Alerting & IGNORE
I can't get the ignore working. Is this syntax wrong:
HOST=sau102
LOG /var/adm/messages %(?-i)NOTICE|WARNING|Error IGNORE="%setuid execution not allowed" COLOR=yellow
The above is in the hobbit-clients.cfg file.
Thanks.
James
Both of these lines work for me.
HOST=host1
LOG /var/adm/messages %(?-i)WARNING COLOR=yellow "IGNORE=%WARNING: /var/adm/utmp exists"
HOST=host2
LOG /var/adm/messages %(?-i)WARNING "IGNORE=%VOLTAGE:" COLOR=yellow
Try moving your quote.
LOG /var/adm/messages %(?-i)NOTICE|WARNING|Error "IGNORE=%setuid execution not allowed" COLOR=yellow
John
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
I forgot I also had to exclude the hosts from the CLASS. So check if you have another rule that would alert.
CLASS=sunos EXHOST=host1,host2
LOG /var/adm/messages %(?-i)FAILED COLOR=yellow
LOG %.* %(?-i)NOTICE COLOR=yellow
LOG /var/adm/messages %NFS.*not.responding.still.trying COLOR=yellow
LOG /var/adm/messages %(?-i)REASON COLOR=red
LOG /var/adm/messages %(?-i)WARNING COLOR=yellow
Don't use SPACES; replace them with \s:
LOG /var/adm/messages %(?-i)NOTICE|WARNING|Error IGNORE="%setuid\sexecution\snot\sallowed" COLOR=yellow
Cheers
I think you have to use metachars instead of spaces if you are using a regex, so try this:
LOG /var/adm/messages %(?-i)NOTICE|WARNING|Error IGNORE="%setuid.execution.not.allowed" COLOR=yellow
or even "%setuid.*allowed".
You may also have to put quotes around the previous regex.
-Charles
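Added example, not part of the thread and not Hobbit's own code: a Python stand-in for a LOG rule's match-then-IGNORE filtering, run over constructed log lines. It shows that the three space-free IGNORE patterns suggested in the replies all suppress the target message, but that `%setuid.*allowed` also silences an unrelated NOTICE. Assumptions: matching is case-insensitive unless the pattern opens with (?-i), Python's `re` stands in for PCRE, and the sample lines and function names are made up.

```python
import re

# Constructed lines in the style of /var/adm/messages (not taken from the thread).
SAMPLE = [
    "Jan  5 10:01:02 sau102 genunix: NOTICE: demo, uid 100: setuid execution not allowed, dev=0",
    "Jan  5 10:01:09 sau102 ufs: WARNING: /export: file system full",
    "Jan  5 10:02:30 sau102 demo: NOTICE: setuid wrapper for backup now allowed",
    "Jan  5 10:03:00 sau102 demo: error: connection reset",
]

MATCH = "%(?-i)NOTICE|WARNING|Error"  # match pattern from the thread


def compile_pattern(pattern):
    """Compile a '%'-prefixed pattern with Python's re (a stand-in for PCRE)."""
    if not pattern.startswith("%"):
        raise ValueError("only %regex patterns are handled in this example")
    body = pattern[1:]
    # Assumption: case-insensitive unless the pattern opens with (?-i).
    # Python's re rejects a bare (?-i), so it is translated into flags here.
    if body.startswith("(?-i)"):
        return re.compile(body[len("(?-i)"):])
    return re.compile(body, re.IGNORECASE)


def still_alerting(lines, match, ignore):
    """Indexes of lines that hit the match pattern and are not suppressed by ignore."""
    hit, skip = compile_pattern(match), compile_pattern(ignore)
    return [i for i, line in enumerate(lines)
            if hit.search(line) and not skip.search(line)]


if __name__ == "__main__":
    for ignore in (r"%setuid\sexecution\snot\sallowed",
                   "%setuid.execution.not.allowed",
                   "%setuid.*allowed"):
        print(ignore, "->", still_alerting(SAMPLE, MATCH, ignore))
```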