ignore certain things in a log file
list Kevin Kelly
Could somebody tell me why this won't work?
HOST=testserver
LOG %/var/adm/messages kern "IGNORE=%(corrupt label|wrong magic number)"
Trying to ignore all lines in the messages file that contain those key
words.
Thanks
Kevin
list Steve Holmes
I'm not sure why you have the parens in the pattern, but you might try taking them out. Also, if that doesn't work, try dropping the quotes and replacing each space with \s.
Steve
list Matthew Moldvan
I think (someone correct me if I'm wrong) you might need the line to match to first, then what you'd like to ignore afterward. Our ignore rules, which I believe work (notice the double quotes, the ?i is case insensitive):
LOG /var/adm/messages \
%(?i)ERROR \
"IGNORE=%(?i)(nres_gethostbyaddr|simple bind failed - Invalid credentials|please upgrade FCSM|WARNING|NOTICE|fctl|FCSM|SRS Proxy|xrx8825tlh2|ImportAcsError|AcsError|File \{.*\}, error 2|No such file or directory|ViewMgr|Bad file format|Exec call for FormTek|cache_trif_image|UserQry|DESKTOP_EDMOSRV.STARTUP|Error Level: Informational|sshd.*Authentication failed for|DESKTOP_EDMOSRV.STARTUP.*local0.error|httpd.*(modsecurity|password))"
Spaces are okay. For any rules you'd like to test, you can use the pcretool command (available on my CentOS box, maybe not in your environment). Syntax is as follows:
-bash-3.2$ pcretest
PCRE version 6.6 06-Feb-2006
re> /(corrupt label|wrong magic number)/
data> corrupt
No match
data> corrupt label
0: corrupt label
1: corrupt label
data> wrong magic number
0: wrong magic number
1: wrong magic number
Or for a case insensitive match:
-bash-3.2$ pcretest
PCRE version 6.6 06-Feb-2006
re> /(?i)(corrupt label|wrong magic number)/
data> Corrupt label
0: Corrupt label
1: Corrupt label
data> corrupt label
0: corrupt label
1: corrupt label
data> asdf
No match
data> WRONG MAGIC NUMBER
0: WRONG MAGIC NUMBER
1: WRONG MAGIC NUMBER
data> wrong magic number
0: wrong magic number
1: wrong magic number
Good luck, hope that helps,
Matt.
Unix System Administrator
Computer Science Corporation
General Dynamics Land Systems
list Kevin Kelly
Having no luck in ignoring the following messages from /var/adm/messages:
Aug 27 10:43:35 testserver Corrupt label; wrong magic number
Aug 27 10:43:36 testserver scsi: [ID 107833 kern.warning] WARNING: /pci at 7c0/pci at 0/pci at 9/SUNW,qlc at 0/fp at 0,0/ssd at w50060e8 005723700,0 (ssd3):
Aug 27 10:43:36 testserver Corrupt label; wrong magic number
Aug 27 10:43:36 testserver scsi: [ID 107833 kern.warning] WARNING: /pci at 7c0/pci at 0/pci at 9/SUNW,qlc at 0/fp at 0,0/ssd at w50060e8 005723700,0 (ssd3):
Aug 27 10:43:36 testserver Corrupt label; wrong magic number
Aug 27 10:43:36 testserver scsi: [ID 107833 kern.warning] WARNING: /pci at 7c0/pci at 0/pci at 8/SUNW,qlc at 0/fp at 0,0/ssd at w50060e8 005723710,1 (ssd0):
Aug 27 10:43:36 testserver Corrupt label; wrong magic number
Aug 27 10:43:36 testserver scsi: [ID 107833 kern.warning] WARNING: /pci at 7c0/pci at 0/pci at 8/SUNW,qlc at 0/fp at 0,0/ssd at w50060e8 005723710,1 (ssd0):
I have tried the following:
LOG %/var/adm/messages kern "IGNORE=%(corrupt label|wrong magic number)"
LOG %/var/adm/messages %kern IGNORE=%(ID 107833|corrupt label|wrong magic number)
LOG %/var/adm/messages %kern IGNORE=%ID 107833|corrupt label|wrong magic number
LOG %/var/adm/messages IGNORE=%(ID 107833|corrupt label|wrong magic number)
Any suggestions?
list Craig Cook
Try something like this:
LOG %/var/adm/messages kern IGNORE=%corrupt[[:space:]]label|wrong[[:space:]]magic[[:space:]]number
Or
LOG %/var/adm/messages %kern IGNORE=%corrupt[[:space:]]label|wrong[[:space:]]magic[[:space:]]number
OR
LOG %/var/adm/messages %kern COLOR=red IGNORE=%corrupt[[:space:]]label|wrong[[:space:]]magic[[:space:]]number
Craig
list Padraig Lennon
You should not have the percentage % before the log file name and don't use brackets...
LOG %/var/adm/messages IGNORE=%(ID 107833|corrupt label|wrong magic number)
should read
LOG /var/adm/messages IGNORE=%ID 107833|corrupt label|wrong magic number
Padraig Lennon Senior Systems Integration Engineer
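An added example, not written by any poster in this thread and not Xymon's own code: a small Python model of the match-first-then-ignore behaviour described above, run over lines like those posted from /var/adm/messages, to show which lines a given pattern pair would still alert on. Python's `re` stands in for PCRE here; the rule model, the `classify` name and the third sample line are assumptions.

```python
import re

# Sample lines: the first two follow the /var/adm/messages excerpt in the
# thread (device path shortened); the third is constructed for contrast.
SAMPLE = [
    "Aug 27 10:43:35 testserver Corrupt label; wrong magic number",
    "Aug 27 10:43:36 testserver scsi: [ID 107833 kern.warning] WARNING: /pci.../ssd... (ssd3):",
    "Aug 27 10:50:00 testserver ufs: [ID 000000 kern.notice] constructed unrelated line",
]


def classify(lines, match, ignore=None):
    """Assumed rule model (hypothetical helper): a line is 'unselected' if it
    does not match `match`, 'ignored' if it matches both `match` and
    `ignore`, and 'alert' if it matches `match` only."""
    match_re = re.compile(match)
    ignore_re = re.compile(ignore) if ignore else None
    result = []
    for line in lines:
        if not match_re.search(line):
            result.append("unselected")   # never picked up by the LOG pattern
        elif ignore_re and ignore_re.search(line):
            result.append("ignored")      # picked up, then suppressed
        else:
            result.append("alert")        # picked up and reported
    return result


if __name__ == "__main__":
    rules = [
        ("kern", "(corrupt label|wrong magic number)"),
        ("kern", "ID 107833|corrupt label|wrong magic number"),
        ("(?i)(kern|corrupt label)", "(?i)(ID 107833|corrupt label)"),
    ]
    for match, ignore in rules:
        print(f"match={match!r} ignore={ignore!r}")
        for status, line in zip(classify(SAMPLE, match, ignore), SAMPLE):
            print(f"  {status:10s} {line}")
```

Under this model the scsi WARNING line is the one selected by `kern`, and it contains neither "corrupt label" nor "wrong magic number", so only an ignore pattern that also covers it (for example via `ID 107833`) suppresses it. Running any new ignore pattern over a sample like this also shows what else it would hide before it goes into production.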