[logs] logsurfer inclusion

From: Ian McNish (ian@private)
Date: Fri Dec 19 2003 - 18:38:14 PST

    i'm trying to catch exceptions from a tomcat log but having troubles 
    matching what i'm after. the first line can always be matched with 
    '^(.*) - \[(.*)\]: (#####.*)', but unfortunately the first and last 
    line look the same. that being said, the first and last line are not 
    actually the part i care about. the middle lines, which i want, are a 
    mixture of lines of widely varying formats, some start with a time stamp 
    others with white space. e.g.:
    
    12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: ###################################
    12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: Member: abcdefghi
    12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: Original request: https://localhost/list
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: Request Parameters:
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: key/abc
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: rotate/left
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: from/profile
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: Cookies:
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: JSESSIONID|null|CBBD2D96BF24
    12/18/03 10:26:53 AM PST - [org.xeril.wafwk.gui.core.CoreRequest]: session.rememberme|null|null
    12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: uncaught exception (recovered to home page)
    com.pronet.bob.bl.core.api.UnauthorizedActionException: not in network
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
             at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
             at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
             at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
             at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)
             at java.lang.Thread.run(Thread.java:536)
    
    12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: ###################################
    
    i have tried a number of things but keep only matching the first or last 
    line, not the stuff in between.
    
    '^(.*) - \[(.*)\]: (#####.*)' - '^(.*) - \[(.*)\]: (#####.*)' - 0
             open '.*' - 1000 180 90
             pipe "/usr/bin/cat -"
    
    i would think the above rule would catch the first "*###*" line, then 
    feed everything up to the next "*###*" line into the new context, the new 
    context would match everything between. what i'm seeing with this rule 
    is a match for only the first line.
    
    
    any suggestions?
    
    thx.
    
    
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
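
Added example, not part of the original post and not a logsurfer configuration: one way to collect the lines between two identical delimiter lines and keep only the blocks that contain an exception. The names extract_blocks, find_exceptions, EXC and max_lines are hypothetical, and the shape of the exception line is an assumption based on the excerpt in the post.

```python
import re

# Delimiter regex taken from the post; the same pattern opens and closes a block.
DELIM = re.compile(r'^(.*) - \[(.*)\]: (#####.*)')
# Assumption: the exception line starts with a dotted Java class name
# ending in "Exception" or "Error", optionally followed by ": message".
EXC = re.compile(r'^\s*([\w.$]+(?:Exception|Error))\b(?::\s*(.*))?')

def extract_blocks(lines, max_lines=1000):
    """Yield the lines found between each pair of delimiter lines."""
    block = None                          # None means "outside a block"
    for line in lines:
        line = line.rstrip('\n')
        if DELIM.match(line):
            if block is None:
                block = []                # opening delimiter
            else:
                yield block               # closing delimiter
                block = None
        elif block is not None:
            block.append(line)
            if len(block) >= max_lines:   # closing delimiter never came
                yield block
                block = None
    if block:                             # input ended inside a block
        yield block

def find_exceptions(lines):
    """Return (class, message, block) for every block holding an exception."""
    hits = []
    for block in extract_blocks(lines):
        for entry in block:
            m = EXC.match(entry)
            if m:
                hits.append((m.group(1), m.group(2) or '', block))
                break
    return hits

# Constructed sample: a shortened copy of the block in the post, followed by
# a second, made-up block that contains no exception.
P = '12/18/03 10:26:53 AM PST - [com.pronet.bob.gui.core.bobServlet]: '
SAMPLE = [
    P + '###################################',
    P + 'Member: abcdefghi',
    P + 'uncaught exception (recovered to home page)',
    'com.pronet.bob.bl.core.api.UnauthorizedActionException: not in network',
    '         at java.lang.Thread.run(Thread.java:536)',
    '',
    P + '###################################',
    P + '###################################',
    P + 'Member: abcdefghi',
    P + '###################################',
]
```

Because the opening and closing delimiters are identical, the state toggles on every delimiter line; max_lines bounds the damage if a closing line is lost and the toggle falls out of step.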
    


