Re: SiS logfile monitor : advanced content match (246 Views)
Advisor
CLEFEBVRE
Posts: 33
Registered: ‎08-05-2011
Message 1 of 4 (270 Views)

SiS logfile monitor : advanced content match

Hello,

With a SiteScope logfile monitor, I would like to receive an alert when there are new errors in /var/log/messages, except if it's related to SSH. In other words, the content match would be something like: "Error message not containing "sshd" and containing "error"".

EXAMPLE of an error message for which I don't want to receive an alert:

Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure for root from server.mydomain.com

Is there a way to do this?

Thanks in advance,

Regards,

  Christophe

HP Expert
A_Krizhanovsky
Posts: 16
Registered: ‎01-24-2013
Message 2 of 4 (269 Views)

Re: SiS logfile monitor : advanced content match

Hi,

Try a regexp like /.*Authentication.*from (.*)/ and label "Intruder"

Best Regards, Alexander
SiteScope Core QA Team Engineer
Advisor
CLEFEBVRE
Posts: 33
Registered: ‎08-05-2011
Message 3 of 4 (265 Views)

Re: SiS logfile monitor : advanced content match

Hi Alexander,

It will not work for me.

I want to receive an alert each time there is a line containing the "error" pattern in /var/log/messages, except if the line also contains "sshd".

Regards,

  Christophe

HP Expert
A_Krizhanovsky
Posts: 16
Registered: ‎01-24-2013
Message 4 of 4 (246 Views)

Re: SiS logfile monitor : advanced content match

/c

The matched pattern may NOT appear anywhere in content that is being searched. This is a "complement" match, returning an error if the pattern IS found, and succeeding if the pattern is NOT found.

Maybe this modifier fits?

Best Regards, Alexander
SiteScope Core QA Team Engineer
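
The rule asked for in the thread ("error" on a line, unless the same line also contains "sshd"), as an added example that is not part of the original posts and is not SiteScope code. It compares a per-line negative lookahead with a complement evaluated over the whole searched content, as the quoted /c description reads. The sample lines other than the sshd one are constructed, all function names are hypothetical, and whether the monitor's regex engine accepts the `(?!...)` syntax is an assumption to verify in the product.

```python
import re

# Constructed sample of /var/log/messages content. Only the sshd line is the
# one quoted in the first post; the other lines are made up for illustration.
SAMPLE = """\
Feb 26 19:21:44 host2 sshd[23413]: error: PAM: Authentication failure for root from server.mydomain.com
Feb 26 19:22:10 host2 kernel: EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0
Feb 26 19:23:02 host2 crond[1201]: (root) CMD (run-parts /etc/cron.hourly)
Feb 26 19:24:30 host2 multipathd: sdb: error getting device state
"""

# Per-line rule: "error" anywhere on the line, but only when "sshd" is nowhere
# on that line. The negative lookahead sits at the start of the line, so its
# ".*sshd" scans the whole line before "error" is searched for.
ERROR_NOT_SSHD = re.compile(r"^(?!.*sshd).*error", re.IGNORECASE)


def alert_lines(log_text):
    """Return the lines that should raise an alert under the per-line rule."""
    return [ln for ln in log_text.splitlines() if ERROR_NOT_SSHD.search(ln)]


def two_pass(log_text):
    """Same rule without lookahead: keep "error" lines, then drop sshd lines."""
    hits = [ln for ln in log_text.splitlines() if "error" in ln.lower()]
    return [ln for ln in hits if "sshd" not in ln.lower()]


def complement_over_content(log_text, pattern=r"sshd"):
    """Model of a complement match as described in the quoted text: it succeeds
    only when the pattern appears nowhere in the searched content as a whole."""
    return re.search(pattern, log_text) is None


if __name__ == "__main__":
    for line in alert_lines(SAMPLE):
        print("ALERT:", line)
    # One sshd line anywhere in the content is enough to flip the complement,
    # regardless of what the other lines contain.
    print("complement on 'sshd' over whole content:", complement_over_content(SAMPLE))
```

The two per-line variants agree on the sample, while the whole-content complement changes state as soon as any sshd line is present, so it does not by itself express a per-line exclusion.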