7 Replies Latest reply on Mar 25, 2013 4:06 PM by Aforsythe

    How to detect clients that stop sending Syslog messages to the server


      How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

        • Re: How to detect clients that stop sending Syslog messages to the server

          Here's what I do:


          My first rule processes all messages and runs a script to collect some stats. I used this as an example: http://thwack.solarwinds.com/docs/DOC-63853 and then modified it to do a bunch of other stuff including what you're asking for.


          That example was a script created to generate a daily statistics report, which was eventually included in the code, but the concept is useful, and it does the first half of what you want it to do, which is check the age of messages from a specific host.


          So after logging the dictionary item or updating the item for every message received, my script checks each dictionary item and does a DateDiff on seconds since the last message. If any of them are past a set threshold, which can be configured per host, then I get an e-mail.


          I was worried that this was going to be horribly inefficient and create problems, scripting something for every single message that comes in, but it's very fast: it takes a few milliseconds that are barely measurable with any degree of accuracy, and it did not have any noticeable impact on everything else I've got scripted.


          Anyway, that script I linked should serve as a good example to get you started; it works right out of the box. If you've got any questions about it, feel free to ask. I'll also see how much extra junk I can strip out of my script without breaking it and upload it here as well.

          1 of 1 people found this helpful
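
The approach described in the reply above (a per-host dictionary of last-message times, a date difference against a per-host threshold), sketched as an added example that is not part of the original post or the linked script. It is standalone Python rather than a Kiwi Syslog rule script; the class and host names and the timestamps are constructed, and alert delivery (the e-mail) is left to the caller. It goes slightly beyond the post by seeding expected hosts so a client that never sends anything is also caught, and by reporting each silent host only once until it recovers.

```python
from datetime import datetime, timedelta

class SilenceMonitor:
    """Tracks the last message time per host and reports hosts that went quiet."""

    def __init__(self, default_threshold, start, per_host=None, expected=()):
        self.default = default_threshold
        self.per_host = dict(per_host or {})   # host -> timedelta override
        self.alerted = set()                   # hosts already reported as silent
        # Seed expected hosts so one that never sends a message is still caught.
        self.last_seen = {host: start for host in expected}

    def record(self, host, when):
        """Call for every received message; True means the host had been flagged silent."""
        self.last_seen[host] = when
        recovered = host in self.alerted
        self.alerted.discard(host)
        return recovered

    def sweep(self, now):
        """Return [(host, age)] for hosts that newly exceeded their threshold."""
        newly_silent = []
        for host, seen in self.last_seen.items():
            age = now - seen
            limit = self.per_host.get(host, self.default)
            if age > limit and host not in self.alerted:
                self.alerted.add(host)         # suppress repeat alerts
                newly_silent.append((host, age))
        return sorted(newly_silent)

def demo():
    t0 = datetime(2013, 3, 25, 12, 0, 0)       # constructed timestamps
    mon = SilenceMonitor(timedelta(minutes=5), t0,
                         per_host={"fw01": timedelta(seconds=60)},
                         expected=["fw01", "sw02", "srv03"])
    mon.record("fw01", t0 + timedelta(seconds=10))
    mon.record("sw02", t0 + timedelta(seconds=20))
    first = mon.sweep(t0 + timedelta(seconds=90))     # fw01 is 80 s old, limit 60 s
    second = mon.sweep(t0 + timedelta(seconds=120))   # already alerted, no repeat
    recovered = mon.record("fw01", t0 + timedelta(seconds=130))
    third = mon.sweep(t0 + timedelta(minutes=6))      # all three now past their limits
    return first, second, recovered, third

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Calling `sweep` from a timer as well as from the per-message path covers the case where every client goes quiet at once and no incoming message triggers the check.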