[rsyslog] Alerting rules via a database
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Nov 17 07:28:25 CET 2009
Sorry, I have to admit it slipped my mind. Will create one this morning.
rainer
----- Original Message -----
From: "Phil Reilly" <philr at jaspers.co.nz>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 17.11.09 04:10
Subject: Re: [rsyslog] Alerting rules via a database
Any luck with the template?
Or should I just roll my own?
Cheers,
Phil
Rainer Gerhards wrote:
> So what you are actually looking for is a system that can work with
> dynamically changeable alert definitions? As David said, there is no such
> thing currently, but the best road to approach it is to write a custom output
> plugin that you pass each message to. That plugin can even decide if
> messages should be discarded and not further processed. I envisioned such a
> plugin for a similar use case, but have not yet had time to write it.
>
> If you intend to write one AND contribute it to the project, I can help you
> get started with the interface, would even be willing to create you a custom
> skeleton that you can fill in your logic ;)
>
> HTH
> Rainer
>
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com
>> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Phil Reilly
>> Sent: Sunday, November 08, 2009 9:30 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Alerting rules via a database
>>
>> david at lang.hm wrote:
>>
>>> On Sun, 8 Nov 2009, Phil Reilly wrote:
>>>
>>>> I am attempting to allow for flexible rule matches on syslogs from a web
>>>> front end (rather than entries into the rsyslog config files).
>>>>
>>>> I want to get regexp filters from a db to alert upon messages. Not sure
>>>> the best way to achieve this. I've so far thought of:
>>>>
>>>> * Outputting to a pipe and running it via an alerting script.
>>>> * Having file watch the messages.
>>>> * Receiving the messages then passing them to rsyslog (yuck)
>>>>
>>>> Can the rule engine allow for match rules outside of the config? Is
>>>> there an elegant way of doing this?
>>>>
>>> rsyslog doesn't give you this ability, but it's not really the best
>>> approach to use for alerting anyway.
>>>
>>> what are you trying to achieve by having the alert definitions in a
>>> database? there are several tools out there to do alerting; SEC (Simple
>>> Event Correlator) is one of the leading ones, but I'm not aware of any of
>>> them that use a database for their rulesets.
>>>
>>> I'm also scratching my head trying to figure out what the advantage of
>>> doing so would be.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
>>>
>>>
>> Thanks David,
>>
>> We have a networked environment. We also have a web page that allows you
>> to configure regexps to match certain syslog messages. These patterns are
>> compiled and kept in a table. The current syslog process we use listens
>> for UDP. When it gets a syslog message, we examine the patterns (which
>> are re-read upon addition or change) and pass them to an alerting
>> process before writing the logs to disk. The existing system works well,
>> but we now want to scale it over a few machines and I'm examining what
>> syslog products out there cater for alerting.
>>
>> So a database will make configuring alerts far more dynamic than
>> statically entering them into a config file. It will also allow for
>> grouped views so different groups have the ability to have custom alerts
>> based upon their own interpretation of syslog messages.
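As an added example, not code from this thread, from rsyslog or from Phil's existing system: a small Python matcher that implements the design Phil describes (regex rules kept in a database table, re-read when they change, every incoming message checked against the enabled rules, matches reported per group) in the shape of his first option, an alerting script fed one message per line. The table layout, column names, rule groups, sample rules and syslog lines are all constructed for the example; the version counter that triggers a reload is an assumption about how a web front end would signal a change. One constructed rule is deliberately malformed so the loader shows what should happen when a bad pattern is saved through the UI: it is rejected and logged, and the remaining rules keep working.

```python
import re
import sqlite3
import sys
from dataclasses import dataclass

# Constructed stand-in for the web front end's rules table. Table and column
# names are assumptions for this example, not the poster's schema.
SCHEMA = """
CREATE TABLE alert_rules (
    id         INTEGER PRIMARY KEY,
    group_name TEXT    NOT NULL,
    pattern    TEXT    NOT NULL,
    severity   TEXT    NOT NULL,
    enabled    INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE rules_version (version INTEGER NOT NULL);
INSERT INTO rules_version VALUES (1);
"""

# Constructed rules: (group, regex, severity). The third one is deliberately
# invalid so the loader's error handling is exercised.
SAMPLE_RULES = [
    ("netops", r"%LINK-3-UPDOWN: Interface (\S+), changed state to down", "high"),
    ("secops", r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from \S+", "medium"),
    ("secops", r"unbalanced(paren", "low"),
]

# Constructed syslog lines in the traditional <PRI>TIMESTAMP HOST TAG: MSG form.
SAMPLE_MESSAGES = [
    "<187>Nov 17 07:28:25 rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<38>Nov 17 07:28:26 host1 sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2",
    "<85>Nov 17 07:28:27 host1 sudo: phil : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
    "<30>Nov 17 07:28:28 host1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    group: str
    regex: re.Pattern
    severity: str


class RuleStore:
    """Keeps compiled rules in memory; recompiles only when rules_version changes."""

    def __init__(self, conn):
        self.conn = conn
        self.version = None
        self.rules = []
        self.rejected = []  # ids of rules whose regex failed to compile

    def refresh(self):
        """Reload rules if the DB version moved. Returns True when a reload happened."""
        (version,) = self.conn.execute("SELECT version FROM rules_version").fetchone()
        if version == self.version:
            return False
        rules, rejected = [], []
        query = ("SELECT id, group_name, pattern, severity FROM alert_rules "
                 "WHERE enabled = 1 ORDER BY id")
        for rule_id, group, pattern, severity in self.conn.execute(query):
            try:
                rules.append(Rule(rule_id, group, re.compile(pattern), severity))
            except re.error as exc:
                # A bad pattern typed into the web UI must not take the alert path down.
                print(f"rule {rule_id} rejected: {exc}", file=sys.stderr)
                rejected.append(rule_id)
        self.rules, self.rejected, self.version = rules, rejected, version
        return True


def evaluate(store, message):
    """Return one (group, severity, rule_id) tuple per rule the message matches."""
    store.refresh()  # one small SELECT when nothing changed
    return [(r.group, r.severity, r.rule_id) for r in store.rules if r.regex.search(message)]


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO alert_rules (group_name, pattern, severity) VALUES (?, ?, ?)", SAMPLE_RULES)
    conn.commit()
    return conn


def add_rule(conn, group, pattern, severity):
    """Simulate the web front end saving a rule and bumping the version."""
    conn.execute("INSERT INTO alert_rules (group_name, pattern, severity) VALUES (?, ?, ?)",
                 (group, pattern, severity))
    conn.execute("UPDATE rules_version SET version = version + 1")
    conn.commit()


def run_demo():
    """Match the sample lines, add a rule, and match again to show the live reload."""
    conn = build_demo_db()
    store = RuleStore(conn)
    before = [evaluate(store, m) for m in SAMPLE_MESSAGES]
    add_rule(conn, "ops", r"cron\[\d+\]: \(root\) CMD", "info")
    after = [evaluate(store, m) for m in SAMPLE_MESSAGES]
    return before, after


if __name__ == "__main__":
    # Read one message per line from stdin, as a pipe-fed alerting script would.
    store = RuleStore(build_demo_db())
    for line in sys.stdin:
        for group, severity, rule_id in evaluate(store, line.rstrip("\n")):
            print(f"ALERT group={group} severity={severity} rule={rule_id}: {line.rstrip()}")
```

Two design points carry over to any real deployment of this idea: compile the patterns once per change rather than per message, since the regex compile cost dominates at syslog rates, and treat a pattern that fails to compile as a rule to reject and report, not as a reason to stop processing messages.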