Can event correlation be used with a trigger such that when an event matches, it collects the subsequent ones if they all come in within a specific time frame (say within 30 seconds of the first event) and writes those out or sends them via email?

We currently have such functionality from the Perl-based "SEC" but are trying to migrate to NXLog.

Asked October 27, 2015 - 6:02pm

Answer (1)

You can use module variables to store the time of the event (with or without expiry) and then compare the event time of the actual event to the value stored in the module variable. See create_var(), set_var() and get_var() in the reference manual.

Comments (3)

  • nxlogdesonim:

    What we are trying to do is to group multiple messages, identified by a particular field, that occurred in the specified period of time (i.e. within 10 seconds of the first message) and combine them all into a single email alert.

    From looking at create_var(), it appears it can store a single message but not multiple messages in a single variable?


  • nxlogdesonim:

    There is an example in the documentation section:

    - Dealing with multi-line messages

    - Using module variables

    It indicates afterwards that messages stay in a saved state and are only forwarded if a new one comes in. How would this affect passing the variable content to an email message or shipping it to an external program? Thanks.

    "Unfortunately this solution has a minor flaw. The log message of an event is only forwarded if a new log is read, otherwise it is kept in the 'saved' variable indefinitely"
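The following NXLog configuration is an added example (not from the answer, the commenter, or the NXLog documentation) of the approach the answer describes: a module variable with an expiry marks a 30 second window, a second variable accumulates the matching messages, and the accumulated batch is forwarded as one event. The log path, the output path and the "FAILED LOGIN" match pattern are assumptions chosen for illustration; the functions create_var(), set_var(), get_var(), drop() and the `defined` operator are the ones the answer points to.

```nxlog
# Added example (not the page's own config): collect matching events that
# arrive within 30 seconds of the first one and forward them as one batch.

<Input in>
    Module  im_file
    File    "/var/log/app.log"              # assumed path

    <Exec>
        # Only events of interest take part in the correlation (assumed pattern).
        if $raw_event =~ /FAILED LOGIN/
        {
            if not defined get_var('window_open')
            {
                # No window is open, so this event opens one. The variable is
                # created with a 30 second expiry and disappears by itself
                # when the window closes.
                create_var('window_open', 30);
                set_var('window_open', TRUE);

                if defined get_var('batch')
                {
                    # A batch from the previous, now closed, window is still
                    # pending: forward it as a single event and start a new
                    # batch with the current message.
                    $pending = get_var('batch');
                    set_var('batch', $raw_event);
                    $raw_event = $pending;
                }
                else
                {
                    # First batch ever: hold the message, emit nothing yet.
                    set_var('batch', $raw_event);
                    drop();
                }
            }
            else
            {
                # Window still open: append the message to the batch and
                # hold it back.
                set_var('batch', get_var('batch') + "\n" + $raw_event);
                drop();
            }
        }
    </Exec>
</Input>

<Output alerts>
    # Assumed destination; om_exec pointing at a mail script would hand the
    # batched event to an external mailer instead.
    Module  om_file
    File    "/var/log/correlated-alerts.log"
</Output>

<Route r>
    Path    in => alerts
</Route>
```

Because the variables are module-scoped, the accumulation and the comparison against the window both happen inside the same input module. This mirrors the limitation quoted in the last comment: a finished batch is only forwarded when the next matching event arrives after the window has expired, so a batch that is never followed by another match stays in the 'batch' variable until then. Flushing on a timer instead would need a Schedule block in the input module; whether an event can be emitted to the route from there is not something this example relies on, so it is left out.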