Hello all,
I am trying to build a template around an existing log file that is being
analyzed with logsurfer.
The log entries look as follows -
-------------------------------------------------------------------------------
Mon Mar 29 06:57:47 2004
File: pcmuxMain.c ** Line: 914 ** Instance: ** Errno: 0
Total clients connected/MAX clients limit = 102/200;
Protocol Version 2.3; Client Version 2.6.11.0
-------------------------------------------------------------------------------
Mon Mar 29 06:57:47 2004
File: pcmuxMain.c ** Line: 1097 ** Instance: ** Errno: 9
All clients allowed
-------------------------------------------------------------------------------
As you can see, each log entry is separated by "------------" lines. Always the same
amount, and the critical info is always between them.
In the archives, I found a wonderful bit of code and changed it to this -
# context of the time of the error
#--------------------------------------------------------------------
#
# the first ### is the start of a block - the next ### will delete the context
#
'-------------------------------------------------------------------------------' - - - 0 continue
rule before
'-------------------------------------------------------------------------------' - '-------------------------------------------------------------------------------' - 0 delete '.*'
#
# ...but before we delete it we want to report it :-)
#
'-------------------------------------------------------------------------------' - - - 0 continue
rule top
'-------------------------------------------------------------------------------' - '-------------------------------------------------------------------------------' - 0 continue report "/usr/bin/cat -" '.*'
#
# if we fall through until here, then open a new context
# (still add a default action in case our end pattern wasn't seen)
#
'-------------------------------------------------------------------------------' - - - 0 continue
open '.*' - 1000 180 90 pipe "/usr/bin/cat -"
While this works great for getting out the information every time there is an
error, I want to only report specific context and if the context is
relevant...
In other words, I would like to create a template-based logsurfer.conf
around the style of log (probably utilizing portions of my existing config)
shown above...
I would also like to pull out only the second line (day / time / etc) and
the other line of the relevant match...
So something like :
-------------------------------------------------------------------------------
Mon Mar 29 06:57:47 2004
File: pcmuxMain.c ** Line: 914 ** Instance: ** Errno: 0
Total clients connected/MAX clients limit = 102/200;
Protocol Version 2.3; Client Version 2.6.11.0
-------------------------------------------------------------------------------
That would trigger a report command due to it having the word MAX. It would
also include the line containing MAX and the date line...
Something like this, however:
-------------------------------------------------------------------------------
Mon Mar 29 06:57:47 2004
File: pcmuxMain.c ** Line: 914 ** Instance: ** Errno: 0
Total clients
Protocol Version 2.3; Client Version 2.6.11.0
-------------------------------------------------------------------------------
Would not be triggered as it does not have the word MAX... of course, this
is not a REAL life example.. But you get the idea.
Any help would be appreciated.. I have had a few runs of close attempts but
nothing that is perfect yet.
Any help and a big thanks is yours... Or any other non monetary valued show
of appreciation. :)
Thanks,
-ed
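The filtering Ed asks for, as an added reference implementation in Python (not logsurfer syntax and not part of the original message): split the log on the 79-dash separator lines and, for each entry containing a pattern such as MAX, keep only the date line and the matching line. The sample log below is constructed from the two entries quoted in the post.

```python
import re

# Separator line used by this log format (79 dashes; the mail wrapper broke it in two).
SEPARATOR = "-" * 79

# Constructed sample built from the two entries quoted in the post.
SAMPLE_LOG = "\n".join([
    SEPARATOR,
    "Mon Mar 29 06:57:47 2004",
    "File: pcmuxMain.c ** Line: 914 ** Instance: ** Errno: 0",
    "Total clients connected/MAX clients limit = 102/200;",
    "Protocol Version 2.3; Client Version 2.6.11.0",
    SEPARATOR,
    "Mon Mar 29 06:57:47 2004",
    "File: pcmuxMain.c ** Line: 1097 ** Instance: ** Errno: 9",
    "All clients allowed",
    SEPARATOR,
]) + "\n"

# The date line that opens every entry, e.g. "Mon Mar 29 06:57:47 2004".
DATE_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")


def split_blocks(text):
    """Yield each entry as a list of lines, using the separator lines as delimiters."""
    block = []
    for line in text.splitlines():
        if line == SEPARATOR:
            if block:
                yield block
                block = []
        else:
            block.append(line)
    # An unterminated final block is yielded too, so a truncated tail is not silently
    # dropped (the job of the default action in the logsurfer config above).
    if block:
        yield block


def report(text, pattern):
    """Return (date_line, matching_line) pairs for every entry containing pattern.
    Entries without a match produce nothing and only those two lines are kept."""
    rx = re.compile(pattern)
    hits = []
    for block in split_blocks(text):
        date = next((line for line in block if DATE_RE.match(line)), None)
        hits.extend((date, line) for line in block if rx.search(line))
    return hits
```

Calling `report(SAMPLE_LOG, r"\bMAX\b")` yields one pair for the first entry and nothing for the second, which is exactly the trigger/no-trigger behaviour described above.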
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Mar 29 2004 - 13:25:44 PST