PERL based log analyzer
News & Updates
 
July 21, 2008
v 1.0 now available

The 'Event' tag

The 'Event' tag is the most complicated tag to use. It defines an event as a boolean and chronological association of realized patterns. Events are checked only during 'Event Check passes'. The delay between two of these passes is defined by the EventUpdateInt keyword of the 'Kazimir' tag.

An event is generally associated with a 'time window'. This means that only the patterns realized within the time window are considered. The 'time window' is a duration value (a postfixed time value). As an example, if I set up an event with a 10-minute time window, only the patterns realized between the current time minus 10 minutes and the current time are considered. The patterns that were realized before that are simply forgotten. If no time window is defined, all the patterns detected since the start of Kazimir are considered. Be very careful when doing this, because you can write a configuration file that keeps detecting the same old error, one that happened so long ago that it should no longer be considered.

The 'Event' tag has two keywords:
  • Name: The name of the event. Mandatory.
  • Window: The time window. Not mandatory; the default is -1 (patterns are considered from the beginning). I strongly recommend using a time window (see the remark above).
This is not enough to define an event, however: you must also describe the 'event combo', which is a set of boolean pattern associations. The combo begins with a line containing Begin and ends with a line containing End. Each line between these two statements is a combo line. A combo line is a boolean composition of pattern realizations. Suppose I have to look for patterns named pat1, pat2 and pat3. I can then define combo lines like the following.
I want the line to be realized if pat1 OR pat2 is realized:

pat1 || pat2    

I want pat2 AND a realization of pat3 or pat1:

pat2 && ( pat3 || pat1 ) 

I want a realization of pat1 with NO realization of pat2:

pat1 && !pat2
Each combo line that is realized has a realization time. For the moment, this is the highest value among the realized patterns involved in the combo line. This realization time is used for chronological association. At this point, your question should be: how do I write a chronological association? It is very simple: to say 'this should happen after this', just write two combo lines and put them in the correct time order. For example, to check for pat2 or pat3 happening after pat1, I just need to write:
pat1
pat2 || pat3
Chronological association can be a little smarter by introducing the idea of a 'delay' between combo lines. For example, I can look for 'pat2 or pat3' within the 2 minutes after pat1 was realized for the last time. You do this by adding the additional (and optional) keyword 'Delay' at the end of a combo line (a semicolon is necessary for the parser to know where the combo ends). The value after the 'Delay' keyword is a postfixed time value. For example, for the configuration I described a few lines above, I can write:
pat1
pat2 || pat3 ; Delay = 2m
By doing this, I say that the second line must happen within the 2 minutes that follow the realization of the first line. Of course, the 'Delay' keyword has no meaning on the first line (there is no previous line with a realization time to compare with). At the end of the document, you'll find an example section with different configuration files.
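The rules above (time window, boolean combo lines, realization time, ordering and 'Delay') can be checked against sample data with a small model. This is an added example, not Kazimir's own code: the function names, the s/m/h suffix table, timestamps in seconds and the choice to date a line with only negated patterns at the check time are assumptions.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600}  # assumed suffixes; the page only shows "2m"
def seconds(value):
    """Convert a postfixed time value such as '2m' to seconds."""
    return int(value[:-1]) * UNITS[value[-1]]

def realized(expr, seen):
    """Evaluate a combo expression (&&, ||, !, parentheses) without eval()."""
    toks = re.findall(r"&&|\|\||[!()]|\w+", expr) + [None]
    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            toks.pop(0)  # consume ")"
            return value
        return tok in seen  # True if this pattern was realized in the window
    def chain(operand, op, join):
        value = operand()
        while toks[0] == op:
            toks.pop(0)
            value = join(operand(), value)
        return value
    def both():
        return chain(atom, "&&", lambda a, b: a and b)
    def either():
        return chain(both, "||", lambda a, b: a or b)
    return either()

def event_fires(combo, hits, now, window=None):
    """combo: ordered combo lines; hits: pattern name -> realization times (s)."""
    start = now - seconds(window) if window else float("-inf")
    last = {n: max(k) for n, ts in hits.items()
            if (k := [t for t in ts if start <= t <= now])}
    previous = None
    for line in combo:
        expr, _, option = line.partition(";")
        if not realized(expr, last):
            return False
        # Line time: latest realized pattern it names (check time if none).
        when = max((last[n] for n in re.findall(r"\w+", expr) if n in last), default=now)
        delay = re.search(r"Delay\s*=\s*(\w+)", option)
        if previous is not None and (when < previous or (
                delay and when - previous > seconds(delay.group(1)))):
            return False
        previous = when
    return True
```

With constructed hits `{"pat1": [1000], "pat3": [1300]}`, the two-line combo matches at any later check time when no window is set, which is the stale-detection problem described above; a `10m` window or `Delay = 2m` stops it.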
Philippe Deniel 2008-07-22