Never mind, I see that it doesn't match program_name in the decoder.

On Fri, Aug 24, 2012 at 6:26 PM, Joe Gedeon <[email protected]> wrote:
> Why not change match to program_name?
>
> <rule id="100000" level="1">
> <if_sid>1002</if_sid>
> <program_name>polkitd</program_name>
> <description>Meaningless syslog message. Logging...</description>
> </rule>
>
> On Fri, Aug 24, 2012 at 4:00 PM, dan (ddp) <[email protected]> wrote:
>> On Fri, Aug 24, 2012 at 3:59 PM, dkoleary <[email protected]> wrote:
>>> And no joy:
>>>
>>> The rule now reads:
>>>
>>> <rule id="100000" level="1">
>>> <if_sid>1002</if_sid>
>>> <match>polkitd\.*</match>
>>
>> The literal string 'polkitd\.*' does not appear in the log sample you provided.
>>
>>> <description>Meaningless syslog message. Logging...</description>
>>> </rule>
>>>
>>> and the last stage of the logtest run is still showing:
>>>
>>> **Phase 3: Completed filtering (rules).
>>> Rule id: '1002'
>>> Level: '2'
>>> Description: 'Unknown problem somewhere in the system.'
>>> **Alert to be generated.
>>>
>>> Thanks for any info/hints/tips/suggests.
>>>
>>> Doug O'Leary
>>>
>>> On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>>>>> 'pollkitd.*' appears nowhere in the log sample you provided below. I think you are probably thinking:
>>>>
>>>> Actually, it does...
>>>>
>>>> log: 'polkitd(authority=local)
>>>>
>>>> Right there at the beginning of the line; however, I think you pointed out what I was doing wrong... the '.' has to be escaped, from what I read.. too many regex variants. I'll give that a try.
>>>>
>>>> Thanks.
>>>>
>>>>> <regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm too lazy to try it out)
>>>>
>>>> Doug O'Leary
>
> --
> Registered Linux User # 379282

--
Registered Linux User # 379282
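The thread above turns on three different ways an OSSEC rule can select a log line: `<match>` (a plain substring search), `<regex>` (OSSEC's own regex dialect) and `<program_name>` (a field the decoder has to populate first). The following is an added example, not code from the thread or from the OSSEC project: it models those three conditions in Python and runs them over a constructed decoded log line that begins with 'polkitd(authority=local)', as the logtest output quoted in the thread does. The semantics are my assumptions from the OSSEC documentation: in `<match>` only `^`, `$` and `|` are special and a backslash is literal, while in `<regex>` `\.` means "any character" and `*`/`+` are quantifiers. The `rule_fires` function, the event dictionary and the log text are all constructed for illustration.

```python
import re

# Constructed sample: the decoded "log" field as ossec-logtest would show it
# (header already stripped). Only the 'polkitd(authority=local)' prefix is
# taken from the thread; the rest of the line is made up.
DECODED_LOG = (
    "polkitd(authority=local): Registered Authentication Agent "
    "for unix-process:4242:17 (system bus name :1.99, locale en_US.UTF-8)"
)

# Constructed event: program_name is deliberately something other than
# 'polkitd', standing in for the top post's "doesn't match program_name in
# the decoder". Which exact value the real decoder yields is not on the page.
EVENT = {"program_name": None, "log": DECODED_LOG}


def ossec_match(pattern: str, text: str) -> bool:
    """Model of <match>: each '|' alternative is a literal substring search.
    '^' anchors to the start, '$' to the end; a backslash is NOT an escape."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        needle = alt[1:] if at_start else alt
        needle = needle[:-1] if at_end else needle
        if at_start and at_end:
            hit = text == needle
        elif at_start:
            hit = text.startswith(needle)
        elif at_end:
            hit = text.endswith(needle)
        else:
            hit = needle in text
        if hit:
            return True
    return False


# OSSEC regex escapes -> Python re equivalents (approximation; OSSEC's \w and
# \p cover slightly different character sets than Python's).
_OSSEC_ESCAPES = {
    r"\.": ".",     # OSSEC: any single character
    r"\d": r"\d",   # digit
    r"\s": r"\s",   # whitespace
    r"\w": r"\w",   # word character (approximate)
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate the OSSEC <regex> dialect into a Python regex.
    A bare '.' is a literal dot in OSSEC, so it is escaped here."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            # Unknown escapes fall back to the escaped literal character.
            out.append(_OSSEC_ESCAPES.get(tok, re.escape(tok[1])))
            i += 2
        elif ch in "*+^$|()":
            out.append(ch)          # these keep their meaning in both dialects
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def ossec_regex(pattern: str, text: str) -> bool:
    """Model of <regex>: unanchored search using the translated pattern."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


def rule_fires(rule: dict, event: dict) -> bool:
    """Evaluate the subset of rule conditions used in the thread.
    Every condition present in the rule must hold for it to fire."""
    if "program_name" in rule and event.get("program_name") != rule["program_name"]:
        return False
    if "match" in rule and not ossec_match(rule["match"], event["log"]):
        return False
    if "regex" in rule and not ossec_regex(rule["regex"], event["log"]):
        return False
    return True


if __name__ == "__main__":
    for rule in (
        {"match": r"polkitd\.*"},         # the thread's failing rule
        {"match": "polkitd"},             # literal substring: fires
        {"regex": r"polkitd\.*"},         # OSSEC regex: fires
        {"regex": r"pollkitd\.+"},        # typo in the name: does not fire
        {"program_name": "polkitd"},      # decoder did not yield 'polkitd'
    ):
        print(rule, "->", rule_fires(rule, EVENT))
```

Running the block shows why the `<match>polkitd\.*</match>` rule never fired: `<match>` looks for the six characters `\.*` literally, so the plain `<match>polkitd</match>` (or the same pattern inside `<regex>`) is what selects the line, and a `<program_name>` condition only helps once the decoder actually extracts that field with the expected value.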
