Discussion:
[rsyslog] Monitoring message delay
Peter Viskup via rsyslog
2018-10-24 12:31:33 UTC
I am interested in monitoring the delay of message retrieval in a syslog infrastructure.
We have a syslog infrastructure with multiple rsyslog relays in a chain and
would like to monitor the difference in time between timegenerated and
timereported.
The requirement is to be alerted when the message delay
reaches a defined threshold.
What would be the best way to implement this?
--
Peter
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Alberto Alvarez Retuerto
2018-10-24 13:01:15 UTC
You can set a template with both values...

property(name="timereported")
property(name="timegenerated")

Post by Peter Viskup via rsyslog
> I am interested in monitoring the delay of message retrieval in a syslog infrastructure.
> We have a syslog infrastructure with multiple rsyslog relays in a chain and
> would like to monitor the difference in time between timegenerated and
> timereported.
> The requirement is to be alerted when the message delay
> reaches a defined threshold.
> What would be the best way to implement this?
David Lang
2018-10-24 17:53:00 UTC
Post by Peter Viskup via rsyslog
> I am interested in monitoring the delay of message retrieval in a syslog infrastructure.

What I do is that I wrap the original message in JSON on the first relay, and
then each additional relay adds a timestamp as to when it processed it.

Then on the central collectors you can compare the timestamps and see how old
the message is.

You need to make sure you really have time synced everywhere. In my experience
this is far harder than people think, so I tend to limit my checking to the
'trusted' timestamps provided by the relays.

David Lang
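
The collector-side comparison David Lang describes, as an added example that is not code from this thread or from rsyslog. It assumes each relay appends a {"host", "ts"} entry to a "relays" array in the JSON-wrapped message; those field names, the "reported" field and the sample records are constructed for illustration. Only relay-added timestamps are compared, and a negative hop is reported as clock skew rather than as a delay.

```python
import json
from datetime import datetime

# Constructed sample: one JSON record per line, as stored on a central collector.
# Field names ("reported", "relays", "host", "ts") are assumptions for this example.
SAMPLE = """\
{"msg": "a", "reported": "2018-10-24T09:00:00+00:00", "relays": [{"host": "relay1", "ts": "2018-10-24T12:00:01+00:00"}, {"host": "relay2", "ts": "2018-10-24T12:00:02+00:00"}, {"host": "central", "ts": "2018-10-24T12:00:03+00:00"}]}
{"msg": "b", "reported": "2018-10-24T12:00:04+00:00", "relays": [{"host": "relay1", "ts": "2018-10-24T12:00:05+00:00"}, {"host": "relay2", "ts": "2018-10-24T12:01:35+00:00"}, {"host": "central", "ts": "2018-10-24T12:01:36+00:00"}]}
{"msg": "c", "reported": "2018-10-24T12:00:09+00:00", "relays": [{"host": "relay1", "ts": "2018-10-24T12:00:10+00:00"}, {"host": "relay2", "ts": "2018-10-24T12:00:07+00:00"}, {"host": "central", "ts": "2018-10-24T12:00:11+00:00"}]}
not json
"""


def hop_delays(record):
    """Seconds between consecutive relay stamps; the device's own 'reported' time is ignored."""
    stamps = [(r["host"], datetime.fromisoformat(r["ts"])) for r in record["relays"]]
    return [(a[0], b[0], (b[1] - a[1]).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def check(lines, threshold_s=30.0):
    """Return (line_no, kind, detail) for every record that needs attention."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            hops = hop_delays(json.loads(line))
        except (ValueError, KeyError, TypeError):
            alerts.append((n, "unparseable", None))
            continue
        if not hops:
            continue  # fewer than two relay stamps: nothing to compare
        worst = max(hops, key=lambda h: h[2])
        earliest = min(hops, key=lambda h: h[2])
        if earliest[2] < 0:
            # A later relay stamped earlier than the previous one: the clocks disagree.
            alerts.append((n, "clock-skew", earliest))
        elif sum(h[2] for h in hops) > threshold_s:
            alerts.append((n, "delayed", worst))
    return alerts


if __name__ == "__main__":
    for alert in check(SAMPLE.splitlines()):
        print(alert)
```

The first sample record has a device timestamp three hours off but raises no alert, because only the relay stamps are trusted.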