Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread David Lang via rsyslog
On Mon, 8 Apr 2024, Prasad Koya wrote: Yes, we get a lot of flexibility with omprog. However, changing a syslog's facility/priority isn't possible, right? Please see below. if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then { action(type="omfile" a

Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread Prasad Koya via rsyslog
Yes, we get a lot of flexibility with omprog. However, changing a syslog's facility/priority isn't possible, right? Please see below. if ($syslogfacility-text == 'daemon' and $msg contains "Out of memory") then { action(type="omfile" action.execOnlyOnceEveryInterval="3600"

Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread David Lang via rsyslog
Not easily within rsyslog. With an event correlation engine, you have a lot more capability (which is why I keep pushing you that way :-) ). You can create a template to use when outputting a log, and that log can say anything (it can be arbitrary text unrelated to the log you received), but tha

Re: [rsyslog] rate limiting logs written to a file

2024-04-08 Thread Prasad Koya via rsyslog
Thank you. "action.execOnlyOnceEveryInterval" is very useful. We intend to keep all unfiltered syslogs in a local file, say file1, but log a rate limited message to file2 and forward that message to a syslog collector. Is it possible to change the facility, severity or message for the next action

Re: [rsyslog] rate limiting logs written to a file

2024-04-07 Thread David Lang via rsyslog
You would need to do the filtering with omprog on the sending machines. I would suggest that rather than throwing them away, you generate a log every rate-limiting period along the lines of "X number of messages happened in the last period". This is really a job for an event correlation engine

Re: [rsyslog] rate limiting logs written to a file

2024-04-07 Thread Rainer Gerhards via rsyslog
This sounds like you are looking for action.execOnlyOnceEveryInterval="3600" for the action in question. Doc: https://www.rsyslog.com/doc/configuration/actions.html Sample use in ommail doc: https://www.rsyslog.com/doc/configuration/modules/ommail.html HTH Rainer On Mon, 8 Apr 2024 at 8:36,

Re: [rsyslog] rate limiting logs written to a file

2024-04-07 Thread Prasad Koya via rsyslog
Thanks for the replies. My requirement is that I have a daemon that may generate a burst of syslogs, say, every minute (when a certain subsystem is overloaded). We do not want to write all these syslogs to /var/log/messages. We also do not want to forward so many of those syslogs to a remote syslo

Re: [rsyslog] rate limiting logs written to a file

2024-04-03 Thread Mariusz Kruk via rsyslog
A piece of feedback against https://www.rsyslog.com/doc/tutorials/random_sampling.html I know it's obvious for some people but for some it might not be - it will collect _about_ 20% of logs provided the overall number of events is big enough. Since it's a random-based mechanism, it's... random

Re: [rsyslog] rate limiting logs written to a file

2024-04-02 Thread Rainer Gerhards via rsyslog
This sounds a bit like you are looking for this: https://www.rsyslog.com/doc/tutorials/log_sampling.html HTH Rainer On Wed, 3 Apr 2024 at 3:25, Prasad Koya via rsyslog wrote: > > Hi > > > module( load="imuxsock" ) > module( load="imklog" ) > > if ($syslogfacility-text == 'kern' and $msg

Re: [rsyslog] rate limiting logs written to a file

2024-04-02 Thread David Lang via rsyslog
Rate limiting output will just cause things to back up; it doesn't throw away the messages. It would be better for you to detect these messages and feed them into an external event correlation engine (Simple Event Correlator for example), and have that engine then send you logs that you keep (w