oh, you are using it under a wild-card (or multi-host) HOST= section thus you want to limit the test to apply to that HOST alone. makes sense then. I think the missing () is somewhat important too. If I recall correctly, I didn't have much sucess until I inserted () myself.
On 8/31/06, Gary B. <gmbfly98 at gmail.com> wrote:
I don't use HOST= in my working PORT tracking. I agree with Greg on doing it via the RegExp itself.
The problem with that is, it will perform the PORT test on all of the machines under the HOST= section the test is under. I don't want this, as only one of the machines actually has the ports running. I haven't had a problem using HOST= in this manner before, and it's described in the "rules to select hosts" section in the manpage for hobbit-clients.cfg
minor thing: not so sure TRACK= can take all numeric or not. I believe your RegExp needs (). Mine goes like below. I have PORT column show and alerts generated, plus RRD graph for counting of TIME_WAIT connections to PORT LOCAL=%([.:]3306)$ STATE=TIME_WAIT MIN=0 MAX=10000 COL=yellow TRACK=db_TimeWait TEXT=db_TimeWait
I was wondering that myself. I'll try changing to TRACK= to be character-based and see if that helps.
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk