Why not change match to program_name?

<rule id="100000" level="1">
  <if_sid>1002</if_sid>
  <program_name>polkitd</program_name>
  <description>Meaningless syslog message. Logging...</description>
</rule>
On Fri, Aug 24, 2012 at 4:00 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Aug 24, 2012 at 3:59 PM, dkoleary <[email protected]>
> wrote:
>> And no joy:
>>
>> The rule now reads:
>>
>> <rule id="100000" level="1">
>> <if_sid>1002</if_sid>
>> <match>polkitd\.*</match>
>
> The literal string 'polkitd\.*' does not appear in the log sample you
> provided.
>
>> <description>Meaningless syslog message. Logging...</description>
>> </rule>
>>
>> and the last stage of the logtest run is still showing:
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> Thanks for any info/hints/tips/suggests.
>>
>> Doug O'Leary
>>
>> On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>>>
>>>> 'pollkitd.*' appears nowhere in the log sample you provided below. I
>>>> think you are probably thinking:
>>>
>>> Actually, it does...
>>>
>>> log: 'polkitd(authority=local)
>>>
>>> Right there at the beginning of the line; however, I think you pointed out
>>> what I was doing wrong... the '.' has to be escaped, from what I read.. too
>>> many regex variants. I'll give that a try.
>>>
>>> Thanks.
>>>
>>>> <regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm
>>>> too lazy to try it out)
>>>
>>> Doug O'Leary
>>> --
>>> Registered Linux User # 379282
