I'm having a similar issue myself, though I'm running the 4.2-beta-20060605 version. It seems only some of my "ignore" lines are working, depending on which other ones I have added.
I'm trying to ignore the following types of messages:
Jun 30 10:23:51 www upsd[7860]: Connection from 127.0.0.1
Jun 30 10:23:51 www upsd[7860]: Client on 127.0.0.1 logged out
Jun 25 04:04:01 www crond(pam_unix)[15334]: session opened for user root by (uid=0)
Jun 25 04:04:25 www crond(pam_unix)[15334]: session closed for user root
Jun 25 04:05:02 www crond(pam_unix)[15413]: session opened for user mailman by (uid=0)
Jun 25 04:05:06 www crond(pam_unix)[15413]: session closed for user mailman
with the following "ignore" lines:
ignore upsd.*from|on.*127\.0\.0\.1
ignore session opened|closed for user mailman|root
If I remove the "ignore upsd..." line, the second one seems to work fine, and v.v. if I remove the second one. The log monitoring is being done on the Hobbit server itself, so it's not a problem with client-vs-server Hobbit versioning.
Any ideas? Also, are quotes (" ") required around the expressions if they contain spaces, or is everything after the keyword "ignore" treated as the regular expression?
Dominique Frise wrote:
Hi,
We have the following config in our server's client-local.cfg:
[mailc]
log:/var/log/messages:10240
ignore MailScanner
The /var/log/messages of the "mailc" client is filled up with lines like the following that we would like to exclude totally:
May 13 06:26:41 mailc MailScanner[933]: HTML Img tag found in message 1Feli1-0004tG-Dt from dmawllet at hotmail.com
The lines with "MailScanner" of "mailc" client (Debian 2.4.22) are never ignored. I.e. we get -yellow/red- alarms for lines with "MailScanner" tag in it.
--- some infos from the client ---
bb at mailc:~$ wc -l /var/log/messages
10790 /var/log/messages
bb at mailc:~$ grep MailScanner /var/log/messages | wc -l
10795
bb at mailc:/soft/pub/BB/hobbit/client/tmp$ cat logfetch.*
log:/var/log/messages:10240
ignore MailScanner
/var/log/messages:1306142:1281851:1252634:1227431:1200018:1156195:1115234
bb at mailc:/soft/pub/BB/hobbit/client/tmp$
What are we doing wrong? (client is running a snapshot of 25th April)
Dominique
UNIL - University of Lausanne
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
After upgrading the server to the snapshot of 16 May it now works as expected :-). (client is still running snapshot of 25 April)
Dominique
UNIL - University of Lausanne