Back to your phpLogCon instanceHello all,
can anyone explaine me how to configure multiple alerts under 1 rule, which can send Emerg(0), Alert(1) & Crit(2) alerts to my mail. I use Winsyslog 4.2, writing all logs to database.
Cheers,
Kiran
1 Rule to send multiple Alerts
Moderator: alorbach
7 posts • Page 1 of 1
by rgerhards » Mon Mar 08, 2004 2:37 pm
Kiran,
I think there is some confusion. What Andre means is that it can not be done with a single RULE. In fact, 5.0 can not do it with a single rule, too. However, I assume you will actually use a single RULESET with multiple rules (in which case it is doable).
Am I righ with this?
Rainer
I think there is some confusion. What Andre means is that it can not be done with a single RULE. In fact, 5.0 can not do it with a single rule, too. However, I assume you will actually use a single RULESET with multiple rules (in which case it is doable).
Am I righ with this?
Rainer
-
rgerhards - Site Admin
- Posts: 2639
- Joined: Thu Feb 13, 2003 11:57 am
by rgerhards » Mon Mar 08, 2004 5:47 pm
Kiran,
as you write, you can use multiple rules to do what you intend to do.
To write all events to the database except those two, you need to create two rules above the write to database rule - and these three should be the last ones in the rule set.
What you do is use the discard action. If you execute the discard action, the message will be - as it says - discarded, that it nothing else will be executed.
So you can create a rule one that says discard if priority is info.
The next one is to discard if pri is debug.
These two rules will discard those message that you do not like to write to the database.
Then, the next rule says "write to database". It will write ALL messges to the database, but ALL means only those that have not previously been discarded.
Please note that ones discard, you can not re-create a message. This is why you should place this logic to the bottom of your rule set.
I know this whole procedure is clumpsy ... this is why we totally replaced it in the 5.x versions. There you have powerful boolean expressions where you can simply say "priority less then 6" - that's it. But not in 4.x...
I hope this helps,
Rainer
as you write, you can use multiple rules to do what you intend to do.
To write all events to the database except those two, you need to create two rules above the write to database rule - and these three should be the last ones in the rule set.
What you do is use the discard action. If you execute the discard action, the message will be - as it says - discarded, that it nothing else will be executed.
So you can create a rule one that says discard if priority is info.
The next one is to discard if pri is debug.
These two rules will discard those message that you do not like to write to the database.
Then, the next rule says "write to database". It will write ALL messges to the database, but ALL means only those that have not previously been discarded.
Please note that ones discard, you can not re-create a message. This is why you should place this logic to the bottom of your rule set.
I know this whole procedure is clumpsy ... this is why we totally replaced it in the 5.x versions. There you have powerful boolean expressions where you can simply say "priority less then 6" - that's it. But not in 4.x...
I hope this helps,
Rainer
-
rgerhards - Site Admin
- Posts: 2639
- Joined: Thu Feb 13, 2003 11:57 am
by rgerhards » Mon Mar 08, 2004 5:48 pm
Kiran,
let me add some extra information: your whole scenario can be done with 2rules in WinSyslog 5.x - one for the email alerts and one for the database write. Just in case this info is helpful (maybe for someone else).
Rainer
let me add some extra information: your whole scenario can be done with 2rules in WinSyslog 5.x - one for the email alerts and one for the database write. Just in case this info is helpful (maybe for someone else).
Rainer
-
rgerhards - Site Admin
- Posts: 2639
- Joined: Thu Feb 13, 2003 11:57 am
Google Ads
7 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests
