Count instances of a pattern's match in a real-time log file, in a specific time frame, using PowerShell?

Question

I've to intercept a pattern in a log file and, when this pattern is matched for 5 times in 5 minutes, send an alert...

I've wrote this lines, but I'm stuck... I don't know how to handle the time frame...

Can you help me please?

Roberto.

$count = get-content test.txt -Tail 1 -Wait | select-string -pattern "auth" -simplematch
$count.length

I've tried other approach, but nothing to do...

$file = "test.txt"
$mymatch = "auth"
#$FirstEventTime = Get-Date
#$LastEventTime = Get-Date
$Err = 0
$Range =@(1,2,3,4)
$Tailfile = Get-Content $file -Tail 1 -Wait | select-string -pattern $mymatch -simplematch | foreach ($mymatch) {
    if($Err -lt 1){
        New-Event -SourceIdentifier StartEvent -Sender windows.timer
        $Err++
        }
    #elseif ($Err -eq [1-4])
    elseif ($Range -contains $Err){
        $Err++ }
    else {
        New-Event -SourceIdentifier LastEvent -Sender windows.timer
        $FisrtEvent = (get-event StartEvent).TimeGenerated
        $LastEvent = (get-event LastEvent).TimeGenerated
        $Elapsed = $LastEvent-$FisrtEvent
        $realElasped = ($elapsed).TotalMinutes
        [math]::Round($realElasped)

            if ($realElasped -lt 5) {
                echo "sendmail......"
                $Err = 0}
            else {
            $Err = 0
                }
            }
        }

score 0 · Answer 1 · answered May 13 '19 at 11:42

0

Number of occurrences in an interval is a useful alert condition, but it is a non-trivial program to write. Most simple tail implementations don't have such a feature.

Consider implementing a log aggregation system that has extensible alert conditions. For example, Graylog has X messages in Y minutes. Yes, it is a much bigger project than tailing one log. However it can ingest event log and syslog as well, and do similar things for any event from any host.

answered May 13 '19 at 11:42

John Mahowald

30,009
1
17
32

You're absolutely right John! We've Kafka and other Apache friends in the serverfarm! Unfortunately I've some servers in a segregated network that cannot reaches hosts in severfarm subnets... – ilRobby May 13 '19 at 14:31

score 0 · Answer 2 · edited Jun 05 '19 at 12:16

Just for who has the same need, I've fixed my script and now it works!

$MailArgs = @{
    From = bla, bla, bla....
}

$file = "Test.txt"
$FolderLogs = "E:\TMP"
$mymatch1 = "autentica"
$mymatch2 = "WS ERROR"
$Err = 0
$Range =@(1,2,3,4)
$Tailfile = Get-Content $file -Tail 1 -Wait | ?{ $_ -match $mymatch1 -and $_ -match $mymatch2 } | ForEach-Object {
    if($Err -lt 1){
        New-Event -SourceIdentifier StartEvent -Sender windows.timer
        $Err++
    }
    elseif ($Range -contains $Err) {
        $Err++ 
    }
    else {
        New-Event -SourceIdentifier LastEvent -Sender windows.timer
        $FisrtEvent = (get-event StartEvent).TimeGenerated
        $LastEvent = (get-event LastEvent).TimeGenerated
        $Elapsed = $LastEvent-$FisrtEvent
        $realElasped = ($elapsed).TotalMinutes
        [math]::Round($realElasped)

        if ($realElasped -lt 5) {
            Send-MailMessage @MailArgs 2>&1 > $FolderLogs\MailLogs.txt
            $Err = 0
        }
        else {
            $Err = 0
        }
    }
}

Count instances of a pattern's match in a real-time log file, in a specific time frame, using PowerShell?

2 Answers2