Hi all,
I am searching for some lightweight tool to control when rsyslog didn't receive events from a specific host or group of hosts for x minutes/seconds.
Only a simple tool to send an email when an alert is triggered, I don't need flat tools like zabbix or similar.
Does anyone know any?
On 30.08.2012, at 11:52, C. L. Martinez wrote:
> I am searching for some lightweight tool to control when rsyslog didn't receive events from a specific host or group of hosts for x minutes/seconds.
> Only a simple tool to send an email when an alert is triggered, I don't need flat tools like zabbix or similar.
try SEC: http://sourceforge.net/projects/simple-evcorr/
SEC can do a lot more, but your requirement can be implemented in a fairly simple rule. The tool is rock-solid and I've been using it in a number of projects for years.
On Thu, Aug 30, 2012 at 12:28 PM, Peter Eckel lists@eckel-edv.de wrote:
> On 30.08.2012, at 11:52, C. L. Martinez wrote:
>> I am searching for some lightweight tool to control when rsyslog didn't receive events from a specific host or group of hosts for x minutes/seconds.
>> Only a simple tool to send an email when an alert is triggered, I don't need flat tools like zabbix or similar.
> try SEC: http://sourceforge.net/projects/simple-evcorr/
> SEC can do a lot more, but your requirement can be implemented in a fairly simple rule. The tool is rock-solid and I've been using it in a number of projects for years.
Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check if syslog is receiving data??
Hi,
> Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check if syslog is receiving data??
essentially you set up SEC to watch for the syslog log file where the data are supposed to go, set up a 'Single' rule that creates a context with a lifetime of your choice that has a shellcmd attached to it that sends a mail if it expires.
The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
You can use this as a sample to start with:
type = Single
ptype = RegExp
pattern = .*
desc = Heartbeat received
action = create HEARTBEAT_ACTIVE 720 \
         shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@example.com
Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel lists@eckel-edv.de wrote:
> Hi,
>> Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check if syslog is receiving data??
> essentially you set up SEC to watch for the syslog log file where the data are supposed to go, set up a 'Single' rule that creates a context with a lifetime of your choice that has a shellcmd attached to it that sends a mail if it expires.
> The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
> You can use this as a sample to start with:
> type = Single
> ptype = RegExp
> pattern = .*
> desc = Heartbeat received
> action = create HEARTBEAT_ACTIVE 720 \
>          shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@example.com
> Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
It is a really good approach if I use plain log files ... But this syslog process acts as a syslog server and stores logs in a mysql DB...
On 31.8.2012 08:03, C. L. Martinez wrote:
> On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel lists-NiwE9pSNePTucvZx32VAuQ@public.gmane.org wrote:
>> Hi,
>>> Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check if syslog is receiving data??
>> essentially you set up SEC to watch for the syslog log file where the data are supposed to go, set up a 'Single' rule that creates a context with a lifetime of your choice that has a shellcmd attached to it that sends a mail if it expires.
>> The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
>> ...
>> Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
> It is a really good approach if I use plain log files ... But this syslog process acts as a syslog server and stores logs in a mysql DB...
Ask the DB. Something like
select count(*) from syslog where (host = 'x' or host = 'y') and date > z;
You could make this into a nagios or zabbix check or whatever you use for monitoring and let this handle the notification.
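A per-host form of the database check suggested above, as an added example that is not part of the original thread. It keeps the post's table and column names (`syslog`, `host`, `date`) as assumptions, treats `date` as epoch seconds, and uses an in-memory SQLite table with constructed rows in place of the MySQL database. It also reports an expected host that has no rows at all, which one combined count(*) over several hosts would hide.

```python
import sqlite3

# Hosts that are required to keep logging (constructed names, incl. one with no rows).
EXPECTED_HOSTS = ["x", "y", "never-seen"]

def silent_hosts(conn, expected, max_age, now):
    """Return [(host, seconds_silent or None)] for expected hosts whose
    newest row is older than max_age seconds, or that have no row at all."""
    # sqlite3 uses '?' placeholders; MySQL drivers typically use '%s'.
    marks = ",".join("?" for _ in expected)
    rows = conn.execute(
        f"SELECT host, MAX(date) FROM syslog WHERE host IN ({marks}) GROUP BY host",
        expected,
    ).fetchall()
    last_seen = dict(rows)
    silent = []
    for host in expected:          # iterate the expected list, not the result set
        last = last_seen.get(host)
        if last is None:
            silent.append((host, None))        # host never logged anything
        elif now - last > max_age:
            silent.append((host, now - last))  # host went quiet
    return silent

def sample_db(now):
    """Constructed sample data standing in for the real syslog table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog (host TEXT, date INTEGER, message TEXT)")
    conn.executemany("INSERT INTO syslog VALUES (?, ?, ?)", [
        ("x", now - 30, "recent message from x"),
        ("x", now - 4000, "older message from x"),
        ("y", now - 1800, "last message from y"),
    ])
    return conn

def demo():
    now = 1_346_400_000            # fixed timestamp so the result is reproducible
    # 720 seconds matches the context lifetime used in the SEC rule earlier in the thread
    return silent_hosts(sample_db(now), EXPECTED_HOSTS, max_age=720, now=now)

if __name__ == "__main__":
    for host, age in demo():
        print(host, "never seen" if age is None else f"silent for {age}s")
```

Run from cron, any output can be mailed by cron itself or handed to the monitoring system as the post suggests.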
On 30.08.2012 at 11:52, C. L. Martinez wrote:
> Hi all,
> I am searching for some lightweight tool to control when rsyslog didn't receive events from a specific host or group of hosts for x minutes/seconds.
What are your goals?
What about monitoring the system itself?
> Only a simple tool to send an email when an alert is triggered, I don't need flat tools like zabbix or similar.
> Does anyone know any?
https://mon.wiki.kernel.org/index.php/Main_Page
not comparable to SEC but could also be used to monitor a (local) event.
--
LF
On Thu, Aug 30, 2012 at 4:28 PM, Leon Fauster leonfauster@googlemail.com wrote:
> On 30.08.2012 at 11:52, C. L. Martinez wrote:
>> Hi all,
>> I am searching for some lightweight tool to control when rsyslog didn't receive events from a specific host or group of hosts for x minutes/seconds.
> What are your goals?
> What about monitoring the system itself?
>> Only a simple tool to send an email when an alert is triggered, I don't need flat tools like zabbix or similar.
>> Does anyone know any?
> https://mon.wiki.kernel.org/index.php/Main_Page
> not comparable to SEC but could also be used to monitor a (local) event.
I only need to send an alert if syslog process doesn't receive logs from x hosts in a defined time. Only this ... I don't need to check if syslog process is alive (this is monitored by a Zabbix or Nagios, I am not sure) ...