Re: [logs] Realtime log checking with special features : any software ?

From: Brian Birkinbine (bbirkinbineat_private)
Date: Thu Dec 27 2001 - 19:04:04 PST


    You might consider sec.pl  (http://www.estpak.ee/~risto/sec/)
    One perl script, regular expression support, and the following
    event correlation rule types:
    
    * Single - match input event and immediately execute an action that is specified by rule.
    
    * SingleWithScript - match input event and execute an action immediately if external script specified by rule returns zero for its exit value.
    
    * SingleWithSuppress - match input event and execute an action immediately, but ignore following matching events for the next t seconds.
    
    * Pair - match input event, execute an action immediately and ignore following matching events until some other input event arrives. On the arrival of second event execute another action.
    
    * PairWithWindow - match input event and wait for t seconds for other input event to arrive. If that event is not observed within given time window, execute an action. If the event arrives on time, execute another action.
    
    * SingleWithThreshold - count matching input events during t seconds and if given threshold is exceeded, execute an action and ignore all matching events during rest of the time window.
    
    * SingleWith2Thresholds - count matching input events during t1 seconds and if given threshold is exceeded, execute an action. Now start to count matching events again and if their number per t2 seconds drops below second threshold, execute another action.
    
    * Suppress - suppress matching input event (useful for preventing the event from being matched by following rules).
    
    * Calendar - execute an action at specific times.
    
    -- 
    Brian Birkinbine <bbirkinbineat_private>
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x37D55FF6
    
    
    On Thu, Dec 27, 2001 at 11:35:22AM +0100, Wolfgang Ley - Sun Germany - Hamburg wrote:
    > Hi,
    > 
    > you can use logsurfer (http://www.cert.dfn.de/eng/logsurf/). This
    > program allows you to follow the logs in "realtime" (well - as they
    > are getting added). It has no variable for throttling but you can
    > very easily include this throttling:
    > After a match fire up your action and add another rule in front
    > of your current one to capture this message(s). This additional
    > rule is generated with an "ignore" action and has a line limit (how
    > often do you want to ignore this message) and/or a time limit (for
    > how long do you want to ignore this message).
    > 
    > For details see the manpage.
    > 
    > Bye,
    >   Wolfgang.
    > >
    > > Hi,
    > > 
    > > I am looking for the best software to do realtime log checking (regex on
    > > patterns) with special features. I am using Redhat 6.x and have perl and C
    > > compiler installed.
    > > 
    > > The special features are:
    > > 
    > > - executing a command when pattern is found
    > > - limiting the number of times that the matched pattern has actions
    > > performed on it (throttle)
    > > - examining lines of text as they are added to logfile (tail mode)
    > > 
    > > I already tried swatch 3.0.4 (http://www.oit.ucsb.edu/~eta/swatch/) which is
    > > supposed to do that but I had some problems with it:
    > > 
    > > 1) I noticed that with --tail-file mode, execution of a command doesn't
    > > occur as soon as pattern appears in logfile (there is a delay of nearly one
    > > minute)
    > > 
    > > 2) throttle values are not accepted.
    > > 
    > > Thanks in advance for your help.
    > > 
    > > Gildas.
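    Brian's rule list above describes the SEC semantics in prose; as an added example (not code from this thread, and not SEC's own Perl), here is a small Python model of the two rule types that cover Gildas's throttle requirement, SingleWithSuppress and SingleWithThreshold, keyed per source address the way a SEC desc=$1 gives each source its own context. The sshd lines and timestamps are constructed for the example.

```python
import re

# Constructed sample lines (not from the thread): (seconds, syslog-style text).
SAMPLE_LOG = [
    (0, "sshd[101]: Failed password for root from 203.0.113.7"),
    (5, "sshd[102]: Failed password for root from 203.0.113.7"),
    (9, "sshd[103]: Failed password for admin from 203.0.113.7"),
    (12, "sshd[104]: Failed password for root from 198.51.100.9"),
    (20, "sshd[105]: Failed password for root from 203.0.113.7"),
    (70, "sshd[106]: Failed password for root from 203.0.113.7"),
]
# Group 1 is the per-source key, like SEC's desc=$1 giving separate contexts.
PATTERN = r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)"

class SingleWithSuppress:
    # Act on the first match, then ignore that key for `window` seconds.
    def __init__(self, pattern, window):
        self.re, self.window, self.muted_until = re.compile(pattern), window, {}
    def feed(self, ts, line):
        m = self.re.search(line)
        if not m or ts < self.muted_until.get(m.group(1), -1):
            return None                      # no match, or still suppressed
        self.muted_until[m.group(1)] = ts + self.window
        return ("alert", m.group(1))

class SingleWithThreshold:
    # Count matches per key inside a sliding `window`; act once the count
    # reaches `thresh`, then ignore that key for the rest of the window.
    def __init__(self, pattern, window, thresh):
        self.re, self.window, self.thresh = re.compile(pattern), window, thresh
        self.hits, self.fired_until = {}, {}  # key -> timestamps / mute end
    def feed(self, ts, line):
        m = self.re.search(line)
        if not m or ts < self.fired_until.get(m.group(1), -1):
            return None
        key = m.group(1)
        times = [t for t in self.hits.get(key, []) if ts - t < self.window]
        times.append(ts)
        self.hits[key] = times
        if len(times) < self.thresh:
            return None
        self.fired_until[key] = times[0] + self.window  # rest of this window
        self.hits[key] = []
        return ("alert", key)

def run(rule, log=SAMPLE_LOG):
    # Feed a log to one rule and return [(seconds, "alert", key), ...].
    return [(ts,) + h for ts, line in log if (h := rule.feed(ts, line))]
```

    With a 60 second window the suppress rule alerts at 0, 12 and 70 seconds, while the threshold rule (three failures) alerts once at 9 seconds and stays quiet for the rest of that window.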
    
    



    This archive was generated by hypermail 2b30 : Thu Dec 27 2001 - 20:28:13 PST