3 responses

I have multiple Windows hosts sending events in binary to a single TCP listener.

<Input windows>
    Module     im_tcp
    Port       9999
    Host       0.0.0.0
    InputType  Binary
</Input>

I am trying to track the rate of logs from the servers and create email alerts when the rate either drops or crosses a high watermark per hour. 

To do that I need to create a stat / variable appending the hostname and hour stamp, such as

create_stat("Rate-" + $Hostname + strftime($EventTimeStamp, 'something something')) or

create_var("Rate-" + $Hostname + strftime($EventTimeStamp, 'something something'))

Next I use the schedule code to detect a low watermark

<Schedule>
    Every   3600 sec
    Exec    create_stat("rate" + $Hostname + strftime($EventTimeStamp, 'something something'), "RATE", 10); \
            add_stat("rate" + $Hostname + strftime($EventTimeStamp, 'something something'), 0);
    Exec    log_info("Current Counts " + ":" + get_stat("rate" + $Hostname));
    Exec    if defined get_stat("rate" + $Hostname) and get_stat("rate" + $Hostname) <= 1 \
            { \
                log_warning("No messages received from Host"); \
                exec_async("/bin/sh", "-c", 'echo "' + $Hostname + \
                           '" | /usr/bin/mail -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" ' + \
                           'analyst@company.com'); \
            }
</Schedule>

 

Two problems: how do I insert the variable/statistic name and value in the log message, and how do I extract the hour stamp from the Event Time?

 

Thanks 

Ash 

PS: I could not get the deployment tool to work. Have you had more success with it?

Asked December 19, 2014 - 5:54pm

Answer (1)

There are several issues with your conf.

1. The statistical counter must be updated outside of the Schedule block

2. You can't refer to field names (i.e. $Hostname) inside the Schedule block because that's executed independently of an arriving event. As such, you can't insert/modify the log message inside <Schedule>.

3. Not sure why you want to append the timestamp to the name of the statistical counter. The statistical counter does that internally for you. What you want is this:

create_stat('Rate-' + $Hostname, 'RATE', 3600);

Probably what you want is to check all statistical counters every x minutes and alert if there is one that's 0. Currently it is not possible to iterate on all statistical counters (i.e. there is no for loop).

What deployment tool are you referring to?

Comments (2)

  • akumar

    Thank you for your response. I should first clarify what I am trying to do.

    1. Create a method where I can track log rate / log absence alerts by log host.

    For this I was trying to create a statistic event by $Hostname and scheduler-based alerting.

    2. Create counters for a specific event type by hour of day, e.g. Successful_login+UserName+Day_hour.

    For this I am trying to create a variable and output the event in a log format I can do trending with.

    3. How do I log the statistic name or variable name in addition to the value to the log?

    Hope that makes sense.

    Thanks 

     

    Ash 

  • adm (NXLog)

    The issue here is that nxlog does not support arrays and maps and there is no iteration, so you will need to know the name of the variable. A future enhancement for nxlog would be adding a function that would return a JSON of all the variables and counters; you could then process this JSON as needed.
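The configuration below is an added example written for this thread; it is not code from the original post or from NXLog. It puts the three points of the answer together with the "you need to know the name" point from the last comment: the per-host RATE counter is created and updated in the Input's Exec, not in the Schedule; the hour stamp comes from strftime() on $EventTime rather than being appended to the counter name; the counter name is built once into a field so that name and value can be logged side by side; and the Schedule names each watched host explicitly because there is nothing to iterate over. Assumptions: the host names WINSRV01 and WINSRV02, the thresholds 1 and 10000 events per hour, the field names $EventID, $TargetUserName and $EventTime as delivered by im_msvistalog on the senders, the output file path, and /usr/bin/mail being available on the collector.

```nxlog
# Added example (not from the original post or from NXLog).

<Extension exec>
    Module     xm_exec          # provides exec_async()
</Extension>

<Input windows>
    Module     im_tcp
    Host       0.0.0.0
    Port       9999
    InputType  Binary

    # 1. Per-host counter, created and updated per arriving event, never in <Schedule>.
    #    create_stat() does nothing if the counter already exists. With type RATE and
    #    a 3600 s interval, get_stat() yields the count added during the last hour.
    Exec    create_stat("Rate-" + $Hostname, "RATE", 3600); \
            add_stat("Rate-" + $Hostname, 1);

    # 2. Per-user, per-hour counter for successful logons. The hour stamp is taken
    #    from $EventTime with strftime(); the key is kept in a temporary field so the
    #    counter name and its value can be logged together. Assumes Windows Security
    #    event 4624 and $TargetUserName (set by im_msvistalog on the sender).
    #    The variable expires after 86400 s (one day).
    Exec    if $EventID == 4624 \
            { \
                $LogonKey = "Logon-" + $TargetUserName + "-" + strftime($EventTime, "%Y-%m-%d-%H"); \
                if not defined get_var($LogonKey) \
                { \
                    create_var($LogonKey, 86400); \
                    set_var($LogonKey, 0); \
                } \
                set_var($LogonKey, get_var($LogonKey) + 1); \
                log_info($LogonKey + " = " + get_var($LogonKey)); \
                delete($LogonKey); \
            }
</Input>

<Output out>
    Module     om_file
    File       "/var/log/nxlog/windows.log"   # assumed path
</Output>

<Route r>
    Path       windows => out
</Route>

<Schedule hostwatch>
    Every   3600 sec
    # 3. No iteration over counters, so every watched host is named explicitly
    #    (WINSRV01 / WINSRV02 are placeholders). A counter that does not exist yet
    #    means the host has never sent anything and is treated as silent.
    #    1 and 10000 events/hour are arbitrary example watermarks. The mail body
    #    is a fixed string, so no event field is ever interpolated into the shell.
    Exec    if not defined get_stat("Rate-WINSRV01") or get_stat("Rate-WINSRV01") <= 1 \
            { \
                log_warning("Rate-WINSRV01: no messages received in the last hour"); \
                exec_async("/bin/sh", "-c", 'echo "WINSRV01 silent for 1 hour" | /usr/bin/mail -s "ALERT low" analyst@company.com'); \
            } \
            else \
            { \
                if get_stat("Rate-WINSRV01") >= 10000 \
                { \
                    log_warning("Rate-WINSRV01: high watermark, " + get_stat("Rate-WINSRV01") + " events/hour"); \
                    exec_async("/bin/sh", "-c", 'echo "WINSRV01 above 10000 events/hour" | /usr/bin/mail -s "ALERT high" analyst@company.com'); \
                } \
                else \
                { \
                    log_info("Rate-WINSRV01 = " + get_stat("Rate-WINSRV01")); \
                } \
            }
    # Repeat the same block per host; shown here for the low watermark only.
    Exec    if not defined get_stat("Rate-WINSRV02") or get_stat("Rate-WINSRV02") <= 1 \
            { \
                log_warning("Rate-WINSRV02: no messages received in the last hour"); \
                exec_async("/bin/sh", "-c", 'echo "WINSRV02 silent for 1 hour" | /usr/bin/mail -s "ALERT low" analyst@company.com'); \
            }
</Schedule>
```

Two practical notes. First, the fixed host names are a limitation the thread already identifies: a new sender has to be added to the Schedule by hand, or it will never be checked. Second, the original Schedule built the mail command as `'echo "' + $Hostname + '"| ... mail ...'` and handed it to `/bin/sh -c`. $Hostname arrives inside the binary events from the remote senders, so a host that can write its own hostname field can close the double quote and append arbitrary shell commands that run as the nxlog user on the collector. Keeping every string passed to exec_async() constant, as above, removes that path; if an event field really must reach the command, pass it as a separate argument to the program rather than through `sh -c`.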