout.
> > >> For
> > >> >> what you intend to do, this should work:
> > >> >>
> > >> >> $ActionExecOnlyEveryNthTime 3
> > >> >> *.* ..your action..
> > >> >>
> > >> >> You don't need the timeout, but I have included it for
> > > completeness.
> > >> >> Well, actually if I were you I'd think if you really don't
need
> > it.
> > >> Is
> > >> >> it really OK that "three in a row" means one each day?
> > >> >>
> > >> >> Please provide feedback on this feature.
> > >> >>
> > >> >> Thanks,
> > >> >> Rainer
> > >> >>
> > >> >>> -----Original Message-----
> > >> >>> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> >>> Sent: Friday, August 01, 2008 12:14 PM
> > >> >>> To: Rainer Gerhards
> > >> >>> Cc: rsyslog at lists.adiscon.com
> > >> >>> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines
> > are
> > >> >> found
> > >> >>>
> > >> >>> Roger that Rainer.
> > >> >>>
> > >> >>> Thanks,
> > >> >>> Julian
> > >> >>>
> > >> >>> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
> > >> >>> <rgerhards at hq.adiscon.com> wrote:
> > >> >>> > OK, that greatly simplifies things. Actually, it now boils
> > down
> > >> to
> > >> >>> > "execute an action only on the n-the time the filter
> evaluates
> > > to
> > >> >>> true".
> > >> >>> > I think this is quite easy to implement, but I must verify
> > >> that...
> > >> >>> >
> > >> >>> > Rainer
> > >> >>> >
> > >> >>> >> -----Original Message-----
> > >> >>> >> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> >>> >> Sent: Friday, August 01, 2008 11:03 AM
> > >> >>> >> To: Rainer Gerhards
> > >> >>> >> Cc: rsyslog at lists.adiscon.com
> > >> >>> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated
> lines
> > >> are
> > >> >>> > found
> > >> >>> >>
> > >> >>> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
> > >> >>> >> <rgerhards at hq.adiscon.com> wrote:
> > >> >>> >> > Just one more re-confirmation:
> > >> >>> >> >
> > >> >>> >> >> What I'm looking for:
> > >> >>> >> >> if $msg == 'This is really bad' happens 3 times in a
row
> > > then
> > >> >>> >> >> :ommail:;mailBody
> > >> >>> >> >>
> > >> >>> >> >> This would be nice but is not required since the 'This
> is
> > >> really
> > >> >>> >> bad'
> > >> >>> >> >> message in my case is very unique:
> > >> >>> >> >> if ($msg == 'This is really bad' and $server ==
'server'
> > and
> > >> >>> >> $program
> > >> >>> >> >> == 'program') happens 3 times in a row then
> > > :ommail:;mailBody
> > >> >>> >> >
> > >> >>> >> > So you would actually use such a rule. If "this other
> thing
> > > is
> > >> >>> > really
> > >> >>> >> > bad" happened three times, the rule shall not trigger.
Is
> > > this
> > >> >>> > right?
> > >> >>> >>
> > >> >>> >> Yes, I would use such a rule. It would make what is
> already
> > an
> > >> >>> >> awesome application even more awesome. :P I am also
> willing
> > to
> > >> >> test
> > >> >>> >> it out and run the latest development version... Which
I'm
> > >> doing
> > >> >>> >> anyway.
> > >> >>> >>
> > >> >>> >> And yes, what you just wrote is correct.
> > >> >>> >>
> > >> >>> >> - Julian
> > >> >>> >
> > >> >>
> > >> >
> > >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
to be posted publically. However, Julian stated that he does not use
$ActionExecOnlyEveryNthTimeTimeout.
With that (and the non-public) info, I think that the missing
$ActionExecOnlyEveryNthTimeTimeout is the culprit. I have not asked how
often the receiving syslogd is restarted or huped. Julian, please let me
know. If it is sufficiently seldom, I think it could be an "old"
message.
I think about this scenario: a message comes it at, eg., 10am. That's
count 1. Then, nothing happens for the next 10 hours. At 8pm, the next
one occurs. That's count 2. Another 5 hours later, the next message
occurs, bringing the total count to 3. Thus, this message now triggers
the rule.
The question is if this is desired behavior? Or should the rule only be
triggered if the messages occur within an e.g. 20 minute window? If the
later is the case, you need a
$ActionExecOnlyEveryNthTimeTimeout 1200
This directive will timeout previous messages seen if they are older
than 20 minutes. In the example above, the count would now be always 1
and consequently no rule would ever be triggered (and that's the reason
why this directive is present;)).
Does this make sense? Does it match what you see?
Rainer
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, August 13, 2008 12:48 PM
> To: Julian Yap
> Cc: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> Do you use $ActionExecOnlyEveryNthTimeTimeout?
>
> Rainer
>
>
> > -----Original Message-----
> > From: Julian Yap [mailto:julianokyap at gmail.com]
> > Sent: Wednesday, August 13, 2008 12:32 PM
> > To: Rainer Gerhards
> > Cc: rsyslog at lists.adiscon.com
> > Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are
> found
> >
> > It's kind of strange but I've had this running for about a week
> now...
> > I seem to have had 2 false alerts for no apparent reason.
