NAME

/opt/pmx/etc/scheduler.d/monitor-analyzer.conf


DESCRIPTION

The Threshold analyzer accepts events from the Notifiers and analyzes them to determine when a specified threshold has been crossed.


CONFIGURATION

Example

  <analyzer too_much_spam_from_host>
    use = PureMessage::Monitor::Analyzer::Threshold
    event = spam
    field = relay_host
    expiry = 5m
    threshold = 20
  </analyzer>
  <analyzer too_much_mail_from_host>
    use = PureMessage::Monitor::Analyzer::Threshold
    event = every_message
    field = relay_host
    expiry = 5m
    threshold = 100
  </analyzer>

Option Explanations

The following options can be used in the monitor-analyzer.conf file:

event
Specifies the Event that this analyzer accepts for analysis. The keyword "all" signifies that the analyzer accepts all generated events for analysis. Required.

field
Specifies the field within the input event that is being analyzed (e.g. "relay_host"). Required.

threshold
Specifies the threshold that must be crossed in order for the analyzer to fire an Action Event.

expiry
Specifies the expiry time for event counters. Data which is older than this is considered stale and does not count towards the threshold. Default is 5m, minimum is 1m, maximum is 1d.

period
Specifies a grouping period for event counters. Default is 1m, minimum is 1m, maximum is 1d. The default is almost always sufficient; you'll likely never need to change this value.

Action Events generated by the Threshold analyzer contain the following fields of information which can be consumed by Reactors:

time_stamp
The time stamp (in seconds since the epoch) when we detected that the threshold had been crossed.

name
The name of the generated Action Event, which has the same name as the Analyzer which generated it (e.g. "too_much_spam_from_host").

field
The field which is being monitored by the Threshold analyzer (e.g. "relay_host").

value
The data value for which the count exceeded the threshold (e.g. "smtp.example.com").

threshold
The configured threshold value.

count
The current count for this particular data value.
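
The way expiry, period and threshold interact can be modelled with a small sliding-window counter that emits the Action Event fields listed above. This is an added illustration, not PureMessage code: the class and function names are hypothetical, and the bucket-expiry rule, the once-per-crossing reporting and the restriction to the m and d suffixes are assumptions.

```python
from collections import defaultdict

UNITS = {"m": 60, "d": 86400}  # assumption: only the suffixes this page shows

def seconds(spec):
    """Convert '5m' or '1d' to seconds, enforcing the documented 1m..1d range."""
    value = int(spec[:-1]) * UNITS[spec[-1]]
    if not 60 <= value <= 86400:
        raise ValueError(f"{spec}: outside the 1m..1d range")
    return value

class ThresholdModel:
    """Hypothetical model of one <analyzer> block; not PureMessage code."""
    def __init__(self, name, event, field, threshold, expiry="5m", period="1m"):
        self.name, self.event, self.field = name, event, field
        self.threshold = int(threshold)
        self.expiry, self.period = seconds(expiry), seconds(period)
        self.buckets = defaultdict(dict)  # field value -> {period start: count}
        self.over = set()                 # values already reported as over

    def feed(self, event_name, record, now):
        """Count one event; return an Action Event dict on a crossing, else None."""
        if self.event not in ("all", event_name) or self.field not in record:
            return None
        value = record[self.field]
        slots = self.buckets[value]
        start = now - now % self.period   # group counters by period
        slots[start] = slots.get(start, 0) + 1
        for old in [s for s in slots if now - s >= self.expiry]:
            del slots[old]                # stale data no longer counts
        count = sum(slots.values())
        if count <= self.threshold:       # the count must exceed the threshold
            self.over.discard(value)
            return None
        if value in self.over:            # assumption: report each crossing once
            return None
        self.over.add(value)
        return {"time_stamp": now, "name": self.name, "field": self.field,
                "value": value, "threshold": self.threshold, "count": count}

def demo():
    """Constructed stream: one relay sends 22 spam messages, one per second."""
    analyzer = ThresholdModel("too_much_spam_from_host", "spam", "relay_host", 20)
    stream = [("spam", {"relay_host": "smtp.example.com"}, 1000 + i) for i in range(22)]
    return [a for a in (analyzer.feed(*e) for e in stream) if a]

if __name__ == "__main__":
    print(demo())
```

With the constructed stream, the 21st message is the first to push the count past the threshold of 20, so a single Action Event is produced.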


COPYRIGHT

Copyright (C) 2000-2006 Sophos Group. All rights reserved. Sophos and PureMessage are trademarks of Sophos Plc and Sophos Group.