Quickstart: TOC - 1 - 2 - 3 - (advanced) 4 - 5 - 6

Quickstart - step 4: enhancing the classification rules

The rules file generated by the GUI contains some global rules adapted to the log type used. You can complete these rules to better fit your needs. When you save the rules file, the GUI reloads it: this can be used to test the new rules you are writing.

An XSD schema and a DTD are available to help with writing the rules XML file, as is the complete rules documentation.

groups

When some log events are interesting, you can write a group entry to match them:

  <group id="someId" [save="false"] [continueProcessing="true"]>
    <description>Description of what make these events remarkable</description>
    <condition>
      <match attribute="attributeId" type="(operator)">value to match</match>
      <match...>
    </condition>
    <condition>...
  </group>

The most important part is the condition(s), which must match exactly the interesting events. Comparison operators are contains, equals, startsWith, endsWith and regexp, or the negation of the test when prefixed with ! (!contains, !equals, !startsWith, !endsWith, !regexp).

By default, the events are saved in a dedicated file (groupId.log), unless you add save="false".

By default, if an event matches this group, it won't be checked for the next groups, unless you add continueProcessing="true".
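To make the matching, save and continueProcessing semantics described above concrete, here is an added Python example (not LogDistiller's own code) that parses a small rules file in the shape shown, evaluates the five operators and their ! negations against constructed events, and shows which groups each event ends up in. The rules, the events and the event attributes (program, message) are constructed for this example; it also assumes that the match entries inside one condition must all hold and that a group matches when any of its conditions holds, which the page does not state.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rules file in the shape shown above (not a GUI-generated LogDistiller file).
RULES_XML = r"""
<rules>
  <group id="failedLogin">
    <description>SSH authentication failures</description>
    <condition>
      <match attribute="message" type="contains">Failed password</match>
    </condition>
  </group>
  <group id="rootActivity" save="false" continueProcessing="true">
    <description>Anything mentioning the root account (counted, not saved)</description>
    <condition>
      <match attribute="message" type="regexp">\broot\b</match>
    </condition>
  </group>
  <group id="sshdOther">
    <description>Other sshd lines that are not disconnects</description>
    <condition>
      <match attribute="program" type="equals">sshd</match>
      <match attribute="message" type="!startsWith">Disconnected</match>
    </condition>
  </group>
</rules>
"""

# Constructed sample events, already split into attributes by a hypothetical log type parser.
EVENTS = [
    {"program": "sshd", "message": "Failed password for root from 10.0.0.5 port 4242 ssh2"},
    {"program": "sshd", "message": "Accepted publickey for root from 10.0.0.9 port 5151 ssh2"},
    {"program": "sshd", "message": "Disconnected from 10.0.0.9 port 5151"},
    {"program": "cron", "message": "(root) CMD (/usr/bin/backup)"},
    {"program": "sshd", "message": "Received SIGHUP; restarting."},
]

# The comparison operators listed on the page; "!" in front of any of them negates the test.
OPERATORS = {
    "contains": lambda value, pattern: pattern in value,
    "equals": lambda value, pattern: value == pattern,
    "startsWith": lambda value, pattern: value.startswith(pattern),
    "endsWith": lambda value, pattern: value.endswith(pattern),
    "regexp": lambda value, pattern: re.search(pattern, value) is not None,
}


def match_ok(event, match):
    """Evaluate one <match> element against one event."""
    op = match.get("type")
    negate = op.startswith("!")
    if negate:
        op = op[1:]
    value = event.get(match.get("attribute"), "")
    result = OPERATORS[op](value, match.text or "")
    return not result if negate else result


def condition_ok(event, condition):
    # Assumption: every <match> inside one <condition> must hold.
    return all(match_ok(event, m) for m in condition.findall("match"))


def group_ok(event, group):
    # Assumption: a group matches when any one of its <condition> elements holds.
    return any(condition_ok(event, c) for c in group.findall("condition"))


def classify(events, rules_xml):
    """Return (saved, trace): saved maps 'groupId.log' to the events written to that
    file; trace lists, per event, the group ids that matched it in order."""
    groups = ET.fromstring(rules_xml).findall("group")
    saved = {g.get("id") + ".log": [] for g in groups}
    trace = []
    for event in events:
        matched = []
        for group in groups:
            if not group_ok(event, group):
                continue
            matched.append(group.get("id"))
            # Default: matching events are written to groupId.log unless save="false".
            if group.get("save", "true") != "false":
                saved[group.get("id") + ".log"].append(event)
            # Default: a matched event is not checked against later groups
            # unless continueProcessing="true".
            if group.get("continueProcessing", "false") != "true":
                break
        trace.append(matched)
    return saved, trace


if __name__ == "__main__":
    saved, trace = classify(EVENTS, RULES_XML)
    for event, matched in zip(EVENTS, trace):
        print(f"{matched or ['<unclassified>']}: {event['message']}")
    for filename, lines in saved.items():
        print(f"{filename}: {len(lines)} event(s)")
```

Running it shows the two defaults at work: the "Failed password" line stops at failedLogin and never reaches rootActivity, while the lines matched by rootActivity (save="false", continueProcessing="true") leave no rootActivity.log behind but still fall through to sshdOther, and the "Disconnected" line is rejected there by the negated !startsWith test.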

plugins

Groups can have plugins configured. LogDistiller contains the following:

  • freq
  • sampling: with this plugin, you get a file containing a few samples of every different log event, whether they are very frequent or very rare

reports

Each group can have reports:

  • file: basic file saved in the output directory
  • mail: a mail sent to the persons interested in the group
  • news feed: added to a feed file

>> next