Elizabeth,
Hm OK I updated the rules, now puzzled about why this one is alerting:
00020522 2011-03-24 12:53:44 send_alert fiona.e-dialog.com:vmio state Paging
00020522 2011-03-24 12:53:44 Matching host:service:page 'fiona.example.com:vmio:' against rule line 146
00020522 2011-03-24 12:53:44 *** Match with 'HOST=%db* EXHOST=%*dl2* SERVICE=vmio' ***
00020522 2011-03-24 12:53:44 Matching host:service:page 'fiona.e-dialog.com:vmio:' against rule line 147
00020522 2011-03-24 12:53:44 *** Match with 'MAIL xymail REPEAT=1d RECOVERED' ***
Fiona alerted for vmio and is paging. Fiona does not have the string "db" anywhere in its name. (I replaced my company with example but the company name doesn't have a db in it either)
In regular expressions, '*' is not a wildcard - it means "match the preceding pattern 0 or more times", so 'db*' matches 'd' followed by any number of 'b' characters. %db* is not anchored (it can match anywhere), so at a minimum if there is a single 'd' anywhere in the host name (including the domain) it will match - in effect the '%db*' is equivalent to '%d'.

The equivalent of a wildcard is '.*' - '.' matches any character, '*' matches 0 or more times. When the regular expression is not anchored (i.e. tied to matching at a particular position), '.*' at the start or end is redundant. If you want to make a pattern fully anchored, use something like:

HOST=%^db.*$

'^' means match from the beginning of the string. '$' matches the end of the string.
later on I get

00020753 2011-03-24 12:58:09 Matching host:service:page 'fiona.example.com:vmio:' against rule line 181
00020753 2011-03-24 12:58:09 Failed 'HOST=%*db*' (hostname not in include list)

The regexp is different in that there's a second asterisk, but the machines I want to catch do all start with db...

HOST=%*db* isn't a valid regular expression, so it won't match anything. The first '*' has no preceding pattern. Possibly it might be interpreted as match a '*' character, which won't match. If you want to match any host containing 'db' use HOST=%db (or HOST=%^.*db.*$ as anchored version). Strictly speaking, if you want to match 'db' in only the host and not the domain, you could do HOST=%[^.]*db - match from the start of the string any number of characters that aren't '.' followed by 'db'.
Regular expressions are far more powerful than simple wildcards, but the syntax for simple matches is different.
A rundown on regular expressions is here:
http://en.wikipedia.org/wiki/PCRE
http://perldoc.perl.org/perlre.html
David.
-- David Baldwin - IT Unit Australian Sports Commission www.ausport.gov.au Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616 david.baldwin at ausport.gov.au Leverrier Street Bruce ACT 2617
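The matching behaviour described in the reply above, as an added example that is not part of the original message. Python's `re` module stands in here for the PCRE matching applied to the text after `%`, searching unanchored as the reply describes; the host names and the `select_hosts` helper are constructed for illustration.

```python
import re

# Constructed host names for illustration; none come from the thread's real environment.
HOSTS = [
    "fiona.example.com",
    "fiona.prod.example.com",   # the only 'd' is in the domain part
    "db01.example.com",
    "webdb2.example.com",
    "app.dbfarm.example.com",   # 'db' appears only after the first dot
]


def select_hosts(pattern, hosts=HOSTS):
    """Return the hosts an unanchored search for `pattern` selects.

    Returns None when `pattern` is not a valid regular expression, so a
    broken rule is distinguishable from a rule that selects nothing.
    """
    try:
        compiled = re.compile(pattern)
    except re.error:
        return None
    return [h for h in hosts if compiled.search(h)]


# Patterns from the thread (the text after '%'), plus two variants for comparison.
PATTERNS = [
    "db*",        # 'd' then zero or more 'b'
    "d",          # selects the same hosts as 'db*'
    "db",         # contains 'db' anywhere, domain included
    "^db.*$",     # starts with 'db'
    "*db*",       # leading '*' has nothing to repeat
    "[^.]*db",    # unanchored: '[^.]*' may match zero characters
    "^[^.]*db",   # '^' added here: 'db' must occur before the first dot
]

if __name__ == "__main__":
    for pattern in PATTERNS:
        selected = select_hosts(pattern)
        if selected is None:
            print(f"{pattern!r:12} INVALID pattern")
        else:
            print(f"{pattern!r:12} {len(selected)} host(s): {', '.join(selected)}")
```

Running a proposed HOST pattern against the full host list this way before deploying a rule shows both over-broad matches and patterns that fail to compile.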