Frequent Advisor
Posts: 40
Registered: ‎08-05-2011
Message 1 of 4 (330 Views)

SiS logfile monitor : advanced content match

Hello,

 

With a SiteScope logfile monitor, I would like to receive an alert when there are new errors in /var/log/messages, except if they are related to SSH. In other words, the content match would be something like: "Error message not containing "sshd" and containing "error"".

 

EXAMPLE of an error message for which I don't want to receive an alert:

Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure for root from server.mydomain.com

 

Is there a way to do this?

 

Thanks in advance,

Regards,

  Christophe

 

HP Expert
Posts: 16
Registered: ‎01-24-2013
Message 2 of 4 (329 Views)

Re: SiS logfile monitor : advanced content match

Hi,

 

Try a regexp like /.*Authentication.*from (.*)/ and label "Intruder".

Best Regards, Alexander
SiteScope Core QA Team Engineer
Frequent Advisor
Posts: 40
Registered: ‎08-05-2011
Message 3 of 4 (325 Views)

Re: SiS logfile monitor : advanced content match

Hi Alexander,

 

It will not work for me.

 

I want to receive an alert each time there is a line containing the "error" pattern in /var/log/messages, except if the line also contains "sshd".

 

Regards,

  Christophe

HP Expert
Posts: 16
Registered: ‎01-24-2013
Message 4 of 4 (306 Views)

Re: SiS logfile monitor : advanced content match

/c

The matched pattern may NOT appear anywhere in content that is being searched. This is a "complement" match, returning an error if the pattern IS found, and succeeding if the pattern is NOT found.

 

Maybe this modifier fits?

Best Regards, Alexander
SiteScope Core QA Team Engineer
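
The per-line condition asked for in this thread (contains "error", does not contain "sshd"), as an added example that is not part of any post and is not SiteScope's own code. It is written in Python; whether the monitor's regex engine accepts the lookahead syntax is an assumption, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Literal form of the request: the line contains "error" and does not contain "sshd".
# The negative lookahead is evaluated at line start, so "sshd" anywhere rejects the line.
ERROR_NOT_SSHD = re.compile(r"^(?!.*sshd).*error", re.IGNORECASE)

# Stricter variant: exclude only lines whose syslog program tag is sshd, so an
# error from another process that merely mentions "sshd" still raises an alert.
SSHD_TAG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd(\[\d+\])?:")
ERROR = re.compile(r"error", re.IGNORECASE)


def alerts_literal(lines):
    """Lines matching 'error' with no 'sshd' substring anywhere."""
    return [line for line in lines if ERROR_NOT_SSHD.search(line)]


def alerts_by_tag(lines):
    """Lines matching 'error' that were not logged by the sshd process."""
    return [line for line in lines
            if ERROR.search(line) and not SSHD_TAG.match(line)]


def complement_match(pattern, content):
    """Models /c as quoted in the thread: succeeds only when the pattern
    is absent from the whole content being searched."""
    return re.search(pattern, content) is None


SAMPLE = [
    # From the original post:
    "Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure "
    "for root from server.mydomain.com",
    # Constructed lines:
    "Feb 26 19:22:10 host2 kernel: EXT4-fs error (device sda1): reading directory",
    "Feb 26 19:23:02 host2 crond[1201]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 26 19:24:31 host2 puppet-agent[3310]: error: could not write "
    "/etc/ssh/sshd_config",
]

if __name__ == "__main__":
    print("literal :", alerts_literal(SAMPLE))
    print("by tag  :", alerts_by_tag(SAMPLE))
    print("/c sshd :", complement_match(r"sshd", "\n".join(SAMPLE)))
```

The literal pattern also drops the last sample line because it mentions `sshd_config`; the tag-based variant keeps it. The complement check answers for the whole content at once, so on its own it does not express the per-line combination.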