Counter tracking assistance

#1 akumar

I have multiple Windows hosts sending events in binary to a single TCP listener.

<Input windows>
    Module     im_tcp
    Port       9999
    Host       0.0.0.0
    InputType  Binary
</Input>

I am trying to track the rate of logs from the servers and create email alerts when the rate either drops or crosses a high watermark per hour. 

To do that I need to create a stat / variable appending the hostname and hour stamp, such as

create_stat("Rate-" + '$Hostname' + 'strftime($EventTimeStamp, something something)') or

create_var("Rate-" + '$Hostname' + 'strftime($EventTimeStamp, something something)')

Next I use the schedule code to detect a low watermark

<Schedule>
        Every   3600 sec
        Exec    create_stat("rate" + '$Hostname' + 'strftime($EventTimeStamp, something something)', "RATE", 10); add_stat("rate" + '$Hostname' + 'strftime($EventTimeStamp, something something)', 0);
        Exec    log_info("Current Counts " + ":" + get_stat("rate" + '$Hostname'));
        Exec    if defined get_stat("rate" + '$Hostname') and get_stat("rate" + '$Hostname') <= 1 \
                { \
                    log_warning("No messages received from Host" ); \
                    exec_async("/bin/sh", "-c", 'echo "' + $Hostname + \
                           '"|/usr/bin/mail -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" '  \
                           + 'analyst@company.com' ); \
                }
</Schedule>

Two problems: How do I insert the variable/statistic name and value in the log message and how do I extract the hour stamp from the Event Time?

Thanks

Ash

PS: I could not get the deployment tool to work. Have you had more success with it?

#2 adm Nxlog ✓

There are several issues with your conf.

1. The statistical counter must be updated outside of the Schedule block

2. You can't refer to field names (i.e. $Hostname) inside the Schedule block because that's executed independently of an arriving event. As such, you can't insert/modify the log message inside <Schedule>.

3. Not sure why you want to append the timestamp to the name of the statistical counter. The statistical counter does that internally for you. What you want is this:

create_stat('Rate-' + $Hostname, 'RATE', 3600);

Probably what you want is to check all statistical counters every x minutes and alert if there is one that's 0. Currently it is not possible to iterate on all statistical counters (i.e. there is no for loop).

What deployment tool are you referring to?
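The points above put together as a complete configuration. This is an added example, not code from the thread or from the NXLog project: the counter is created and incremented in the Input's Exec (where $Hostname exists for each event), the Schedule block only reads counters, and, because there is no loop over counters, the hosts to watch are listed by name. The hostnames host1/host2, the thresholds, the mail recipient and the assumption that a RATE counter with a 3600 s interval holds the event count over the last hour are placeholders/assumptions for illustration.

```nxlog
# Added example (not from the thread): per-host hourly event-rate counters
# with low/high watermark alerts. Hostnames, thresholds and the mail
# recipient below are placeholders.
<Input windows>
    Module     im_tcp
    Port       9999
    Host       0.0.0.0
    InputType  Binary

    # Statistical counters are module-scoped, so they are created and
    # updated here, in the Input's Exec, where $Hostname is defined for the
    # arriving event. The RATE type with a 3600 s interval tracks the value
    # over the last hour itself (assumption), so no timestamp is needed in
    # the counter name.
    Exec  if not defined get_stat('Rate-' + $Hostname) \
              create_stat('Rate-' + $Hostname, 'RATE', 3600);
    Exec  add_stat('Rate-' + $Hostname, 1);

    # The Schedule runs independently of events: no event field such as
    # $Hostname is available here, and there is no for loop over counters,
    # so every host to watch is named explicitly (host1, host2 are
    # placeholders).
    <Schedule>
        Every   3600 sec

        # Put the counter name and value into the log message.
        Exec    if defined get_stat('Rate-host1') \
                    log_info("Rate-host1: " + get_stat('Rate-host1'));
        Exec    if defined get_stat('Rate-host2') \
                    log_info("Rate-host2: " + get_stat('Rate-host2'));

        # Low watermark: the host has gone quiet (counter missing or <= 1).
        # The mail command is a fixed literal; no event data is spliced into
        # the shell command line.
        Exec    if (not defined get_stat('Rate-host1')) or (get_stat('Rate-host1') <= 1) \
                { \
                    log_warning("No messages received from host1 in the last hour"); \
                    exec_async("/bin/sh", "-c", 'echo "no events from host1" | ' + \
                               '/usr/bin/mail -s "ALERT host1 silent" analyst@company.com'); \
                }

        # High watermark: placeholder threshold of 100000 events per hour.
        Exec    if defined get_stat('Rate-host1') and get_stat('Rate-host1') >= 100000 \
                { \
                    log_warning("host1 exceeded the hourly high watermark: " + get_stat('Rate-host1')); \
                }
    </Schedule>
</Input>
```

Each additional host needs its own pair of Exec checks in the Schedule block until iteration over counters is available; keeping the hostnames as literals there also means the command passed to exec_async never contains data taken from a received event.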