> >
> >
> > On Thu, Aug 7, 2008 at 10:39 PM, Rainer Gerhards
> > <rgerhards at hq.adiscon.com> wrote:
> > > Thanks for the feedback, it will now be part of the next devel
> > release,
> > > I think some time next week :)
> > >
> > > Rainer
> > >
> > >> -----Original Message-----
> > >> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> Sent: Friday, August 08, 2008 1:55 AM
> > >> To: Rainer Gerhards
> > >> Cc: rsyslog at lists.adiscon.com
> > >> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines are
> > > found
> > >>
> > >> Yep, after further testing this works great! Thanks Rainer.
> > >>
> > >> On Thu, Aug 7, 2008 at 12:38 PM, Julian Yap
> <julianokyap at gmail.com>
> > >> wrote:
> > >> > Rainer,
> > >> >
> > >> > Initial testing looks fine. I'll try some more to see if I can
> > > break
> > >> it.
> > >> >
> > >> > - Julian
> > >> >
> > >> > On Thu, Aug 7, 2008 at 5:08 AM, Rainer Gerhards
> > >> > <rgerhards at hq.adiscon.com> wrote:
> > >> >> Julian,
> > >> >>
> > >> >> as you have probably seen in my other post, I have implemented
> > the
> > >> >> functionality. I have now also created a test tarball. I'd
> > >> appreciate if
> > >> >> you could obtain it from
> > >> >>
> > >> >>
http://download.rsyslog.com/rsyslog/rsyslog-3.21.3-Test3.tar.gz
> > >> >>
> > >> >> and give it a try. Read ./doc/rsyslog_conf.html in regard to
> > >> >> $ActionExecOnlyEveryNthTime and
> > $ActionExecOnlyEveryNthTimeTimeout.
> > >> For
> > >> >> what you intend to do, this should work:
> > >> >>
> > >> >> $ActionExecOnlyEveryNthTime 3
> > >> >> *.* ..your action..
> > >> >>
> > >> >> You don't need the timeout, but I have included it for
> > > completeness.
> > >> >> Well, actually if I were you I'd think if you really don't
need
> > it.
> > >> Is
> > >> >> it really OK that "three in a row" means one each day?
> > >> >>
> > >> >> Please provide feedback on this feature.
> > >> >>
> > >> >> Thanks,
> > >> >> Rainer
> > >> >>
> > >> >>> -----Original Message-----
> > >> >>> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> >>> Sent: Friday, August 01, 2008 12:14 PM
> > >> >>> To: Rainer Gerhards
> > >> >>> Cc: rsyslog at lists.adiscon.com
> > >> >>> Subject: Re: Re: [rsyslog] Alert when multiple repeated lines
> > are
> > >> >> found
> > >> >>>
> > >> >>> Roger that Rainer.
> > >> >>>
> > >> >>> Thanks,
> > >> >>> Julian
> > >> >>>
> > >> >>> On Thu, Jul 31, 2008 at 11:58 PM, Rainer Gerhards
> > >> >>> <rgerhards at hq.adiscon.com> wrote:
> > >> >>> > OK, that greatly simplifies things. Actually, it now boils
> > down
> > >> to
> > >> >>> > "execute an action only on the n-the time the filter
> evaluates
> > > to
> > >> >>> true".
> > >> >>> > I think this is quite easy to implement, but I must verify
> > >> that...
> > >> >>> >
> > >> >>> > Rainer
> > >> >>> >
> > >> >>> >> -----Original Message-----
> > >> >>> >> From: Julian Yap [mailto:julianokyap at gmail.com]
> > >> >>> >> Sent: Friday, August 01, 2008 11:03 AM
> > >> >>> >> To: Rainer Gerhards
> > >> >>> >> Cc: rsyslog at lists.adiscon.com
> > >> >>> >> Subject: Re: Re: [rsyslog] Alert when multiple repeated
> lines
> > >> are
> > >> >>> > found
> > >> >>> >>
> > >> >>> >> On Thu, Jul 31, 2008 at 10:18 PM, Rainer Gerhards
> > >> >>> >> <rgerhards at hq.adiscon.com> wrote:
> > >> >>> >> > Just one more re-confirmation:
> > >> >>> >> >
> > >> >>> >> >> What I'm looking for:
> > >> >>> >> >> if $msg == 'This is really bad' happens 3 times in a
row
> > > then
> > >> >>> >> >> :ommail:;mailBody
> > >> >>> >> >>
> > >> >>> >> >> This would be nice but is not required since the 'This
> is
> > >> really
> > >> >>> >> bad'
> > >> >>> >> >> message in my case is very unique:
> > >> >>> >> >> if ($msg == 'This is really bad' and $server ==
'server'
> > and
> > >> >>> >> $program
> > >> >>> >> >> == 'program') happens 3 times in a row then
> > > :ommail:;mailBody
> > >> >>> >> >
> > >> >>> >> > So you would actually use such a rule. If "this other
> thing
> > > is
> > >> >>> > really
> > >> >>> >> > bad" happened three times, the rule shall not trigger.
Is
> > > this
> > >> >>> > right?
> > >> >>> >>
> > >> >>> >> Yes, I would use such a rule. It would make what is
> already
> > an
> > >> >>> >> awesome application even more awesome. :P I am also
> willing
> > to
> > >> >> test
> > >> >>> >> it out and run the latest development version... Which
I'm
> > >> doing
> > >> >>> >> anyway.
> > >> >>> >>
> > >> >>> >> And yes, what you just wrote is correct.
> > >> >>> >>
> > >> >>> >> - Julian
> > >> >>> >
> > >> >>
> > >> >
> > >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog