On 12 April 2013 01:20, Root, Paul T <Paul.Root at centurylink.com> wrote:
> Is there a way to tell analysis that I want to look for this file, but if it doesn’t exist, that’s ok?
I don't think so. But you can work around this in client-local.cfg, like so:
file:`[ -f /path/to/file ] && echo /path/to/file || echo /dev/null`
This will simply send through a different filename in the client data, and the server-side will act as if you haven't configured it at all, which I think means it won't report anything.
Also, there seems to be an undocumented modifier "optional" for both FILE and LOG clauses. I haven't used this, but it seems you would just append it to the end of the FILE line in analysis.cfg, like so:
FILE:/path/to/file red mtime<7776000 optional
> While I’m at it, is mtime> only in seconds or can I put a ‘d’ modifier for days on the end of it?
Nope, the string after "mtime>" is fed straight into aton() before being stored in the rule structure, so it can only be digits.
Cheers Jeremy