Wolfgang Braun said:
>[snip]
> Seems to work ok (except I get some empty mails) but I noticed that the
> context also contains log lines that matched previous 'ignore' rules.
>
> Is there a way to do this as I intend it to work? My main problem is
> that the context also contains the previously matched/ignored log lines.
You get this because log lines are matched against the active contexts
before they are matched against the configured rules. You could fix it my
adding the stuff you want to ignore into the not_match field of the
context definition:
'mark' - - - 0
open '.' 'ignore' 500 3600 0
report '/usr/bin/mail braun -s"test-context"' "."
This will open up a context called ".", which will match and collect every
line ( matching the regex "." ), except for those containing the string
"ignore".
The empty Emails you get are from the triggering of the report rule before
the "." context is created.
Depending on what you're trying to achieve, it may be easier not to use
the 'mark' mechanism and just use Logsurfer timers. For example, the
following is a pair of rules I'm using to report on abnormal messages
syslogged from a Cisco PIX:
'%PIX-.-(106023|313003|305006|410001)' - - - 0 ignore
' ([^ ]+) %PIX' - - - 0
open " $2 %PIX" '%PIX-.-(106023|313003|305006|410001)' - 1200 600
report "/bin/mailx -s \"Alert: abnormal messages from $2\"
operator@private" " $2 %PIX"
In the first rule I ignore all the stuff I'm not interested in seeing (the
patterm has been shortened in this example), in the second rule I open a
context to collect all the rest and report it to me, with absolute and
relative timeouts set.
--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry@private
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Feb 10 2005 - 17:24:25 PST