
I would like to have an application executed when an event appears multiple times in a row in the log, e.g.:

Oct 17 13:09:24 mail clamav-milter[30942]:
x
x
x

It happens 4 times, but this counter should also be reset every hour or so. Is this possible to do with rsyslog or syslog-ng?

Thanks

Thomas

froggy

2 Answers

rsyslog and syslog-ng are log collection tools. They are not capable of performing any action other than recording the received message.

You need a log monitoring tool. Here is an article with some free log monitoring tools.

MikeA

You can do that with syslog-ng. You can use a pattern database to identify the message, then use a correlation rule to count these messages (with an appropriate context-timeout to reset it). And you can also define an action (for example, send an email, or execute a script). The patterndb and related features are described here: https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/chapter-patterndb.html

But if you can install a recent version of syslog-ng (3.8.1), then you can get almost the same functionality much more easily, just using filters. https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/grouping-by-parser.html (The grouping-by feature of syslog-ng cannot directly trigger e-mail alerts, only log messages, so you'll have to create a separate log path and a filter that matches this triggered log message, and sends an email or executes a script using the smtp()/program() destination.)

Regards, Robert

Robert Fekete
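As an added illustration of the correlation the answer above describes (count hits per key, fire an action on the Nth one, start over after the timeout), here is a small stand-alone script that implements exactly that logic over syslog lines read from stdin. It is example code written for this page, not syslog-ng's own grouping-by parser and not code from either answer. It is designed to sit behind a syslog-ng `program()` destination (or rsyslog's `omprog`), which pipe each message to the script's stdin. Assumptions, all labelled in the code: messages are keyed on (host, program), the window is a fixed hour measured from the first hit rather than a sliding one, the action command `/usr/local/bin/notify-admin` is hypothetical, and the sample log lines are constructed, not real logs.

```python
#!/usr/bin/env python3
"""repeat-watch: count repeated syslog messages per (host, program) and run an
action when the same program logs THRESHOLD times inside one WINDOW_SECONDS window.

Meant to run behind a syslog-ng program() destination (or rsyslog omprog):
the log daemon writes each message to this script's stdin, one line at a time.
"""
import re
import subprocess
import sys
from datetime import datetime

THRESHOLD = 4          # fire on the 4th hit ...
WINDOW_SECONDS = 3600  # ... counted within one hour; the counter then starts over

# Hypothetical action command; replace with whatever should run (mail, pager, script).
ACTION_CMD = ["/usr/local/bin/notify-admin"]

# Classic BSD-format syslog line, as in the question:
#   Oct 17 13:09:24 mail clamav-milter[30942]: message text
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=None):
    """Parse one syslog line into a dict; return None for lines that do not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    year = year or datetime.now().year  # BSD timestamps carry no year
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "program": m["prog"], "message": m["msg"]}


class RepeatCounter:
    """Per-key hit counter; the window is fixed and restarts once it has expired."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.state = {}  # key -> (window_start, count)

    def feed(self, event):
        """Record one event; return True exactly when the count reaches threshold."""
        key = (event["host"], event["program"])  # assumption: key on host+program
        now = event["time"]
        start, count = self.state.get(key, (None, 0))
        if start is None or (now - start).total_seconds() >= self.window:
            start, count = now, 0  # window expired (or first hit): count afresh
        count += 1
        self.state[key] = (start, count)
        return count == self.threshold  # ==, not >=, so the action runs once per window


def run(lines, year=None, threshold=THRESHOLD, window=WINDOW_SECONDS, action=None):
    """Feed lines through a counter; return [(line_index, key, count)] per firing.
    When `action` is given it is called as action(event, count) on each firing."""
    counter = RepeatCounter(threshold, window)
    fired = []
    for i, line in enumerate(lines):
        event = parse_line(line, year)
        if event is None:
            continue  # not syslog-shaped: ignore rather than crash the pipeline
        if counter.feed(event):
            key = (event["host"], event["program"])
            fired.append((i, key, threshold))
            if action:
                action(event, threshold)
    return fired


def notify(event, count):
    """Run the (hypothetical) ACTION_CMD with context about the repeated message."""
    subprocess.run(ACTION_CMD + [event["host"], event["program"], str(count)], check=False)


# Constructed sample input (not real logs): four clamav-milter hits between 13:09 and
# 13:13 fire once, the fifth hit at 13:20 does not, and the hit at 14:30 (more than an
# hour after the first) starts a new window. The postfix line is a different key.
SAMPLE_LINES = [
    "Oct 17 13:09:24 mail clamav-milter[30942]: x",
    "Oct 17 13:10:01 mail clamav-milter[30942]: x",
    "Oct 17 13:11:45 mail clamav-milter[30942]: x",
    "Oct 17 13:12:03 mail postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
    "Oct 17 13:12:10 mail clamav-milter[30942]: x",
    "Oct 17 13:20:00 mail clamav-milter[30942]: x",
    "Oct 17 14:30:00 mail clamav-milter[30942]: x",
]

if __name__ == "__main__":
    # Behind program(): read messages from stdin until the log daemon closes the pipe.
    run(sys.stdin, action=notify)
```

To wire it up in syslog-ng, point a destination at the script, for example `destination d_repeat { program("/usr/local/bin/repeat-watch.py"); };`, and add a log path that sends only the messages of interest (a filter on `program("clamav-milter")`) to that destination; syslog-ng then keeps the script running and feeds it one line per message. Note that the script's own counter state lives in memory only, so it starts from zero whenever syslog-ng restarts the destination.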