
################################################################
#   SEC ruleset for syslog-ng (contributed by Peter Straka)
################################################################
#date        host process[pid]: [ID number facility.level] txt

################################################################
#     internal
################################################################
# Settings/parameters reused by the rules below; rule beno#1 assigns them
# when SEC starts, restarts or shuts down.
#
# %A,%B,%C,%D     = scratch parameters (per-event captures)
# %F  = output file for the write action
# %E  = mail recipient list for the report action
# %M  = mail program (command the report action pipes into)
################################################################

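#rule beno#1
# Fires on the SEC internal events (startup, restart, shutdown) and sets the
# %-variables every other rule in this file reads.
# $0 here is the internal event text (SEC_STARTUP etc.), not an external log
# line, so handing it to shellcmd is not a shell-injection risk; do not copy
# this shellcmd into a rule whose $0 comes from syslog.
# %F used to be /tmp/sec.out: a root-run SEC appending to a predictable name
# in a world-writable directory can be redirected by a symlink planted by any
# local user, with log-derived text as the payload.  The report now lives
# under /var/log, which only root can write to.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)
context=SEC_INTERNAL_EVENT
desc=SEC internal
action=shellcmd /bin/echo -- %t %s $0;\
      assign %F /var/log/sec.out;\
      assign %E root@localhost;\
      assign %M /bin/mail -s "SEC production event";\
      add OUT %t "starting"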

################################################################
#     statistics
################################################################

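#rule beno#2
# Per-line counters keyed by host ($1), process ($2), facility ($3) and
# level ($4); the hashes are dumped and zeroed by rule beno#3.
# SECURITY: SEC substitutes %A..%D textually into the Perl source of the eval
# action below, inside double quotes.  With the former \S+ captures, a syslog
# line whose tag or host field contained " $ @ or \ (any local user can pick
# the tag with logger(1)) would have closed the string and run attacker-chosen
# Perl with SEC's privileges.  The capture classes are therefore limited to
# characters that are inert inside a Perl double-quoted string; a line with
# other characters in these fields is simply not counted.
type=Single
continue=TakeNext
ptype=RegExp
pattern=\s([\w.-]+)\s([\w./-]+)\[\d+\]\:\s\[ID \d+ (\w+)\.(\w+)\]\s
desc=log level and facility counter + host and proces counter
action=assign %A $1;\
      assign %B $2;\
      assign %C $3;\
      assign %D $4;\
      eval %Z ($host{"%A"}++; $proces{"%B"}++; $facility{"%C"}++; $level{"%D"}++;)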

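#rule beno#3
#write statistics and null counters every hour
# Every hour on the hour: format the counters gathered by rule beno#2, append
# the text to %F, mail it to %E through %M, then reset the counters to 0.
# Embedded-Perl notes: SEC rewrites %name tokens in the action text before
# Perl compiles it, which is why the format strings say %%s (-> %s).  For the
# same reason never assign SEC variables named %level, %facility, %host or
# %proces, or the hash names below would be rewritten.  Keys are sorted so
# successive reports line up, and the loop variable is lexical rather than
# the package global $x the original used.
type=Calendar
time=0 * * * *
desc=log level and facility counter + host and proces counter
action=eval %Z (\
      my @ret; \
      push(@ret,"*******************************\n***** LEVEL:\n");\
      foreach my $k (sort keys %level) {push(@ret,sprintf "%%s=%d\n",$k,$level{$k}) if $level{$k}; $level{$k}=0}; \
      push(@ret,"\n***** FACILITY:\n");\
      foreach my $k (sort keys %facility) {push(@ret,sprintf "%%s=%d\n",$k,$facility{$k}) if $facility{$k}; $facility{$k}=0}; \
      push(@ret,"\n***** HOSTS:\n");\
      foreach my $k (sort keys %host) {push(@ret,sprintf "%%s=%d\n",$k,$host{$k}) if $host{$k}; $host{$k}=0}; \
      push(@ret,"\n***** PROCES:\n");\
      foreach my $k (sort keys %proces) {push(@ret,sprintf "%%s=%d\n",$k,$proces{$k}) if $proces{$k}; $proces{$k}=0}; \
      push(@ret,"\n********************************************************\n");\
      return "@ret"); \
      write %F %t %Z; \
      add STAT %Z; \
      report STAT %M %E; \
      delete STAT ;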

################################################################
#     hourly statistics
################################################################

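#rule beno#4
# Counts lines per hour of day, keyed "H<HH>" from the leading syslog
# timestamp ("Mon DD HH:MM:SS"; see the format note at the top of the file).
# The pattern is anchored to the start of the line so a time-like token later
# in the message text cannot be mistaken for the timestamp.  The capture is
# digits only, so substituting %A into the eval code below is safe.
type=Single
continue=TakeNext
ptype=RegExp
pattern=^\S+\s+\d+\s+(\d+)\:\d+\:\d+\s
desc=hourly counter
action=assign %A H$1;\
      eval %Z ($hour{"%A"}++;)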

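#rule beno#5
#write statistics and null counters at midnight
# Once a day: write and mail the per-hour line counts gathered by rule beno#4,
# then zero them.  The shipped ruleset scheduled this at 25 16 * * * (16:25)
# while its comment said "midnight"; a 16:25 reset splits each day's histogram
# across two reports, so it now runs at 00:00 as documented.  Keys are "H<hour>"
# and are printed in numeric hour order; the loop variable is lexical.
type=Calendar
time=0 0 * * *
desc=hourly counter
action=eval %Z (\
      my @ret; \
      push(@ret,"*******************************\n");\
      foreach my $k (sort { substr($a,1) <=> substr($b,1) } keys %hour) {push(@ret,sprintf "%%s:00=%d\n",$k,$hour{$k});$hour{$k}=0}; \
      push(@ret,"\n********************************************************\n");\
      return "@ret"); \
      write %F %t %Z; \
      add HOUR_STAT %Z; \
      report HOUR_STAT %M %E; \
      delete HOUR_STAT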