How to detect clients that stop sending Syslog messages to the server

How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

  • Here's what I do:

    My first rule processes all messages and runs a script to collect some stats. I used this as an example: http://thwack.solarwinds.com/docs/DOC-63853 and then modified it to do a bunch of other stuff including what you're asking for.

    That example was a script created to generate a daily statistics report which was eventually included in the code, but the concept is useful and it does the first half of what you want it to do which is check the age of messages from a specific host.

    So after logging the dictionary item or updating the item for every message received, my script checks each dictionary item and does a DateDiff on seconds since the last message. If any of them are past a set threshold, which can be configured per host, then I get an e-mail.

    I was worried that this was going to be horribly inefficient and create problems, scripting something for every single message that comes in, but it's very fast: it takes a few milliseconds that are barely measurable with any degree of accuracy, and it did not have any noticeable impact on everything else I've got scripted.

    Anyway, that script I linked should serve as a good example to get you started, it works right out of the box. If you've got any questions about it, feel free to ask. I'll also see how much extra junk I can strip out of my script without breaking it and upload it here as well.
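
The check described in the reply above (record the last message time per host, then compare each host's age against a per-host threshold) sketched as an added example in plain JavaScript; it is not the script linked in the thread and does not use Kiwi Syslog's scripting objects. The class, host addresses, thresholds and timestamps are constructed for illustration.

```javascript
// Added example: per-host "last seen" tracking with silence thresholds.
// All names, addresses and timestamps are constructed for illustration.
const DEFAULT_THRESHOLD_S = 300; // assumed default for hosts with no own limit

class SilenceMonitor {
  constructor(thresholds, startedAt) {
    this.thresholds = thresholds; // host -> max allowed silence in seconds
    this.lastSeen = new Map();    // host -> epoch seconds of last message
    this.alerted = new Set();     // hosts already reported as silent
    // Expected hosts start their clock at monitor start, so a host that
    // never sends anything is still caught.
    for (const host of Object.keys(thresholds)) this.lastSeen.set(host, startedAt);
  }

  // Call for every received message; returns hosts that newly went silent.
  onMessage(host, now) {
    this.lastSeen.set(host, now);
    this.alerted.delete(host);    // host is back, re-arm its alert
    return this.check(now);
  }

  // Compare every tracked host's age against its threshold.
  check(now) {
    const newlySilent = [];
    for (const [host, seen] of this.lastSeen) {
      const limit = this.thresholds[host] ?? DEFAULT_THRESHOLD_S;
      const age = now - seen;
      if (age > limit && !this.alerted.has(host)) {
        this.alerted.add(host);   // suppress repeats until it sends again
        newlySilent.push({ host, silentSeconds: age, limit });
      }
    }
    return newlySilent;
  }
}

// Constructed sample: two hosts with their own limits, one on the default.
function demo() {
  const m = new SilenceMonitor({ "10.0.0.1": 60, "10.0.0.2": 600 }, 1000);
  const out = [];
  out.push(m.onMessage("10.0.0.1", 1010)); // nothing overdue
  out.push(m.onMessage("10.0.0.3", 1020)); // new host, default limit
  out.push(m.onMessage("10.0.0.2", 1100)); // 10.0.0.1 silent 90 s > 60 s
  out.push(m.onMessage("10.0.0.2", 1110)); // already alerted, no repeat
  out.push(m.onMessage("10.0.0.1", 1120)); // back again, alert re-armed
  out.push(m.check(1800));                 // timer-style check, no message
  return out;
}
```

Because the per-message check runs only when some message arrives, it cannot fire if every source goes quiet at once; calling `check` from a timer as well covers that case.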

  • Acy,

    Thank you for pointing me in the right direction. I am new to Kiwi Syslog server and scripting with it. Any other examples you can post from your custom script would be much appreciated.

    You said your script "checks each dictionary item and does a Datediff on seconds since last message." Is the "dictionary" you refer to built into the Syslog server or is this something you build in your script?  Do you know of any scripting guides for Syslog server other than what's in the help file?

    Thanks much,

    Rick

  • Rick,

    I apologize for not responding sooner, but I will provide you a sample script you should be able to use to accomplish what you need. Also, for scripting help, I would begin with VB or Jscript because you don't need to install anything specific for them to function and there are plenty of reference guides out there for these. Just Google VBscript tutorial or Jscript tutorial, and you're off!

    I'll get back to you in the next couple of days with a script for this...

  • No problem. I am not in a super rush.  I did find some better documentation in the CHM file in the "Action - Run Script" section.  I was just using the index or search feature before and it was not giving me much to go on. I am pretty familiar with VBScript.  I have been studying how to use the dictionaries in my spare time.  I was curious what you get by having it send syslog statistics and I found that my test server did not have the SMTP port open to my test email server, LOL. I am still waiting on my network guys to get that set up for me.

    I appreciate all your help.

  • Rick,

    Here you go... http://thwack.solarwinds.com/docs/DOC-170644

    I've uploaded the script to the content exchange. It requires some minor editing, but if you have any questions or need any assistance getting it set up, let me know and I'll do what I can to help.

    You'll need to configure at least one rule, and make some minor changes to the script with a text editor. If you've got any issues with the Syslog server sending you e-mails, I may not be able to help you there, but provided you've got that working, we should be able to get through the rest of this with very few problems.

  • A little bit of editing and understanding and now I am up and running and fine-tuning it.  Thank you so much for your help Acy!

  • Awesome. I'm glad it's working for you, and again, I'm sorry it took so long. I have that script doing sooo much that editing it all out proved to be more time-consuming than I had thought, so we both won out in the end. I ended up rewriting the device check-in from the ground up and removing that portion from my reporting script, so now that functionality is in its own script; it's a whole lot easier to modify now and runs quite a bit faster.