I use a nasty Perl script to do my pattern matching. I anchor my patterns to ignore at both the beginning and end of the line. All unmatched lines get brought to my attention. I won't bother to publish my script as it's really a custom job and quite simple. It is just a while loop that blanks lines that are matched, then prints any that still have content. I have hundreds of patterns that it matches and throws out.

Brian Hatch wrote:

> I'm curious about how many folks do their log analysis
> against full pattern matches. For example, I have the
> following swatch rules to eliminate some standard ignorable
> events in syslogd output:
>
> ignore = /^.{15} hostname -- MARK --$/
> ignore = /^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key.$/
> ignore = /^.{15} hostname sshd\[\d+\]: RSA key generation complete.$/
> ....
>
> The '^' anchors the pattern at the beginning of the line, the '.{15}'
> catches the date, I explicitly match hostname (since this box doesn't
> accept remote syslog events, any that appeared here should set off
> big warning flags) and then match the remainder as fully as possible.

--
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
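The "blank every line an ignore pattern matches, report whatever is left" loop discussed in this thread, as an added example that is neither Bryan's Perl script nor Brian's swatch configuration. It uses the three swatch rules quoted above (with the unescaped dots in "key." and "complete." escaped, so they match a literal period) and runs them over a handful of constructed syslog lines, then runs the same rules written loosely (no anchors, hostname not pinned) to show which suspicious lines the loose versions silently discard. The hostnames, PIDs, addresses and timestamps are made up for the example.

```python
import re

# Constructed sample syslog lines (not from the original post). The first 15
# characters are the syslog timestamp, then the hostname, then the message.
SAMPLE_LOG = [
    "Aug 14 14:45:31 hostname -- MARK --",
    "Aug 14 14:46:02 hostname sshd[1234]: Generating new 768 bit RSA key.",
    "Aug 14 14:47:40 hostname sshd[1234]: RSA key generation complete.",
    # A MARK from another host: this box accepts no remote syslog, so it
    # must surface rather than be swallowed by a MARK rule.
    "Aug 14 14:48:10 otherhost -- MARK --",
    "Aug 14 14:49:05 hostname sshd[1235]: Accepted password for root from 10.0.0.5 port 4242 ssh2",
    # Trailing text after an otherwise-ignorable message: the '$' anchor is
    # what keeps this one visible.
    "Aug 14 14:50:00 hostname sshd[1236]: Generating new 768 bit RSA key. from 10.0.0.5",
]

# The swatch ignore rules quoted in the thread, anchored at both ends.
ANCHORED_IGNORE = [
    r"^.{15} hostname -- MARK --$",
    r"^.{15} hostname sshd\[\d+\]: Generating new 768 bit RSA key\.$",
    r"^.{15} hostname sshd\[\d+\]: RSA key generation complete\.$",
]

# The same rules written loosely (substring matches, hostname not pinned),
# included only to show what the anchors buy you.
LOOSE_IGNORE = [
    r"-- MARK --",
    r"sshd\[\d+\]: Generating new 768 bit RSA key",
    r"sshd\[\d+\]: RSA key generation complete",
]


def unmatched_lines(lines, ignore_patterns):
    """Return the lines that no ignore pattern matches.

    This is the 'blank the matched lines, print whatever still has content'
    loop: each line is tested against every pattern with re.search, so the
    pattern's own ^ and $ anchors decide how much of the line it must cover.
    A line survives only if every pattern fails to match it.
    """
    compiled = [re.compile(p) for p in ignore_patterns]
    survivors = []
    for line in lines:
        line = line.rstrip("\n")
        if not any(rx.search(line) for rx in compiled):
            survivors.append(line)
    return survivors


if __name__ == "__main__":
    print("Anchored rules, lines needing attention:")
    for line in unmatched_lines(SAMPLE_LOG, ANCHORED_IGNORE):
        print("  " + line)
    print("Loose rules, lines needing attention:")
    for line in unmatched_lines(SAMPLE_LOG, LOOSE_IGNORE):
        print("  " + line)
```

With the anchored rules, three lines surface: the MARK from the wrong host, the root login, and the RSA-key message with trailing text. With the loose rules only the root login survives; the foreign MARK and the padded key message are thrown away without anyone seeing them, which is exactly the failure the full-line anchoring is meant to prevent.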
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 14:45:31 PDT