----- Original Message ----- > From: "Rainer Gerhards" <[email protected]> > To: "rsyslog-users" <[email protected]> > Sent: Friday, April 26, 2013 12:22:41 PM > Subject: Re: [rsyslog] keeping state information > > > > > I meant of discarding logs if its repeated N times. > > > > There is an option to change N messages to one message followed by > > "message > > repeated N-1 times", but that only works if there are no other messages > > in > > between the repeats. > > > > I believe that it's disabled by default nowdays. > > Yup, but it has become considerably more useful in v7.3 (but still one may > doubt...). In previous versions, it applied to the message stream as whole, > now we have a per-input setting (this is part of the new ratelimiting > features). IIRC, you can now also turn it on/off on a per-input module > basis.
This is very interesting. Could you share a pointer to doc how to use this? > > It's usually better > > for the > > alerting engine to be able to see the messages an alert on them than to > > just > > have a 'message repeated' message > > Jup - and together with this "do not do this more often than every n seconds" > feature it is a kind of "alarm compression". > Thanks, Bala > Rainer > > > > David Lang > > > > > > > >> My go-to tool for any non-trivial alerting is Simple Event > > Correlator, (SEC) > > >> http://simple-evcorr.sourceforge.net/ > > >> > > >> for lower volume setups I create a named pipe (mkfifo) and have SEC > > read from > > >> it > > >> and rsyslog write to it > > >> > > >> for higher log volumes with more complex configs, I have multiple > > copies of > > >> SEC > > >> running, with rsyslog filtering logs so that a subset of logs go to > > each > > >> instance of SEC (and the seperate instances of SEC generate log > > messages to > > >> pass > > >> interesting correlations to other copies). > > >> > > >> for very high log volumes, this latter approach can be spread across > > multiple > > >> machines. > > >> > > > > > > Regards, > > > Bala > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > > if you DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > > if you DON'T LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
