a question of Syslog Plugin for Cacti

[mayflykaka]

Dear Jimmy Conner,
Hi, I am a user of Syslog Plugin for Cacti. I really appreciate this plugin written by you, which is convenient for my work.
I mainly use it for the storage of syslog messages and send alarms of state changes of the interfaces of rounters/ switchs (both up and down). One thing bothers me is that the states of some routers/switchs ports up and down too frequently and cause a lot of ultrashort alarms as well as alarm emails, which are not needed. I wonder weather this plugin can achieve the function of filtering (shielding) the ultrashort alarms from the same port. For example, shielding alarms from the same device on the same port up soon after down within a setting time (3 minutes). Messages in “syslog_alarm_log” table are as follows:

I tried to build a new table in mysql named “syslog_alarmtest”, to shield ultrashort alarm by matching the downing ports that after 3 minutes without up. But I don’t familiar with php, so I do not know how to associate this query with the plugin.
Would you please give me some suggestions to realize the function of shielding ultrashort alarms in the plugin? thank you so much!


Best wishes,
Hu




My queries of mysql are as follow:
create table syslog_portup as select *
from syslog_alarm_log
where logmsg LIKE '%up%'


create table syslog_portdown as select *
from syslog_alarm_log
where logmsg LIKE '%down%'


CREATE TABLE syslog_alarmtest AS
(SELECT syslog_portdown.* FROM
syslog_portdown
LEFT JOIN syslog_portup
ON syslog_portdown.host=syslog_portup.host
AND SUBSTR(syslog_portdown.logmsg,INSTR(syslog_portdown.logmsg,'GigabitEthernet'),INSTR(syslog_portdown.logmsg,'GigabitEthernet')+20)=SUBSTR(syslog_portup.logmsg,INSTR(syslog_portup.logmsg,'GigabitEthernet'),INSTR(syslog_portup.logmsg,'GigabitEthernet')+20)


AND (syslog_portdown.logtime > DATE_SUB(syslog_portup.logtime,INTERVAL 180 SECOND)
AND syslog_portdown.logtime <= syslog_portup.logtime)
WHERE syslog_portup.alert_id IS NULL)


union


(SELECT syslog_portup.* FROM
syslog_portup
LEFT JOIN syslog_portdown
ON syslog_portdown.host=syslog_portup.host
AND SUBSTR(syslog_portdown.logmsg,INSTR(syslog_portdown.logmsg,'GigabitEthernet'),INSTR(syslog_portdown.logmsg,'GigabitEthernet')+20)=SUBSTR(syslog_portup.logmsg,INSTR(syslog_portup.logmsg,'GigabitEthernet'),INSTR(syslog_portup.logmsg,'GigabitEthernet')+20)


AND (syslog_portdown.logtime > DATE_SUB(syslog_portup.logtime,INTERVAL 180 SECOND)
AND syslog_portdown.logtime <= syslog_portup.logtime)
WHERE syslog_portdown.alert_id IS NULL)‍