msgs - Multiple ignore patterns
list Giovanni - Gestor Redix
Hi everyone,
I've applied the all-in-one patch but I still couldn't get multiple patterns to work in IGNORE parameter... Here is my configuration:
LOG /var/log/syslog "%password|error|fail|changed|tcpd|Accepted" COLOR=red IGNORE=%plugin create statement from userPassword|plugin doing query SELECT
LOG /var/log/auth.log "%password|error|fail|changed|tcpd|Accepted|jovial|tenebroso" COLOR=red IGNORE=%plugin create statement from userPassword|plugin doing query SELECT
Why this regex don't work ? Any idea ?
Thank you all the attention...
Cheers
--
Giovanni M. Frainer
list Sean Hennessey
I'd hazard a guess that what your regex is saying is Plugin create statement from [userPassword or plugin] doing query. Try putting () around the statements. (Plugin create statement from userPassword)|(plugin doing query). Not sure if you need to escape the ()'s or not.
Sean
-----Original Message-----
From: Giovanni - Gestor Redix [mailto:user-e1d5cb184a81@xymon.invalid]
Sent: Friday, May 18, 2007 1:35 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] msgs - Multiple ignore patterns
Hi everyone,
I've applied the all-in-one patch but I still couldn't get multiple patterns to work in IGNORE parameter... Here is my configuration:
LOG /var/log/syslog "%password|error|fail|changed|tcpd|Accepted" COLOR=red IGNORE=%plugin create statement from userPassword|plugin doing query SELECT
LOG /var/log/auth.log "%password|error|fail|changed|tcpd|Accepted|jovial|tenebroso" COLOR=red IGNORE=%plugin create statement from userPassword|plugin doing query SELECT
Why this regex don't work ? Any idea ?
Thank you all the attention...
Cheers
--
Giovanni M. Frainer
list Giovanni - Gestor Redix
Didn't worked... :-( This syntax work for you ? Thank you!
list Sean Hennessey
Looking at your original regex in pcretest, it should have worked.
PCRE version 4.5 01-December-2003
re> /plugin create statement from userPassword|plugin doing query/
data> plugin create statement from userPassword
0: plugin create statement from userPassword
data> pluging create statement from plugin
No match
data> plugin doing query
0: plugin doing query
Did you wrap your regexp in "" in the file. They don't appear in your snippet below. I'm not sure if that is required or not.
-----Original Message-----
From: Giovanni - Gestor Redix [mailto:user-e1d5cb184a81@xymon.invalid]
Sent: Friday, May 18, 2007 4:06 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] msgs - Multiple ignore patterns
Didn't worked... :-(
This syntax work for you ?
Thank you!
list Steve Holmes
I have been having similar problem. RE which pcretest says will work don't. I've tried with and without quotes, etc.
I believe that the RE processing within hobbit is buggy. I haven't had time to track down where that is handled in the code, but would like to look at it if I can find it (hint, if you know where to look let me know). I'm assuming that hobbit is munging the RE before handing it off to PCRE. If not why would pcretest pass the RE and then it not work within hobbit.
Steve Holmes
--
Lots of people think they're charitable if they give away their old clothes
and things they don't want. It isn't charity to give away things you want
to get rid of and it isn't a sacrifice to do things you don't mind doing.
-Myrtle Reed, author (1874-1911)
list Charles Jones
I had similar RE issues with hobbit-alerts.cfg. I reported it several times but never got any response.
-Charles
list Giovanni - Gestor Redix
Hi Charles! How do you work with this limitation ? Any workaround ? Cheers
list Craig Cook
While we are asking questions about the pcre handling... Has anyone managed to use a rule with spaces? ie.
LOG /var/log/syslog "%disk full" COLOR=red
I have tried using quotes, escaping quotes, escaping spaces, etc. Nothing has worked. Reduced to individual words to get something working.
Craig Cook
--
Systems Monitoring Consulting and Support Services
http://www.cookitservices.com
list Dominique Frise
Spaces should work but we use \s to represent spaces. Example:
LOG /var/adm/messages.da %(?-i)Fail|fail|On\sbattery|AC\sline\sfault|Replace\sbattery|Battery\snot COLOR=yellow
The (?-i) tells pcre to turn case-sensitive pattern matching on.
Dominique
UNIL - University of Lausanne
list Steve Holmes
Thanks, Craig. I'm going to try this trick. But even single words aren't working reliably for me.
Steve Holmes
On 5/24/07, Dominique Frise <user-78ab6673b600@xymon.invalid> wrote:
Spaces should work but we use \s to represent spaces. Example:
LOG /var/adm/messages.da %(?-i)Fail|fail|On\sbattery|AC\sline\sfault|Replace\sbattery|Battery\snot COLOR=yellow
The (?-i) tells pcre to turn case-sensitive pattern matching on.
list Giovanni - Gestor Redix
Thank you!!! Now multiple ignore patterns works correctly!
LOG /var/log/syslog %password|error|fail|changed|tcpd|Accepted COLOR=red IGNORE=%plugin\screate\sstatement\sfrom\suserPassword|plugin\sdoing\squery\sELECTTTT
LOG /var/log/auth.log %password|error|fail|changed|tcpd|Accepted COLOR=red IGNORE=%plugin\screate\sstateeement\sfrom\suserPassword|plugin\sdoing\squery\sSELECT
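An added example, not part of the thread and not Hobbit's own code: a small offline check that an IGNORE pattern hides only the intended noise, that the `\s` rewrite suggested above is equivalent to the literal-space pattern from the first post, and that `|` splits the whole pattern as the pcretest session showed. It uses Python's `re` rather than PCRE; the function names, the sample log lines and the rule model (a line alerts when it matches the LOG pattern and not the IGNORE pattern, case-insensitively) are assumptions made for illustration.

```python
import re

# Constructed sample log lines; they are not from the posters' real logs.
SAMPLE_LINES = [
    "slapd[812]: plugin create statement from userPassword",
    "slapd[812]: plugin doing query SELECT userPassword FROM users",
    "sshd[1021]: Accepted password for alice from 192.0.2.10",
    "sshd[1022]: error: PAM: authentication fail for bob",
    "cron[77]: job finished",
]

# Patterns from the first post, without the leading '%'.
MATCH = "password|error|fail|changed|tcpd|Accepted"
IGNORE_WITH_SPACES = "plugin create statement from userPassword|plugin doing query SELECT"


def escape_spaces(pattern):
    """Rewrite literal spaces as \\s so the pattern contains no whitespace.

    Note that \\s also matches tabs and other whitespace, so it is slightly
    broader than a literal space.
    """
    return pattern.replace(" ", r"\s")


def split_by_rule(match, ignore, lines):
    """Return (alerting, suppressed) lines for one LOG rule (assumed model)."""
    match_re = re.compile(match, re.IGNORECASE)
    ignore_re = re.compile(ignore, re.IGNORECASE)
    hits = [ln for ln in lines if match_re.search(ln)]
    alerting = [ln for ln in hits if not ignore_re.search(ln)]
    suppressed = [ln for ln in hits if ignore_re.search(ln)]
    return alerting, suppressed


def pcretest_like(pattern, data_lines):
    """Mimic the pcretest session: matched text per data line, or None."""
    rx = re.compile(pattern)
    results = []
    for data in data_lines:
        m = rx.search(data)
        results.append(m.group(0) if m else None)
    return results


if __name__ == "__main__":
    ignore = escape_spaces(IGNORE_WITH_SPACES)
    alerting, suppressed = split_by_rule(MATCH, ignore, SAMPLE_LINES)
    print("IGNORE=%" + ignore)
    print("alerting:  ", alerting)
    print("suppressed:", suppressed)
```

Reviewing the suppressed list before deploying a rule shows whether an IGNORE pattern is hiding lines that should have raised an alert.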