Advisor
CLEFEBVRE
Posts: 33
Registered: ‎08-05-2011
Message 1 of 4 (198 Views)

SiS logfile monitor : advanced content match

Hello,

 

With a SiteScope logfile monitor, I would like to receive an alert when there are new errors in /var/log/messages, except if it's related to SSH. In other words, the content match would be something like: "Error message not containing "sshd" and containing "error"".

 

EXAMPLE of an error message for which I don't want to receive an alert:

Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure for root from server.mydomain.com

 

Is there a way to do this?

 

Thanks in advance,

Regards,

  Christophe

 

HP Expert
A_Krizhanovsky
Posts: 16
Registered: ‎01-24-2013
Message 2 of 4 (197 Views)

Re: SiS logfile monitor : advanced content match

Hi,

 

Try a regexp like /.*Authentication.*from (.*)/ and label "Intruder".

Best Regards, Alexander
SiteScope Core QA Team Engineer
Advisor
CLEFEBVRE
Posts: 33
Registered: ‎08-05-2011
Message 3 of 4 (193 Views)

Re: SiS logfile monitor : advanced content match

Hi Alexander,

 

It will not work for me.

 

I want to receive an alert each time there is a line containing the "error" pattern in /var/log/messages, except if the line also contains "sshd".

 

Regards,

  Christophe

HP Expert
A_Krizhanovsky
Posts: 16
Registered: ‎01-24-2013
Message 4 of 4 (174 Views)

Re: SiS logfile monitor : advanced content match

/c

The matched pattern may NOT appear anywhere in content that is being searched. This is a "complement" match, returning an error if the pattern IS found, and succeeding if the pattern is NOT found.

 

Maybe this modifier fits?

Best Regards, Alexander
SiteScope Core QA Team Engineer
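
The requirement from the thread ("error" on the line, but not from sshd), as an added example that is not part of the original posts and not SiteScope code. It compares a per-line negative-lookahead pattern, a filter on the parsed syslog program tag, and a whole-content complement modelled on the /c description quoted above. The function names and all sample lines except the first are constructed, and whether SiteScope's regex engine accepts lookahead is an assumption to verify.

```python
import re

# Constructed sample of /var/log/messages; only the first line is from the thread.
SAMPLE = """\
Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure for root from server.mydomain.com
Feb 26 19:22:01 host2 kernel: EXT4-fs error (device sda1): ext4_find_entry: reading directory
Feb 26 19:22:30 host2 crond[812]: (root) CMD (run-parts /etc/cron.hourly)
Feb 26 19:23:05 host2 smartd[640]: Device: /dev/sda, 1 Currently unreadable (pending) sectors
Feb 26 19:23:40 host2 audit[1]: error: could not restart sshd.service
"""

# Negative lookahead: line contains "error" and "sshd" appears nowhere on it.
ERROR_NOT_SSHD = re.compile(r"^(?!.*sshd).*error", re.IGNORECASE)

# Syslog layout: timestamp, host, program tag with optional [pid], message.
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\s([^\s:\[]+)(?:\[\d+\])?:\s(.*)$")


def alerts_by_substring(text):
    """Per-line match: 'error' present, 'sshd' absent anywhere on the line."""
    return [line for line in text.splitlines() if ERROR_NOT_SSHD.search(line)]


def alerts_by_program(text, ignored=("sshd",)):
    """Per-line match on the program tag, so a message that only mentions
    sshd but was logged by another program still raises an alert."""
    hits = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m and m.group(1) not in ignored and re.search("error", m.group(2), re.I):
            hits.append(line)
    return hits


def complement_match(text, pattern="sshd"):
    """Whole-content complement, as the /c description reads: succeeds only
    if the pattern appears nowhere in the content being searched."""
    return re.search(pattern, text) is None


if __name__ == "__main__":
    print("substring filter:", alerts_by_substring(SAMPLE))
    print("program-tag filter:", alerts_by_program(SAMPLE))
    print("complement on whole content succeeds:", complement_match(SAMPLE))
```

The constructed audit line shows the difference between the two per-line filters: substring exclusion drops it because the message mentions sshd, while the program-tag filter keeps it.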