In message <5133f3d4.6050...@gmail.com>,
Jeffrey Starin writes:

>First off, when a rule is entered as such:
>
>    pattern=[INFO] (.+)@domain.com is now logged in

If this is a regexp, [INFO] is a character class definition, meaning it
will match any one character between the []'s. I guess you want [INFO]
to literally match the word INFO surrounded by brackets.

So you need \[INFO\] not [INFO] in your regexp pattern.

>does sec look for any match within the string or must it match the 
>string perfectly?

If you don't anchor it with ^ and $ (see any perl regexp reference) it
will match any substring and does not have to match from the beginning
to the end of the string.

>the reason I'm asking is I have log files that look like this in 
>/var/log/messages:
>
>    Mar  3 18:36:43 who pure-ftpd: (?@546.45.55.321) [INFO]
>    admin-bac...@domain.com is now logged in
>
>    Mar  3 18:33:37 who pure-ftpd:
>    (admin-bac...@domain.com@546.45.55.321) [NOTICE]
>    /home/domain/public_html/admin-backup//Client-contacts.xls
>    downloaded  (10112 bytes, 116344.81KB/sec)
>
>
>and I want alerts sent to me via email when either 1) someone ftp to the 
>account, or 2) downloads a file via ftp.
>
>and I have two separate .cfg files that I want to match on (although I'm 
>struggling to find out how I can have one .cfg file for two separate 
>rules -- haven't figured out how to do that yet).

I am not sure what you mean; a config file can have many rules. Each
additional rule starts with a type= line.

You just keep adding rules to a .cfg file.

>Anyway, the rules.cfg file has:
>
>
>    type=Single
>    ptype=RegExp
>    pattern=(admin-backup)@domain.com is now logged in
>    desc=successful FTP login for account $1
>    action=pipe '$0' /bin/mail -s "$1 logged in! " m...@gmail.com
>
>
>and rules-download.cfg has:
>
>    type=Single
>    ptype=RegExp
>    pattern=[NOTICE](.) downloaded
>    desc=successful FTP download
>    action=pipe '$0' /bin/mail -s "FTP download!" m...@gmail.com
>
>
>Although these rules do indeed send emails, an email is sent saying 
>someone has logged in when they are downloading, and that is not the 
>intent, despite having [NOTICE] as the pattern in the rules-download.cfg 
>file.

Again, your regular expression patterns don't mean what you think they
mean. If you are going to capture info (by surrounding them with
parens: ()) you have to use pattern=RegExp (as you have done) and
provide a valid regexp.


My guess is things will start working better once you create valid regexps.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
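
The escaping and anchoring points from the reply above, as an added example that is not part of the original message or of SEC. Python's `re` stands in for the Perl regexps SEC evaluates (the two behave the same for these constructs); the log lines, the `testuser` account, the 192.0.2.10 address, the NOISE line and the `(\S+)` path capture are constructed for illustration.

```python
import re

# Constructed sample lines in the pure-ftpd syslog format quoted above
# (account name, address and path are made up for this example).
LOGIN = ("Mar  3 18:36:43 who pure-ftpd: (?@192.0.2.10) [INFO] "
         "testuser@domain.com is now logged in")
DOWNLOAD = ("Mar  3 18:33:37 who pure-ftpd: (testuser@domain.com@192.0.2.10) "
            "[NOTICE] /home/domain/public_html/report.xls downloaded  "
            "(10112 bytes, 116344.81KB/sec)")
# Constructed unrelated line that a character-class pattern hits by accident.
NOISE = "Mar  3 18:40:00 who cron: INFO bob@domain.com is now logged in"

# Patterns as posted: [INFO] and [NOTICE] are character classes here,
# each matching exactly one of the listed letters.
LOGIN_AS_POSTED = r"[INFO] (.+)@domain.com is now logged in"
DOWNLOAD_AS_POSTED = r"[NOTICE](.) downloaded"

# Brackets escaped so they match literally; the dot in the domain is
# escaped as well. The (\S+) path capture is this example's own choice.
LOGIN_FIXED = r"\[INFO\] (.+)@domain\.com is now logged in"
DOWNLOAD_FIXED = r"\[NOTICE\] (\S+) downloaded"


def first_group(pattern, line):
    """Unanchored substring search; returns capture group 1 or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def classify(line):
    """Apply both fixed patterns in order, like two rules in one .cfg file."""
    user = first_group(LOGIN_FIXED, line)
    if user is not None:
        return ("login", user)
    path = first_group(DOWNLOAD_FIXED, line)
    if path is not None:
        return ("download", path)
    return ("unmatched", None)


if __name__ == "__main__":
    for name, line in (("LOGIN", LOGIN), ("DOWNLOAD", DOWNLOAD), ("NOISE", NOISE)):
        print(name, "| as posted:", first_group(LOGIN_AS_POSTED, line),
              first_group(DOWNLOAD_AS_POSTED, line), "| fixed:", classify(line))
```

The posted patterns miss both real-format lines and match the unrelated NOISE line, while the escaped patterns separate login from download events; prefixing `^` to a fixed pattern stops it matching, because each line starts with the syslog timestamp.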