For starters, you do not need to parse the whole log line; in this case you would start after "smartd[3562]: ". The syslog <hostname> (server23) and <program_name> (smartd) are decoded by ossec, see http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

regards,
m

On Mar 11, 1:17 pm, Vianney Lejeune <[email protected]> wrote:
> Hello,
>
> I would like to ignore this alert:
>
> server23 smartd[3562]: Device: /dev/sdb, SMART Prefailure Attribute: 1
> Raw_Read_Error_Rate changed from 108 to 107
>
> I tried this regexp:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/
> sd[^[:alnum:]], SMART Prefailure Attribute: [[:digit:]]+
> Raw_Read_Error_Rate changed from [[:digit:]]+ to [[:digit:]]+$
>
> But it doesn't work. What did I miss?
>
> Regards,
> V
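
Added example, not part of the original thread and not OSSEC code: a Python sketch of the point made in the reply, that once the hostname and program name have been decoded, the ignore pattern only has to match the text after "smartd[3562]: ". The header regex, the function names and both patterns are assumptions written for this illustration.

```python
import re

# Simplified stand-in for the syslog pre-decoding step (an assumption, not OSSEC code):
# optional "Mmm dd hh:mm:ss " timestamp, hostname, program name, optional [pid], message.
SYSLOG_HEADER = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Pattern written against the message only, i.e. what is left after "smartd[3562]: ".
SMARTD_RAW_READ = re.compile(
    r"^Device: /dev/sd[a-z]+, SMART Prefailure Attribute: \d+ "
    r"Raw_Read_Error_Rate changed from \d+ to \d+$"
)

# Pattern that still expects hostname and program name in front of the message.
WHOLE_LINE = re.compile(r"^\S+ smartd\[\d+\]: Device: ")


def predecode(line):
    """Split a syslog line into hostname, program_name and message."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    return {k: m.group(k) for k in ("hostname", "program_name", "message")}


def should_ignore(line):
    """True when the line is the smartd Raw_Read_Error_Rate notice."""
    fields = predecode(line)
    return (
        fields is not None
        and fields["program_name"] == "smartd"
        and SMARTD_RAW_READ.match(fields["message"]) is not None
    )


# Constructed sample input: the alert text from the post, joined onto one line.
SAMPLE = ("server23 smartd[3562]: Device: /dev/sdb, SMART Prefailure Attribute: 1 "
          "Raw_Read_Error_Rate changed from 108 to 107")

if __name__ == "__main__":
    fields = predecode(SAMPLE)
    print(fields)
    print("whole-line pattern on message:", bool(WHOLE_LINE.match(fields["message"])))
    print("ignore:", should_ignore(SAMPLE))
```

The whole-line pattern finds nothing in the decoded message because the header it expects has already been split off, while the message-only pattern matches regardless of which host or PID produced the line.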
