LOG Pattern IGNORE syntax

5 messages in this thread

list Asif Iqbal · Fri, 1 Jun 2007 17:33:56 -0400 ·

Is this a valid syntax?

LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
IGNORE=%SUNWsrspx|srsxfer

I want no alert for lines, in `/var/adm/messages',  that has either or both
of these two words

SUNWsrspx
srsxfer

Thanks

-- 

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

list Giovanni - Gestor Redix · Sun, 03 Jun 2007 16:59:22 -0300 ·

Everything ok with your syntax, i just would try removing the double-quotes...

BTW, If you need to ignore a phrase that uses spaces, use \s to separate, like the following syntax:
LOG blablabla %blablabla IGNORE=%one\stwo\swords

Another example: IGNORE=%one\stwo|other\sword|word

Cheers

▸ quoted from Asif Iqbal


Asif Iqbal wrote:

Is this a valid syntax?

LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR" IGNORE=%SUNWsrspx|srsxfer

I want no alert for lines, in `/var/adm/messages',  that has either or both of these two words

SUNWsrspx
srsxfer

Thanks

-- 

Asif Iqbal


PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>;

list Asif Iqbal · Fri, 13 Jul 2007 11:50:51 -0400 ·

OK here is another PCRE issue with IGNORE pattern

I have this on ~hobbit/server/etc/hobbit-clients.cfg

HOST=host.domain.net
LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
IGNORE=%Power.*Supply.*0.*NOT.*okay

But I still get alert as following

&red Critical entries in <a href="/hobbit-cgi/bb-hostsvc.sh?CLIENT=
host.domain.net&amp;SECTION=msgs:/var/adm/messages">/var/adm/messages</a>
&red Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning] WARNING:
Power Supply 0 NOT okay

I did a pcretest and it did match so why is hobbit still alerting?

(hobbit)@hobbit:~/server/etc$ pcretest
PCRE version 4.5 01-December-2003

  re> "Power.*Supply.*0.*NOT.*okay"
data> Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning] WARNING:
Power Supply 0 NOT okay
 0: Power Supply 0 NOT okay

▸ quoted from Giovanni - Gestor Redix



On 6/3/07, Giovanni - Gestor Redix <user-e1d5cb184a81@xymon.invalid> wrote:

 Everything ok with your syntax, i just would try removing the
double-quotes...

BTW, If you need to ignore a phrase that uses spaces, use \s to separate,
like the following syntax:
LOG blablabla %blablabla IGNORE=%one\stwo\swords

Another example: IGNORE=%one\stwo|other\sword|word

Cheers

Asif Iqbal wrote:

Is this a valid syntax?

LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
IGNORE=%SUNWsrspx|srsxfer

I want no alert for lines, in `/var/adm/messages',  that has either or
both of these two words

SUNWsrspx
srsxfer

Thanks

--

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

list Asif Iqbal · Tue, 17 Jul 2007 23:59:33 -0400 ·

▸ quoted from Asif Iqbal

On 7/13/07, Asif Iqbal <user-6f4b51ac2a40@xymon.invalid> wrote:

OK here is another PCRE issue with IGNORE pattern

I have this on ~hobbit/server/etc/hobbit-clients.cfg

HOST=host.domain.net
LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
IGNORE=%Power.*Supply.*0.*NOT.*okay


Is it suppose to be a bug in hobbit?

▸ quoted from Asif Iqbal



But I still get alert as following

&red Critical entries in <a href="/hobbit-cgi/bb-hostsvc.sh?CLIENT=
host.domain.net&amp;SECTION=msgs:/var/adm/messages">/var/adm/messages</a>
&red Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning] WARNING:
Power Supply 0 NOT okay

I did a pcretest and it did match so why is hobbit still alerting?

