It looks to me that you want an alert that will raise an alarm if one user makes a large number of edits in a short period of time. (It looks to me like this is an LDAP you are monitoring, but I could be wrong.)

You also said that your monitoring script needs to preserve state, in order to minimise resource usage, which implies some sort of database or persistent data.

My approach would first be to use something like File::Tail to monitor your log file for new log entries, so that every time a new log line is written, your script springs into action, and checks if the user responsible for the latest transaction has made too many other transactions recently. That way you get alerted immediately a user commits their 101st transaction, and you don't waste resource checking for users who hardly ever make any transactions.

Once you have extracted the user ID and type of operation from the log line, you have three ways you can count how many other transactions the user has done recently.

The second two options mean that the script does not have to preserve state, so you can restart it any time you like, or even start it as an event based log processor on your LDAP server.

In my view the third option is best, as it will keep your perl script very simple, and transfer all the heavy lifting to your database server. It does rely on being able to configure your LDAP server to log directly to a database.

Alternatively, considering you are a DBA, and presumably know how to write SQL trigger scripts, you could consider bypassing perl entirely, and doing the whole thing as a Trigger on the logging database. I have no idea if this is easy, or even possible, as I am not a DBA, and can't write SQL beyond fairly basic SELECT and UPDATE calls.


In reply to Re: Help Required by chrestomanci
in thread Help Required by Anonymous Monk
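
The event-driven check described in the post above, as an added example that is not part of the original post: each new log line updates a per-user sliding window and raises an alert on the 101st edit inside it. The log line format, the 600-second window and the `check_line` helper are assumptions; this version keeps its counts in memory, so they are lost on restart.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values: the post implies a limit of 100; the window length is a guess.
my $LIMIT  = 100;
my $WINDOW = 600;    # seconds

my %recent;          # user => [epoch timestamps still inside the window]

# Assumed (constructed) log format: "<epoch> user=<id> op=<MOD|ADD|DEL>"
sub check_line {
    my ($line) = @_;
    my ($ts, $user, $op) = $line =~ /^(\d+)\s+user=(\S+)\s+op=(\w+)/
        or return;                       # not a transaction line
    my $q = $recent{$user} ||= [];
    push @$q, $ts;
    shift @$q while @$q && $q->[0] <= $ts - $WINDOW;   # expire old entries
    return unless @$q > $LIMIT;
    return "ALERT: $user made " . scalar(@$q)
         . " edits in ${WINDOW}s (last op $op)";
}

if (@ARGV) {
    # Live mode: File::Tail blocks in read() until a new line is written.
    require File::Tail;
    my $tail = File::Tail->new(name => $ARGV[0], maxinterval => 5);
    while (defined(my $line = $tail->read)) {
        my $alert = check_line($line);
        print "$alert\n" if $alert;
    }
}
else {
    # Offline demo on constructed input: alice makes 101 edits in 101 seconds,
    # bob makes 3 edits spread over an hour.
    my @sample = map { (1_700_000_000 + $_) . " user=alice op=MOD" } 1 .. 101;
    push @sample,
        map { (1_700_000_000 + 1800 * $_) . " user=bob op=ADD" } 0 .. 2;
    for my $line (@sample) {
        my $alert = check_line($line);
        print "$alert\n" if $alert;
    }
}
```

Run with no arguments it processes the constructed sample and prints one alert for alice; given a log file path it follows that file with File::Tail.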
