# Set 'debug: 1' globally to enable full debugging everywhere.
# valid 'debug' values are: yes, no, true, false, 1, 0.
# Each of these values enables or disables debugging at the current scope.
# Debug settings are passed down the scope chain: global -> program -> (file, match, etc)
#debug: no
#program {
# 'debug' is valid here
#debug: no
# Load patterns from a file.
#load-patterns: "patterns/base"
# Read a file once
#file "/tmp/messages" {
#follow: no
# 'debug' is valid here
#debug: no
#}
# Follow a file (if the file is log-rotated, truncated, or appended)
#file "/var/log/messages" {
#follow: yes
#}
#match {
# The 'debug' setting is valid almost anywhere and is scoped sanely.
#debug: no
# Example of a pattern
#pattern: "%{SYSLOGBASE} .*authentication error for (illegal user)? %{WORD} from %{IPORHOST}"
# You can only have
#reaction: "matchfound: %{@LINE}"
# Valid shell values are 'stdout' or a command string to run.
# Any reactions generated are written to this shell.
#shell: stdout
# Should writes to the 'shell' be flushed on write?
# Default is no
#flush: no
#}
#}
# Another program. You can have multiple in a single config file.
#program {
#load-patterns: "patterns/base"
# Run 'uptime' every 15 seconds ...
#exec "uptime" {
#run-interval: 15
#}
# ... and grab the 1-min load average
# Match the first number after 'load average: ' and print it to stdout
#match {
#pattern: "load average: %{NUMBER}"
#reaction: "%{NUMBER}"
#shell: "stdout"
#flush: yes
#}
#}
# Another program example
#program {
#load-patterns: "patterns/base"
# Ping www.google.com every minute
#exec "ping -c 1 -W 3 www.google.com 2> /dev/null" {
#run-interval: 60
#}
# Output all the data we have in JSON format on a successful ping.
#match {
#pattern: "time=%{NUMBER:time}"
#reaction: "%{@JSON}"
#shell: "stdout"
#flush: yes
#}
# "no-match" is executed when a run of 'ping' produces no output that matches.
#no-match {
#reaction: "\"ERROR: Ping failed\""
#shell: "stdout"
#flush: yes
#}
#}
# Another example program
#program {
#load-patterns: "patterns/base"
# Run vmstat -s every 60 seconds
#exec "vmstat -s" {
#run-interval: 60
#}
# For every line of output that matches, run gmetric to advertise the value
# (This is a ganglia monitoring utility)
#match {
#pattern: "%{NUMBER} %{DATA}$"
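# Pipe 'DATA' through the shelldqescape function so it can be safely
# represented in doublequotes when passed to /bin/sh. This escapes
# characters such as $ and ". The captured text comes from the command's
# output, so without escaping, /bin/sh would interpret those characters
# instead of treating them as literal data.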
#reaction: "gmetric -n \"%{DATA|shelldqescape}\" -v %{NUMBER} -t uint32"
#}
#}
#program {
#load-patterns: "patterns/base"
#file "/b/logs/auth.log.scorn"
#match {
#pattern: "%{SYSLOGBASE} Accepted %{NOTSPACE:method} for %{DATA:user} from %{IPORHOST:client} port %{INT:port}"
#reaction: "%{@JSON}"
#shell: "stdout"
#}
#
#match {
#pattern: "%{SYSLOGBASE} Illegal user %{DATA:user} from %{IPORHOST:client}"
#reaction: "%{@JSON}"
#shell: "stdout"
#}
#
#match {
#pattern: "%{SYSLOGBASE} Failed \S+ for %{DATA:user} from %{IPORHOST:client}"
#reaction: "%{@JSON}"
#shell: "stdout"
#}
#}