Logfile Regexp Macros
The macros in the sample logfile_regexp_macros.cfg configuration file below specify regular expressions for things to watch out for in log files, or things to ignore.
///////////////////////////////////////////////////////////////////////////////
//
// logfile_regexp_macros.cfg -- logfile regular expressions
//
///////////////////////////////////////////////////////////////////////////////
redflags fail|error| err |die|down|seg.*fault|terminate|attack|abort
yellowflags warn|no such|broken|invalid|attempt|time(d )*out|reset|corrupt|
not responding| bad |going down|unauthorized|exception|halt|
authentication|obsolete|not ready|not found|abnormal|correctable|
unexpected|please enable|can.t find|unable to|no device found|
too many|is bad|can.t read|corrected|does not setup|inconsistent|
fixed|runaway|mismatch| is off|overdue|could not be|quirk detected|
cannot allocate|spurious|is the server up
// disabled -- too many instances of this!
// disabling -- and so too this?
nonesuch nonesuch
syslogeverythingbypasses postfix|download|obsolete setsockopt|
using 160 bit message hash|session closed|
reset low speed usb device|soft reset|
soft_reset|shutting down cleanly|
failed to start vnc sessions|
gconf server is not in use|
shutting down for system reboot|
write protect
syslogkernelbypasses root@|root=/dev/|exception support|
exception polling|mounted root|
obsolete setsockopt|assume root bridge|
reset.+speed usb|set_dentry_child_flags|
pcie_portdrv_probe->dev.+ has invalid irq|
write protect|too many iterations.+nv_nic_irq|
analog subsections not ready|
changing to secondary root
dmesgbypasses process.+nslookup.+is using obsolete setsockopt|
pcie_portdrv_probe->.+has invalid irq|
exception support|exception polling|
obsolete setsockopt|reset.+speed usb|
but calls wait|man 2 wait|
failed to allocate mem resource|sata link down|
scsi0: aen: warning|set_dentry_child_flags|
write protect|fixed bufsize|
handling phase mismatch|
too many iterations.+nv_nic_irq|
analog subsections not ready
///////////////////////////////////////////////////////////////////////////////
You might use the =redflags & =yellowflags macros in a script, for example:
rule // for flagged stuff, report and log
if ( $il =~~ "=redflags"
|| $il =~~ "=yellowflags"
)
output mail $il
=output_alarm_log($il)
next
endif
In the DmesgScan script specification, you might pass the =dmesgbypasses macro to the =dmesg_scan script macro, for example:
DmesgScan
#if munich
=dmesg_scan(hub 2-1|hub_port_status failed|reset low speed USB device|
=dmesgbypasses)
#else
=dmesg_scan(=dmesgbypasses)
#endif
For more examples, see Samples.
