client-local.cfg ignore a complicated line - syntax issue?
I'm probably missing something obvious here, but I'm getting stuck. I'm looking at a logfile and I would like to ignore lines like this:
Sep 11 22:24:36 10.65.0.6 apcontroller: *bcastReceiveTask: Sep 11 22:24:36.407: %DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1426 STA(Target MAC Address) [d4:9a:20:58:46:34, 0.0.0.0] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 10.0.10.157/TPA(Destination IP Address) 10.0.10.1
I've been playing around with variations like log:/appdata/logserver/local7.log:102400 IGNORE (apcontroller|cli.WARNING|cli.NOTICE) or log:/appdata/logserver/local7.log:102400 IGNORE apcontroller|cli.WARNING|cli.NOTICE or log:/appdata/logserver/local7.log:102400 IGNORE= (apcontroller|cli.WARNING|cli.NOTICE) or log:/appdata/logserver/local7.log:102400 IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE
and even log:/appdata/logserver/local7.log:102400 IGNORE apcontroller
(I'd like to ignore the cli.WARNING and cli.NOTICE too, but there are really too many apcontroller lines)
Please, what is the syntax I need for this? Or is this a problem because it's a complicated line containing so many special sorts of characters?
thanks Betsy
Betsy
On 12 September 2014 13:00, Betsy Schwartz <betsy.schwartz at gmail.com> wrote:
I've been playing around with variations like log:/appdata/logserver/local7.log:102400 IGNORE (apcontroller|cli.WARNING|cli.NOTICE) or log:/appdata/logserver/local7.log:102400 IGNORE apcontroller|cli.WARNING|cli.NOTICE or log:/appdata/logserver/local7.log:102400 IGNORE= (apcontroller|cli.WARNING|cli.NOTICE) or
None of those is going to work because you're using PCREs but you haven't told Xymon that they're PCREs with the percent.
log:/appdata/logserver/local7.log:102400 IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE
This should work. I tested it with pcregrep against your log message and it matched, meaning it should have ignored it.
and even log:/appdata/logserver/local7.log:102400 IGNORE apcontroller
I would expect this to work too, but the man page for client-local.cfg says that the pattern "is a regular expression" and so it might not match this without the "%". Have you tried just "IGNORE %apcontroller"?
Please, what is the syntax I need for this? Or is this a problem because it's a complicated line containing so many special sorts of characters?
This shouldn't matter. It might, but it shouldn't.
J
Ah, the "ignore" should be on a separate line. Like so:
log:/appdata/logserver/local7.log:102400 ignore %(?-i)apcontroller|cli.WARNING|cli.NOTICE
And it's lower-case. This is in your client-local.cfg right?
On 12 September 2014 18:23, Jeremy Laidman <jlaidman at rebel-it.com.au> wrote:
And it's lower-case.
Sorry, I meant that "ignore" is usually in lower-case. I'm not sure it matters, but the man page examples use "ignore matchstring" in lower-case. The upper-case version, like "IGNORE=matchstring", is the format used in analysis.cfg, and defines what to ignore when alerting rather than what to ignore when sending log messages. If you're trying to create a rule for analysis.cfg, then your "log" line is in the wrong format, and should be
LOG /appdata/logserver/local7.log IGNORE=%(?-i)apcontroller|cli.WARNING|cli.NOTICE
J
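A worked check of the match string discussed in this thread, added here as an example and not code from Xymon or from either poster. It emulates the documented behaviour (a leading "%" marks the match string as a PCRE, matching is case-insensitive unless the pattern starts with "(?-i)"; a string without "%" is treated as a plain substring here, which is a simplifying assumption) and runs the pattern over a few constructed log lines, the first being the apcontroller line quoted above. It also shows the caveat a practitioner would want to check: the unescaped dots in "cli.WARNING" match any character, and "(?-i)" makes the whole alternation case-sensitive, so an upper-case "APCONTROLLER" line is no longer ignored.

```python
import re

# Constructed sample lines for the demo; the first is the message quoted in the thread.
SAMPLE_LINES = [
    "Sep 11 22:24:36 10.65.0.6 apcontroller: *bcastReceiveTask: Sep 11 22:24:36.407: "
    "%DTL-4-ARP_ORPHANPKT_DETECTED: dtl_net.c:1426 STA(Target MAC Address) "
    "[d4:9a:20:58:46:34, 0.0.0.0] ARP (op ARP REQUEST) received with invalid "
    "SPA(Source IP Address) 10.0.10.157/TPA(Destination IP Address) 10.0.10.1",
    "Sep 11 22:25:01 10.65.0.6 sshd[2231]: Accepted publickey for betsy from 10.0.10.50 port 52211 ssh2",
    "Sep 11 22:25:02 10.65.0.6 cli.WARNING: configuration session opened",
    "Sep 11 22:25:03 10.65.0.6 cliXWARNING: not the CLI at all",
    "Sep 11 22:25:04 10.65.0.6 APCONTROLLER: upper-case variant",
]

_INLINE_NOCASE_OFF = "(?-i)"


def compile_ignore(match_string: str) -> re.Pattern:
    """Turn a client-local.cfg 'ignore' match string into a compiled regex.

    Emulation (an assumption, not Xymon's own code): a leading '%' marks the
    rest as a PCRE, otherwise the string is matched as a literal substring.
    Matching is case-insensitive unless the PCRE begins with (?-i). Python's
    re module rejects a bare leading (?-i), so it is rewritten to the scoped
    form (?-i:...), which has the same effect over the whole pattern.
    """
    if match_string.startswith("%"):
        body = match_string[1:]
        if body.startswith(_INLINE_NOCASE_OFF):
            body = f"(?-i:{body[len(_INLINE_NOCASE_OFF):]})"
        return re.compile(body, re.IGNORECASE)
    return re.compile(re.escape(match_string), re.IGNORECASE)


def filter_log(lines, match_string):
    """Return the lines that would still be reported, i.e. those NOT ignored."""
    rx = compile_ignore(match_string)
    return [line for line in lines if not rx.search(line)]


if __name__ == "__main__":
    for pattern in (
        "%(?-i)apcontroller|cli.WARNING|cli.NOTICE",    # as posted in the thread
        r"%(?-i)apcontroller|cli\.WARNING|cli\.NOTICE",  # dots escaped: literal "cli.WARNING" only
        "apcontroller",                                  # no '%': plain, case-insensitive substring
    ):
        print(f"ignore {pattern}")
        for line in filter_log(SAMPLE_LINES, pattern):
            print("  kept:", line[:60])
```

Running it shows that the thread's pattern drops the apcontroller line and both "cli" lines (including the "cliXWARNING" one, because "." is a wildcard) but keeps the upper-case "APCONTROLLER" line; escaping the dots keeps "cliXWARNING"; and the bare "apcontroller" string, treated as a case-insensitive literal, drops both apcontroller lines while leaving the cli lines alone.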