On 31.8.2012 08:03, C. L. Martinez wrote:
On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel lists-NiwE9pSNePTucvZx32VAuQ@public.gmane.org wrote:
Hi,
Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check if syslog is receiving data?
Essentially you set up SEC to watch the syslog log file where the data are supposed to go, and set up a 'Single' rule that creates a context with a lifetime of your choice and a shellcmd attached to it that sends a mail if it expires.
The context will be refreshed every time a message comes in. If no message arrives within your given expiry period, it will send a mail.
...
Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
It is a really good approach if I use plain log files ... But this syslog process acts as a syslog server and stores the logs in a MySQL DB...
Ask the DB. Something like: select count(*) from syslog where (host = 'x' or host = 'y') and date > z;
You could make this into a Nagios or Zabbix check, or whatever you use for monitoring, and let that handle the notification.
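The DB-side check from the last message, worked through as an added example (this is not code from the thread, from SEC, or from any syslog server): a Nagios-style plugin in Python that counts rows per host newer than a cut-off and flags any host that has gone quiet. It assumes a constructed table syslog(host, received_at, message) in an in-memory SQLite database standing in for the MySQL backend; a real rsyslog or syslog-ng schema uses different table and column names, and the host list, window and sample rows are illustrative. It also handles the two things such a check usually gets wrong: the AND/OR precedence in the WHERE clause, and hosts that have no recent rows at all and therefore never appear in a GROUP BY result.

```python
"""Nagios-style check: has each monitored host logged to the syslog DB recently?"""
import sqlite3
import sys
import time

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumed table layout (constructed for this example; rsyslog and syslog-ng
# MySQL schemas use different table/column names, so adjust the query).
SCHEMA = """
CREATE TABLE syslog (
    host        TEXT    NOT NULL,
    received_at INTEGER NOT NULL,   -- unix epoch seconds
    message     TEXT    NOT NULL
)
"""


def recent_counts(conn, hosts, since):
    """Return {host: number of rows newer than `since`} for every host in `hosts`.

    The host filter and the time filter are combined with explicit grouping:
    written as `host = 'x' OR host = 'y' AND date > z`, SQL parses it as
    `host = 'x' OR (host = 'y' AND date > z)` because AND binds tighter than
    OR, so host x would be counted regardless of age.
    """
    placeholders = ",".join("?" * len(hosts))
    sql = (
        "SELECT host, COUNT(*) FROM syslog "
        f"WHERE host IN ({placeholders}) AND received_at > ? "
        "GROUP BY host"
    )
    counts = dict(conn.execute(sql, (*hosts, since)).fetchall())
    # A host with zero recent rows is simply absent from a GROUP BY result;
    # fill those in explicitly so silence is reported instead of skipped.
    return {h: counts.get(h, 0) for h in hosts}


def check_hosts(conn, hosts, window, now=None):
    """Return (exit_code, summary) in Nagios plugin style.

    CRITICAL if any host has sent nothing in the last `window` seconds,
    OK otherwise. `now` is injectable so the check can be run offline.
    """
    now = time.time() if now is None else now
    counts = recent_counts(conn, hosts, now - window)
    silent = sorted(h for h, n in counts.items() if n == 0)
    if silent:
        return CRITICAL, f"CRITICAL: no syslog from {', '.join(silent)} in {window}s"
    detail = ", ".join(f"{h}={counts[h]}" for h in hosts)
    return OK, f"OK: all hosts logging ({detail})"


def sample_db(now):
    """In-memory SQLite with constructed rows standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("fw1", now - 30, "kernel: iptables DROP"),          # fresh
        ("fw1", now - 90, "sshd: session opened"),           # fresh
        ("web1", now - 7200, "nginx: worker started"),       # stale, 2h old
        ("db1", now - 10, "mysqld: ready for connections"),  # fresh
    ]
    conn.executemany("INSERT INTO syslog VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    now = time.time()
    # "vpn1" never logged at all and must still be reported as silent.
    code, summary = check_hosts(sample_db(now), ["fw1", "web1", "db1", "vpn1"],
                                window=600, now=now)
    print(summary)
    sys.exit(code)
```

Against a real MySQL backend, replace sqlite3 with a MySQL connector and point the query at the server's actual table; the rest of the plugin, including the exit codes Nagios or Zabbix act on, stays the same.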