Thank you!!! Now multiple ignore patterns work correctly!

LOG /var/log/syslog %password|error|fail|changed|tcpd|Accepted COLOR=red IGNORE=%plugin\screate\sstatement\sfrom\suserPassword|plugin\sdoing\squery\sELECTTTT
LOG /var/log/auth.log %password|error|fail|changed|tcpd|Accepted COLOR=red IGNORE=%plugin\screate\sstateeement\sfrom\suserPassword|plugin\sdoing\squery\sSELECT

Steve Holmes wrote:
Thanks, Craig. I'm going to try this trick. But even single words aren't working reliably for me.

Steve Holmes

On 5/24/07, Dominique Frise <Dominique.Frise at unil.ch> wrote:

Craig Cook wrote:
> While we are asking questions about the pcre handling...
>
> Has anyone managed to use a rule with spaces?
>
> ie.
>
> LOG /var/log/syslog "%disk full" COLOR=red
>
> I have tried using quotes, escaping quotes, escaping spaces, etc. Nothing has worked. Reduced to individual words to get something working.
>
> Craig Cook
> --
> Systems Monitoring Consulting and Support Services
> http://www.cookitservices.com
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk

Spaces should work but we use \s to represent spaces.

Example:

LOG /var/adm/messages.da %(?-i)Fail|fail|On\sbattery|AC\sline\sfault|Replace\sbattery|Battery\snot COLOR=yellow

The (?-i) tells pcre to turn case-sensitive pattern matching on.

Dominique
UNIL - University of Lausanne

--
Lots of people think they're charitable if they give away their old clothes and things they don't want. It isn't charity to give away things you want to get rid of and it isn't a sacrifice to do things you don't mind doing.
-Myrtle Reed, author (1874-1911)
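
An added example, not part of the thread and not Hobbit's own code: a small Python model of a LOG rule that shows why a quoted pattern with a literal space fails, why `\s` works, and how IGNORE and `(?-i)` change which lines alert. It assumes the rule line is split on whitespace and that matching is case-insensitive by default; the function names and sample log lines are constructed for illustration.

```python
import re

def compile_pattern(token):
    # Assumption taken from the thread: "%" marks a regex and matching is
    # case-insensitive unless the pattern opens with (?-i). Python's re cannot
    # switch a global flag off inline, so that prefix is emulated here.
    if not token.startswith("%"):
        return re.compile(re.escape(token), re.IGNORECASE)
    body, flags = token[1:], re.IGNORECASE
    if body.startswith("(?-i)"):
        body, flags = body[len("(?-i)"):], 0
    return re.compile(body, flags)

def parse_log_rule(line):
    # Assumption: fields are split on whitespace, which is why a literal
    # space (quoted or not) cuts the pattern short.
    fields = line.split()
    if len(fields) < 3 or fields[0] != "LOG":
        raise ValueError("expected: LOG <file> <pattern> [COLOR=..] [IGNORE=..]")
    rule = {"file": fields[1], "match": compile_pattern(fields[2]),
            "color": None, "ignore": None, "stray": []}
    for field in fields[3:]:
        if field.startswith("COLOR="):
            rule["color"] = field[len("COLOR="):]
        elif field.startswith("IGNORE="):
            rule["ignore"] = compile_pattern(field[len("IGNORE="):])
        else:
            rule["stray"].append(field)  # leftovers of a pattern broken by a space
    return rule

def alerts(rule, lines):
    # Indexes of lines that match the rule and are not excluded by IGNORE.
    return [i for i, text in enumerate(lines)
            if rule["match"].search(text)
            and not (rule["ignore"] and rule["ignore"].search(text))]

# Constructed sample log lines, not taken from the thread.
SAMPLE = [
    "May 24 10:01:02 host kernel: /var: disk full",
    "May 24 10:02:11 host sshd[411]: Failed password for root from 192.0.2.7",
    "May 24 10:02:15 host slapd[99]: plugin doing query SELECT userPassword",
    "May 24 10:03:00 host ups: On battery",
    "May 24 10:03:05 host ups: ON BATTERY self-test",
]

QUOTED = parse_log_rule('LOG /var/log/syslog "%disk full" COLOR=red')
ESCAPED = parse_log_rule(r"LOG /var/log/syslog %disk\sfull COLOR=red")
AUTH = parse_log_rule(r"LOG /var/log/auth.log %password|error|fail|changed|tcpd|Accepted"
                      r" COLOR=red IGNORE=%plugin\sdoing\squery\sSELECT")
UPS = parse_log_rule(r"LOG /var/adm/messages %(?-i)Fail|fail|On\sbattery COLOR=yellow")
```

Running `alerts()` over the sample lines with each rule shows the quoted rule matching nothing, while the `\s` form catches the disk-full line and the IGNORE pattern suppresses the SELECT line that would otherwise match on "password".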