(hobbit)@hobbit:~/server/etc$ pcretest
PCRE version 4.5 01-December-2003

  re> "Power.*Supply.*0.*NOT.*okay"
data> Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning] WARNING:
Power Supply 0 NOT okay
 0: Power Supply 0 NOT okay


On 6/3/07, Giovanni - Gestor Redix <user-e1d5cb184a81@xymon.invalid<https://mail.google.com/mail?view=cm&tf=0&to=user-e1d5cb184a81@xymon.invalid>>; wrote:

 Everything ok with your syntax, i just would try removing the
double-quotes...

BTW, If you need to ignore a phrase that uses spaces, use \s to
separate, like the following syntax:
LOG blablabla %blablabla IGNORE=%one\stwo\swords

Another example: IGNORE=%one\stwo|other\sword|word

Cheers

Asif Iqbal wrote:

Is this a valid syntax?

LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
IGNORE=%SUNWsrspx|srsxfer

I want no alert for lines, in `/var/adm/messages',  that has either or
both of these two words

SUNWsrspx
srsxfer

Thanks

--

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

list Dominique Frise · Wed, 18 Jul 2007 07:33:44 +0200 ·

▸ quoted from Asif Iqbal

Asif Iqbal wrote:

On 7/13/07, *Asif Iqbal* <user-6f4b51ac2a40@xymon.invalid <mailto:user-6f4b51ac2a40@xymon.invalid>> wrote:

    OK here is another PCRE issue with IGNORE pattern

    I have this on ~hobbit/server/etc/hobbit-clients.cfg


    HOST= host.domain.net <http://host.domain.net>;

▸ quoted from Asif Iqbal

    LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
    IGNORE=%Power.*Supply.*0.*NOT.*okay 


Is it suppose to be a bug in hobbit?


    But I still get alert as following

    &red Critical entries in <a


    href="/hobbit-cgi/bb-hostsvc.sh?CLIENT=host.domain.net&amp;SECTION=msgs:/var/adm/messages">/var/adm/messages</a>

▸ quoted from Asif Iqbal

    &red Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning]
    WARNING: Power Supply 0 NOT okay

    I did a pcretest and it did match so why is hobbit still alerting?

    (hobbit)@hobbit:~/server/etc$ pcretest
    PCRE version 4.5 01-December-2003

      re> "Power.*Supply.*0.*NOT.*okay"
    data> Jul 13 15:04:34 host envctrltwo: [ID 771032 kern.warning]
    WARNING: Power Supply 0 NOT okay
     0: Power Supply 0 NOT okay


    On 6/3/07, *Giovanni - Gestor Redix* < user-e1d5cb184a81@xymon.invalid


    <https://mail.google.com/mail?view=cm&tf=0&to=user-e1d5cb184a81@xymon.invalid>;

▸ quoted from Asif Iqbal

wrote:

        Everything ok with your syntax, i just would try removing the
        double-quotes...

        BTW, If you need to ignore a phrase that uses spaces, use \s to
        separate, like the following syntax:
        LOG blablabla %blablabla IGNORE=%one\stwo\swords

        Another example: IGNORE=%one\stwo|other\sword|word

        Cheers


        Asif Iqbal wrote:

        Is this a valid syntax?

        LOG /var/adm/messages "%(?-i)WARNING|(?-i)NOTICE|(?-i)ERROR"
        IGNORE=%SUNWsrspx|srsxfer

        I want no alert for lines, in `/var/adm/messages',  that has
        either or both of these two words

        SUNWsrspx
        srsxfer

        Thanks

        -- 
        Asif Iqbal
        PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>;

    --     Asif Iqbal
    PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>;


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>;

%(?-i) tells Hobbit to turn case-sensitive pattern matching on.
This should be used once per rule.
I would write your rules like this:

      HOST=host.domain.net
      LOG /var/adm/messages %(?-i)WARNING|NOTICE|ERROR
      IGNORE=%(?-i)Power\sSupply\s0\sNOT\sokay

      LOG /var/adm/messages %(?-i)WARNING|NOTICE|ERROR
      IGNORE=%(?-i)SUNWsrspx|srsxfer


Dominique

LOG Pattern IGNORE syntax 🔗 link

LOG Pattern IGNORE syntax