Correlation using patterndb and syslog

Submitted by 蓝咒 on 2019-12-12 05:06:43

Question


I am trying to make a correlation using patterndb; my requirement is that when an exception or a message gets added into a context more than 4 times in 60 seconds, a message gets generated. Here is my patterndb XML and syslog configuration file.

example.xml

    <patterndb version='4' pub_date='2010-10-17'>
      <ruleset name='ssh' id='123456678'>
        <pattern>ssh</pattern>
        <rules>
          <rule provider='me' id='182437592347598' context-id='ssh-login-logout' context-timeout='60' context-scope='process'>
            <patterns>
              <pattern>Exception in ssp @ESTRING:SSH_USERNAME:@</pattern>
            </patterns>
            <actions>
              <action condition='"$(context-length)" >= "4"'>
                <message>
                  <values>
                    <value name="PROGRAM">event</value>
                    <value name="abc">Sending mail now..</value>
                  </values>
                </message>
              </action>
              <!-- a literal '<' is not allowed inside an XML attribute value; it must be escaped as &lt; -->
              <action condition='"$(context-length)" &lt; "4"'>
                <message>
                  <values>
                    <value name="PROGRAM">event</value>
                    <value name="abc">Sending mail tommrow..</value>
                  </values>
                </message>
              </action>
            </actions>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

app1.conf

    source test_logfile {
        file("/apps/syslog-ng/etc/testfile.log");
    };

    parser test_pattern {
        db_parser(
            file("/apps/syslog-ng/etc/example.xml")
        );
    };

    destination test_output {
        file("/apps/syslog-ng/etc/a.log" template("${abc}\n") template-escape(no));
    };

    log { source(test_logfile); parser(test_pattern); destination(test_output); flags(final); };

and I am writing this log message into testfile.log

    echo "ssh: Exception in ssp java.lang.ClassNotFoundException" >> testfile.log

but I am not getting the required message stored in "abc" into a.log, even though I write this message into testfile.log more than 4 times.
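The following is an added illustration, not code from the question or from syslog-ng: a small model of how the rule above is meant to count messages per correlation context, useful for checking what `"$(context-length)" >= "4"` should produce for a given sequence of lines. It assumes that context-scope='process' keys the context on host, program and pid, that a context expires 60 s after the last message that joined it, and that the empty-delimiter @ESTRING@ matches to the end of the message; the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumptions of this model (not syslog-ng's implementation): the context lives
# until CONTEXT_TIMEOUT seconds pass with no new matching message, and the
# actions (default trigger = match) are evaluated for every matching message.
CONTEXT_TIMEOUT = 60   # context-timeout='60' from example.xml
THRESHOLD = 4          # "$(context-length)" >= "4"
# @ESTRING:SSH_USERNAME:@ with an empty delimiter, modelled as "match to end of line"
MSG_PATTERN = re.compile(r"^Exception in ssp (?P<SSH_USERNAME>.*)$")


@dataclass
class Context:
    last_seen: float
    usernames: list = field(default_factory=list)   # one entry per correlated message


class Correlator:
    def __init__(self):
        self.contexts = {}

    def feed(self, ts, host, program, pid, message):
        """Return the ${abc} value the matching action would emit, or None if no rule matched."""
        m = MSG_PATTERN.match(message)
        if not m:
            return None
        # context-scope='process': host, program and pid all have to agree to share a context
        key = ("ssh-login-logout", host, program, pid)
        ctx = self.contexts.get(key)
        if ctx is None or ts - ctx.last_seen > CONTEXT_TIMEOUT:
            ctx = Context(last_seen=ts)         # expired or absent: start a fresh context
            self.contexts[key] = ctx
        ctx.usernames.append(m.group("SSH_USERNAME"))
        ctx.last_seen = ts
        if len(ctx.usernames) >= THRESHOLD:     # context-length counts this message too
            return "Sending mail now.."
        return "Sending mail tommrow.."


def run_sample():
    """Feed constructed (seconds, host, program, pid, message) tuples; return per-line ${abc} values."""
    c = Correlator()
    exc = "Exception in ssp java.lang.ClassNotFoundException"
    sample = [
        (0, "app1", "ssh", "1001", exc),
        (10, "app1", "ssh", "1001", exc),
        (20, "app1", "ssh", "2002", exc),            # different pid: separate context
        (30, "app1", "ssh", "1001", exc),
        (40, "app1", "ssh", "1001", exc),            # 4th message in the pid-1001 context
        (45, "app1", "ssh", "1001", "Unrelated line"),
        (200, "app1", "ssh", "1001", exc),           # >60 s since last: context restarted
    ]
    return [c.feed(*line) for line in sample]
```

Lines that share a context only when host, program and pid agree is the point to check against the echo command above, which supplies no pid at all.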

Source: https://stackoverflow.com/questions/43319887/correlation-using-patterndb-and-syslog
