And no joy:

The rule now reads:

<rule id="100000" level="1">
   <if_sid>1002</if_sid>
   <match>polkitd\.*</match>
   <description>Meaningless syslog message. Logging...</description>
</rule>

and the last stage of the logtest run is still showing:

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


Thanks for any info/hints/tips/suggests.

Doug O'Leary

On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>
>
>
> 'pollkitd.*' appears nowhere in the log sample you provided below. I 
>> think you are probably thinking: 
>>
>
> Actually, it does... 
>
> log: 'polkitd(authority=local)
>
> Right there at the beginning of the line; however, I think you pointed out 
> what I was doing wrong... the '.' has to be escaped, from what I read.. too 
> many regex variants.  I'll give that a try.
>
> Thanks.
>  
>
>> <regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm 
>> too lazy to try it out) 
>>
>>
> Doug O'Leary 
>
