For now, I removed GROUP/EXGROUP in alert rules and reverted to alerting upon 'host= service='. It is not desirable since the granularity rendered possible by GROUP is lost: an alert is sent for the whole 'msgs' service instead of one out of nine file/log checks for that host.msgs

On 11/29/06, Jerry Yu <jjj863 at gmail.com> wrote:
If I have an alert rule as below in hobbit-alerts.cfg, every alert will match the GROUP rule, plus EXGROUP doesn't seem to be effective either. Such behavior was observed from the real email received as well as by the insightful "bbcmd hobbitd_alert --test".

Only one group is defined.

GROUP=junkgroup
        MAIL junkgroup at my.domain color=red
HOST=* EXGROUP=junkgroup
        MAIL realdeal at my.domain color=yellow

It is the same case if the group named in hobbit-alerts.cfg is bogus, aka, not defined in hobbit-clients.cfg.
Only one group is defined in hobbit-clients.cfg, as listed below:

log /tmp/junkgroup.log %(?-i)USER-ID:|EXCEPTION: IGNORE=kilobyte group=junkgroup

In case it matters, this is the only Hobbit server running on CentOS 4.3/i386. Version==4.2RC1-20060712