-rw-r--r--LogActio/__init__.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/LogActio/__init__.py b/LogActio/__init__.py
index 4a2b523..eb11814 100644
--- a/LogActio/__init__.py
+++ b/LogActio/__init__.py
@@ -43,15 +43,17 @@ class WatcherThread(threading.Thread):
return self.__logfile
- def AddRule(self, prefix, regex, threshold, timeframe, reporters):
+ def AddRule(self, prefix, regex, threshold, timeframe, ratelimit, reporters):
# Adds a rule specific for this log file
rule = {"prefix": prefix,
"regex": re.compile(regex),
"threshold": int(threshold),
"timeframe": timeframe and int(timeframe) or None,
+ "ratelimit": ratelimit and int(ratelimit) or None,
"lastseen": 0,
"current_count": 0,
"alerts_sent": 0,
+ "lastsent": 0,
"reporters": reporters}
self.__rules.append(rule)
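Review bot: The new `"ratelimit"` entry in AddRule accepts any integer, so a negative `rate-limit` value makes the later `now > (alert["lastsent"] + alert["ratelimit"])` test true on every match and silently switches the limiter off. The `and/or` idiom also folds `0` to None. Rejecting negatives before the dict is built would surface the misconfiguration, for example `if ratelimit and int(ratelimit) < 0: raise ValueError("rate-limit must be >= 0")`. The `# Adds a rule specific for this log file` comment could also state that `ratelimit` is in seconds and that None means unlimited. The body of the WatcherThread class continues outside this hunk.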
@@ -96,12 +98,15 @@ class WatcherThread(threading.Thread):
alert["current_count"] += 1
# If the threshold has been reached and within the given time frame,
- # report the incident
+ # report the incident. Also, if we have an rate-limit, only send
+ # a report it is 'rate-limit seconds' since last report.
if (alert["threshold"] == 0
or ((alert["current_count"] % alert["threshold"] == 0)
and (alert["timeframe"] is None
- or now <= (alert["lastseen"] + alert["timeframe"])))):
+ or now <= (alert["lastseen"] + alert["timeframe"])))
+ and (alert["ratelimit"] is None or now > (alert["lastsent"] + alert["ratelimit"]))):
alert["alerts_sent"] += 1
+ alert["lastsent"] = now
info = "|".join(m.groups()) # Gather regex exctracted info
if len(info) == 0:
info = None
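Review bot: The added `and (alert["ratelimit"] is None or ...)` clause does not apply when `alert["threshold"] == 0`, because `and` binds tighter than `or` and the condition parses as `threshold == 0 or (count/timeframe test and ratelimit test)`. A rule that reports on every match is the case most exposed to log-driven alert floods, and it is the one left unlimited, which contradicts the comment above the condition. Grouping the first two alternatives fixes it: open with `if ((alert["threshold"] == 0` and add one closing parenthesis after `alert["timeframe"])))` so the rate-limit clause guards both branches. Matches dropped by the limiter are not counted anywhere in the visible lines, so a later report cannot say how many events were suppressed. The enclosing method starts and ends outside this hunk.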
@@ -315,6 +320,8 @@ class LogActio(object):
self.__cfg.get(entry, "threshold"),
(self.__cfg.has_option(entry, "time-frame")
and self.__cfg.get(entry, "time-frame") or None),
+ (self.__cfg.has_option(entry, "rate-limit")
+ and self.__cfg.get(entry, "rate-limit") or None),
rulereps)
if rulereps is not None and len(rulereps) > 0:
self.__log(3, "Rule reporters prepared: [%s] => %s" %