Logfile Regexp Macros

The macros in the sample logfile_regexp_macros.cfg configuration file below specify regular expressions for things to watch out for in log files, or things to ignore.

///////////////////////////////////////////////////////////////////////////////
//
// logfile_regexp_macros.cfg -- logfile regular expressions
//
///////////////////////////////////////////////////////////////////////////////
 
redflags        fail|error| err |die|down|seg.*fault|terminate|attack|abort

yellowflags     warn|no such|broken|invalid|attempt|time(d )*out|reset|corrupt|
                not responding| bad |going down|unauthorized|exception|halt|
                authentication|obsolete|not ready|not found|abnormal|correctable|
                unexpected|please enable|can.t find|unable to|no device found|
                too many|is bad|can.t read|corrected|does not setup|inconsistent|
                fixed|runaway|mismatch| is off|overdue|could not be|quirk detected|
                cannot allocate|spurious|is the server up
                // disabled -- too many instances of this!
                // disabling -- and so too this?

nonesuch        nonesuch

syslogeverythingbypasses        postfix|download|obsolete setsockopt|
                                using 160 bit message hash|session closed|
                                reset low speed usb device|soft reset|
                                soft_reset|shutting down cleanly|
                                failed to start vnc sessions|
                                gconf server is not in use|
                                shutting down for system reboot|
                                write protect

syslogkernelbypasses            root@|root=/dev/|exception support|
                                exception polling|mounted root|
                                obsolete setsockopt|assume root bridge|
                                reset.+speed usb|set_dentry_child_flags|
                                pcie_portdrv_probe->dev.+ has invalid irq|
                                write protect|too many iterations.+nv_nic_irq|
                                analog subsections not ready|
                                changing to secondary root

dmesgbypasses                   process.+nslookup.+is using obsolete setsockopt|
                                pcie_portdrv_probe->.+has invalid irq|
                                exception support|exception polling|
                                obsolete setsockopt|reset.+speed usb|
                                but calls wait|man 2 wait|
                                failed to allocate mem resource|sata link down|
                                scsi0: aen: warning|set_dentry_child_flags|
                                write protect|fixed bufsize|
                                handling phase mismatch|
                                too many iterations.+nv_nic_irq|
                                analog subsections not ready
 
///////////////////////////////////////////////////////////////////////////////

You might use the =redflags & =yellowflags macros in a script, for example:

        rule    // for flagged stuff, report and log
                if (    $il =~~ "=redflags"
                     || $il =~~ "=yellowflags"
                   )
                        output mail $il
                        =output_alarm_log($il)
                        next
                endif

In the DmesgScan script specification, you might pass the =dmesgbypasses macro to the =dmesg_scan script macro, for example:

DmesgScan
#if munich
        =dmesg_scan(hub 2-1|hub_port_status failed|reset low speed USB device|
                    =dmesgbypasses)
#else
        =dmesg_scan(=dmesgbypasses)
#endif

For more examples, see Samples.