[rsyslog-notify] Forum Thread: Re: Property Replacer to change text in msg? - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Wed Mar 11 08:20:50 CET 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25313#p25313

Message: 
----------
The right tool to do this inside rsyslog would be the partially completed
table lookup functionality. It would let you have a table of mac addresses
to names and easily see if you find one that doesn't match.

This work was planned and started in the expectation of it being funded,
but when the funding fell through the work stopped. The functionality in
rsyslog works to some extent, but has not been extensively tested and has
limitations (it's known that you can't do more than one table with the
existing code).

Since what you are wanting to do is to alert when an unknown MAC address is
seen, I would use a tool better suited for correlating data and generating
alerts. Simple Event Correlator is my go-to tool for this sort of thing.
You can have it load a table at startup, and re-load it when you pass it a
special log message (for updates) and it can easily do things like alerting
when it doesn't find an entry in the table.
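
As an added illustration of the correlation described in the reply above
(not code from the post, from rsyslog, or from Simple Event Correlator),
the following Python sketch does the same three things a SEC ruleset would
be configured for: load a MAC-to-name table once at startup, re-read it when
a special control message arrives in the log stream, and raise an alert for
any lease whose MAC is not in the table. The lease line wording imitates ISC
dhcpd's "DHCPACK on <ip> to <mac>", the "mactable-reload" control message and
all sample table entries and log lines are constructed for the example, and
MACs are normalised before lookup so that a device logged as AA-BB-CC-DD-EE-03
matches a table entry written as aa:bb:cc:dd:ee:03.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed patterns. The lease line imitates ISC dhcpd's "DHCPACK on <ip> to <mac>"
# wording; "mactable-reload" is a hypothetical control message an operator would
# inject (e.g. with logger) to make the correlator re-read its table.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)
RELOAD_RE = re.compile(r"\bmactable-reload\b")


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-DD-EE-03' and 'aa:bb:cc:dd:ee:03' hit the same entry."""
    return mac.lower().replace("-", ":")


def parse_table(text: str) -> Dict[str, str]:
    """Parse 'mac name' lines into a lookup table; blank lines and '#' comments are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac, name = line.split(None, 1)
        table[normalize_mac(mac)] = name.strip()
    return table


class MacCorrelator:
    """Holds the current table and checks each log line against it."""

    def __init__(self, load_table: Callable[[], Dict[str, str]]):
        self._load_table = load_table
        self.table = load_table()  # loaded once at startup

    def process(self, line: str) -> Optional[str]:
        """Return an alert string for a lease to an unknown MAC, otherwise None."""
        if RELOAD_RE.search(line):
            self.table = self._load_table()  # operator asked for a re-read
            return None
        m = LEASE_RE.search(line)
        if not m:
            return None  # not a lease line; nothing to correlate
        mac = normalize_mac(m.group("mac"))
        if mac in self.table:
            return None
        return f"unknown MAC {mac} got lease {m.group('ip')}"


def demo() -> List[str]:
    """Run constructed log lines through the correlator and return the alerts raised."""
    # Constructed table "file", kept in a list so the loader sees later edits.
    table_text = ["aa:bb:cc:dd:ee:01 printer-1\naa:bb:cc:dd:ee:02 laptop-alice\n"]
    corr = MacCorrelator(lambda: parse_table(table_text[0]))

    known = "Mar 11 08:20:50 gw dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 via eth0"
    unknown = "Mar 11 08:21:02 gw dhcpd: DHCPACK on 10.0.0.9 to AA-BB-CC-DD-EE-03 via eth0"
    reload_msg = "Mar 11 08:25:00 gw ops: mactable-reload"

    alerts: List[str] = []
    for line in (known, unknown):
        alert = corr.process(line)
        if alert:
            alerts.append(alert)  # expected: one alert for ...ee:03

    # Operator adds the new host to the table and tells the correlator to re-read it.
    table_text[0] += "aa:bb:cc:dd:ee:03 laptop-bob  # added after the alert\n"
    corr.process(reload_msg)

    alert = corr.process(unknown)  # same lease line, now known: no alert
    if alert:
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in demo():
        print("ALERT:", a)
```

In a real deployment the loader would read the table from disk and the
lines would come from rsyslog (for example via omprog or a named pipe), and
an "unknown" alert would normally be rate-limited so a chatty rogue device
cannot flood the operator; neither is needed to show the lookup-and-miss
logic the reply describes.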

