Only two short remarks from my side.
- The modified rule will only apply the expire value to events created after the rule change.
- Regarding the warning for the limit rule: this means you missed potential events, as the system is forced to delete some. That is also the intended usage of this rule, not to “expire” old events.
Inside the event view you don’t see the events with time to expire.
Inside the event status file (~/var/mkeventd/status) you can see a “live_until” value for events with expire time.
With expire:

```
{
    "facility": 1,
    "priority": 5,
    "text": "Still nothing happened.",
    "host": "myhost089",
    "ipaddress": "1.2.3.4",
    "application": "Foobar-Daemon",
    "pid": 0,
    "time": 1713291498.808372,
    "core_host": None,
    "host_in_downtime": False,
    "rule_id": "ER001",
    "contact_groups": None,
    "contact_groups_notify": False,
    "contact_groups_precedence": "host",
    "match_groups": (),
    "match_groups_syslog_application": (),
    "state": 0,
    "sl": 0,
    "first": 1713291498.808372,
    "last": 1713291498.808372,
    "phase": "open",
    "id": 4,
    "live_until": 1713295099.2209835,
    "live_until_phases": ["open", "ack"],
}
```
Without expire:

```
{
    "facility": 1,
    "priority": 5,
    "text": "Still nothing happened.111111",
    "host": "myhost1",
    "ipaddress": "1.2.3.5",
    "application": "Foobar-Daemon1234",
    "pid": 0,
    "time": 1713291866.260612,
    "core_host": None,
    "host_in_downtime": False,
    "rule_id": "ER001",
    "contact_groups": None,
    "contact_groups_notify": False,
    "contact_groups_precedence": "host",
    "match_groups": (),
    "match_groups_syslog_application": (),
    "state": 0,
    "sl": 0,
    "first": 1713291866.260612,
    "last": 1713291866.260612,
    "phase": "open",
    "id": 5,
}
```
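Added example, not part of the original post and not Checkmk code: a sketch that reads event records in the Python-literal form shown above and reports which ones carry a `live_until` value and how long they have left. It assumes the records have already been extracted into a list (the overall layout of the status file is not shown in the post), and that expiry only applies while the event's `phase` is listed in `live_until_phases`; `parse_events` and `expiry_report` are hypothetical helper names.

```python
import ast

# Constructed sample: two abbreviated records modelled on the ones in the post.
SAMPLE_EVENTS = """[
  {"id": 4, "host": "myhost089", "rule_id": "ER001", "phase": "open",
   "first": 1713291498.808372, "live_until": 1713295099.2209835,
   "live_until_phases": ["open", "ack"], "core_host": None, "match_groups": ()},
  {"id": 5, "host": "myhost1", "rule_id": "ER001", "phase": "open",
   "first": 1713291866.260612, "core_host": None, "match_groups": ()},
]"""


def parse_events(text):
    """Parse a list of event records written as Python literals.

    The records use None, False and () so json.loads() rejects them;
    ast.literal_eval() accepts literals only and never executes code.
    """
    events = ast.literal_eval(text)
    if not isinstance(events, list) or not all(isinstance(e, dict) for e in events):
        raise ValueError("expected a list of event dicts")
    return events


def expiry_report(events, now):
    """Return (event id, status, seconds remaining) for each event.

    status is "no-expire" when live_until is absent, "phase-excluded" when
    the current phase is not in live_until_phases (assumed semantics),
    "overdue" when live_until has passed, otherwise "pending".
    """
    report = []
    for ev in events:
        live_until = ev.get("live_until")
        if live_until is None:
            report.append((ev["id"], "no-expire", None))
            continue
        if ev.get("phase") not in ev.get("live_until_phases", []):
            status = "phase-excluded"
        elif live_until <= now:
            status = "overdue"
        else:
            status = "pending"
        report.append((ev["id"], status, round(live_until - now, 3)))
    return report


if __name__ == "__main__":
    for row in expiry_report(parse_events(SAMPLE_EVENTS), now=1713292000.0):
        print(row)
```
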