Wolfgang Braun said:

> [snip]
> Seems to work ok (except I get some empty mails) but I noticed that the
> context also contains log lines that matched previous 'ignore' rules.
>
> Is there a way to do this as I intend it to work? My main problem is
> that the context also contains the previously matched/ignored log lines.

You get this because log lines are matched against the active contexts
before they are matched against the configured rules. You could fix it by
adding the stuff you want to ignore into the not_match field of the context
definition:

  'mark' - - - 0 open '.' 'ignore' 500 3600 0 report '/usr/bin/mail braun -s"test-context"' "."

This will open up a context called ".", which will match and collect every
line (matching the regex "."), except for those containing the string
"ignore".

The empty Emails you get are from the triggering of the report rule before
the "." context is created.

Depending on what you're trying to achieve, it may be easier not to use the
'mark' mechanism and just use Logsurfer timers. For example, the following
is a pair of rules I'm using to report on abnormal messages syslogged from
a Cisco PIX:

  '%PIX-.-(106023|313003|305006|410001)' - - - 0 ignore
  ' ([^ ]+) %PIX' - - - 0 open " $2 %PIX" '%PIX-.-(106023|313003|305006|410001)' - 1200 600 report "/bin/mailx -s \"Alert: abnormal messages from $2\" operator@private" " $2 %PIX"

In the first rule I ignore all the stuff I'm not interested in seeing (the
pattern has been shortened in this example), in the second rule I open a
context to collect all the rest and report it to me, with absolute and
relative timeouts set.

-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz
kerry@private

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
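The matching order the reply describes (open contexts see a line before the rules do, so an 'ignore' rule cannot keep a line out of a context) can be reproduced with a small model. This is an added illustration, not Logsurfer's own code; the log lines, the 'mark'/'ignore' rule pair and the Context class are constructed for the example.

```python
"""Toy model of Logsurfer's matching order (added example, not Logsurfer code).

Every incoming line is first offered to each open context; only afterwards
are the rules consulted.  A line that an 'ignore' rule drops is therefore
still collected by an already-open context unless the context's own
not_match regex excludes it, which is the fix given in the reply above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log; line 3 is the kind of noise an 'ignore' rule drops.
LOG = [
    "Jan  1 00:00:01 host mark",
    "Jan  1 00:00:02 host sshd: accepted login for alice",
    "Jan  1 00:00:03 host cron: please ignore this noise",
    "Jan  1 00:00:04 host kernel: disk error on sda",
]


@dataclass
class Context:
    match: str                    # regex a line must match to be collected
    not_match: Optional[str]      # regex that excludes a line from the context
    lines: List[str] = field(default_factory=list)

    def offer(self, line: str) -> None:
        if re.search(self.match, line) is None:
            return
        if self.not_match and re.search(self.not_match, line):
            return                # excluded by not_match, never collected
        self.lines.append(line)


def run(log_lines: List[str], context_not_match: Optional[str]) -> List[str]:
    """Feed lines through an 'ignore' rule and a 'mark' rule that opens a '.'
    context.  Returns the lines the context collected.  Whether the opening
    'mark' line is itself collected is not modelled here (assumption)."""
    contexts: List[Context] = []
    for line in log_lines:
        # Step 1: active contexts see the line before any rule does.
        for ctx in contexts:
            ctx.offer(line)
        # Step 2: rules in order.  'ignore' drops the line, but the contexts
        # above have already had their chance to collect it.
        if re.search("ignore", line):
            continue
        if re.search("mark", line) and not contexts:
            contexts.append(Context(".", context_not_match))
    return [l for ctx in contexts for l in ctx.lines]
```

With `context_not_match=None` the collected lines include the "ignore" line; with `context_not_match="ignore"` they do not.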
This archive was generated by hypermail 2.1.3 : Thu Feb 10 2005 - 17:24:25 PST