On Fri, Aug 24, 2012 at 3:59 PM, dkoleary <[email protected]> wrote:
> And no joy:
>
> The rule now reads:
>
> <rule id="100000" level="1">
> <if_sid>1002</if_sid>
> <match>polkitd\.*</match>

The literal string 'polkitd\.*' does not appear in the log sample you provided.

> <description>Meaningless syslog message. Logging...</description>
> </rule>
>
> and the last stage of the logtest run is still showing:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> Thanks for any info/hints/tips/suggests.
>
> Doug O'Leary
>
> On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>>
>>> 'pollkitd.*' appears no where in the log sample you provided below. I
>>> think you are probably thinking:
>>
>> Actually, it does...
>>
>> log: 'polkitd(authority=local)
>>
>> Right there at the beginning of the line; however, I think you pointed out
>> what I was doing wrong... the '.' has to be escaped, from what I read.. too
>> many regex variants. I'll give that a try.
>>
>> Thanks.
>>
>>> <regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm
>>> too lazy to try it out)
>>
>> Doug O'Leary
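
The two matcher types discussed in this thread, side by side, as an added example that is not part of the original messages. The rule ids 100001 and 100002 and the description texts are constructed for illustration; the parent rule 1002, level 1 and the `polkitd` string come from the thread.

```xml
<!-- Added example, not from the original thread. Goes in local_rules.xml.
     Use ONE of the two rules; ids and descriptions are constructed. -->
<group name="local,syslog,">

  <!-- Variant A: <match> uses OSSEC's simple string matcher (sregex).
       Only ^, $ and | are special there; everything else is compared
       as literal text. That is why "polkitd\.*" never fired: the log
       contains "polkitd(authority=local)", not a backslash, dot and
       asterisk. A plain substring is all that is needed. -->
  <rule id="100001" level="1">
    <if_sid>1002</if_sid>
    <match>polkitd</match>
    <description>polkitd syslog message (constructed description).</description>
  </rule>

  <!-- Variant B: <regex> uses OSSEC's own regex dialect (OS_Regex).
       In that dialect "\." means "any character" and "+" means
       "one or more", so this reads: "polkitd" followed by at least
       one more character. -->
  <rule id="100002" level="1">
    <if_sid>1002</if_sid>
    <regex>polkitd\.+</regex>
    <description>polkitd syslog message (constructed description).</description>
  </rule>

</group>
```

After editing the rules file, feed the same log line to logtest again; Phase 3 should report the new child rule id instead of 1002.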
