Filter "Flag/Counter - Timeout" .... not working properly!!

Question

Hi, I am using a registered Kiwi syslog server (v8.3.4) over Windows XP, and I am having an issue with a Timeout filter. These are the two involved rules: "R004-RuleName=Start-OK-Parser-Online-08 R004-RuleInfo=04031 R004-F001-L01=060204000011111 R004-F001-L02=Message text-Complex R004-F001-L03=PRODUCTION R004-F001-L04=FHPO001 R004-F001-L05= R004-F001-L06= R004-F002-L01=060204000011111 R004-F002-L02=Message text-Complex R004-F002-L03=FH_XMEF FH_XMRV FH_XSEQC FH_XSFI FH_XSWR R004-F002-L04=CONNECTED to READY R004-F002-L05= R004-F002-L06= R004-F003-L01=030705000000001 R004-F003-L02=Time of day-Time of day R004-F003-L03="Everyday from 8:00 to 8:15" R004-F004-L01=050906000000001 R004-F004-L02=Flags/Counters-Threshold R004-F004-L03=6 R004-F004-L04=180 R004-F004-L05=0 R004-A001-L01=12061 R004-A001-L02=E-mail messageR004-A001-L03=mail@mail.com R004-A001-L04=OK !!! R004-A001-L07=200 R004-A001-L08=65535 R004-A001-L09=0 R004-A001-L10=0 R004-A001-L11=0 R004-A001-L12=0 R004-A002-L01=06041 R004-A002-L02=Play a sound R004-A002-L03=1 R004-A002-L04=\log\sounds\parser_online_ok.wav R004-A002-L05=0 R004-A002-L06=5 R004-A003-L01=02111 R004-A003-L02=Stop processing message" This rule is monitoring six proccess at the begin of the day. If the event occurs 6 times in 3 minutes, it means that all 6 process are allready start, so ... send me an e-mail. At this moment, the rule is working fine. The issue is with the "opposite". I would like to receive an alarm, if one of this 6 process is not online between 8:00 and 8:15. This is the rule for this meaning: "R005-RuleName=Start-ER-Parser-Online-08 R005-RuleInfo=04021 R005-F001-L01=060204000011111 R005-F001-L02=Message text-Complex R005-F001-L03=PRODUCTION R005-F001-L04=FHPO001 R005-F001-L05= R005-F001-L06= R005-F002-L01=060204000011111 R005-F002-L02=Message text-Complex R005-F002-L03=FH_XMEF FH_XMRV FH_XSEQC FH_XSFI FH_XSWR R005-F002-L04=CONNECTED to READY R005-F002-L05= R005-F002-L06= R005-F003-L01=041006000000001 R005-F003-L02=Flags/Counters-Timeout R005-F003-L03=6 R005-F003-L04=14 R005-F004-L01=030705000000001 R005-F004-L02=Time of day-Time of day R005-F004-L03="everyday from 8:00 to 8:15" R005-A001-L01=12061 R005-A001-L02=E-mail message R005-A001-L03=email@email.com R005-A001-L04=NO OK !!!! R005-A001-L05=email2@email.com R005-A001-L06=NO OK !!!! R005-A001-L07=200 R005-A001-L08=65535 R005-A001-L09=0 R005-A001-L10=0 R005-A001-L11=0 R005-A001-L12=0 R005-A002-L01=02111 R005-A002-L02=Stop processing message" This rule will triggered, if doesn't occur 6 times in 14 minutes from 8:00 to 8:15 The result, is that everyday ... received one email with the confirmation of the Rule #4 ... and two or three emails with the "Non Ok" of the Rule #5, So the rule #4 is triggering one time per day (Wich is perfect) ... but, rule #5 is triggering 2 or 3 times per day ... ??? This issue is freaking me out. Please, Could anybody tell me what am I misunderstanding with the Timeout filter? Thank you in advance.

Duke · Answer

Hi Kuz,

First of all, thank you for your answer. It was very usefull.

Now, I'm understanding what Kiwi Syslog server does with the "Flag/Counter" ... or i think so, ... and i'm still needing of help.

:)

Let me try with an example:

I have a rule, that filters a message.

This rule has a "Time-of-day" filter, between 8:00 AM and 8:15 AM, and a "Flag/Counter" filter, that fires if the rule doesn't became true 1 time in 15 minutes.

If I setup the rule, and I press "Apply" at 6:35 in the morning ... as a result, the system starts the 15 minutes countdown at 6:35 AM ...

6:35 AM: Start the countdown

6:50 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

7:05 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

7:20 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE

7:35 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

7:50 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

8:05 AM: The countdown expires ... the time is between 8:00 and 8:15 AM ... so, the rule is TRUE and fires!!!

BUT, this is not what I am looking for.

I would like to check, if the message doesn't appears between 8:00 and 8:15. I need that the counter starts at 8:00, and it stops at 8:15.  If the rule fires at 8:05, or depending when I applied in the past ... every day will fire at diferent hour, ...so, the fire will be completely unuseful.

I tried inverting the order of "Time-of-Day" and "Flag/Counter" filters ... but the results are the same. Still depending of when i pushed the "Apply" button.

There is any way, to reset the counter ... at a specific time of day ????

If I could reset the counter at 8:00 ... the rule will works perfect !

Thanks in advance, and sorry for my english.

Regards.

Kuz · Answer

Hi Duke,

Try reversing the order of “Flags/Counters-Timeout” and “Time of day-Time of day”

Filters are evaluated in order from the top-most filter down.

I think you need to constrain the Timeout filter to evaluate only when the Time-of-day is between 8 and 8:15 (and not the other way around).