
Logfile matching

From: Christian Hopp
Subject: Logfile matching
Date: Fri, 5 Aug 2005 12:10:58 +0200 (CEST)


Logfile matching for file checks has been added to the CVS.  The
syntax is the following:

  IF [NOT] MATCH {regex|path} THEN action
  IGNORE [NOT] MATCH {regex|path}

regex  : extended regular expression (POSIX 1003.2, see regex(7)) or, if
         no regex support is available, a "sub-string"
path   : file containing an extended regular expression (and only the regular
         expression, NO comments!)... see also regex
action : the action which is triggered on a match (see man page for
         the available actions)

Matches are being done on the first 511 bytes of fully completed
lines! (No '\n', no matching!)  The matching happens in the first cycle
the line is completed with a '\n'.

IGNORE rules have precedence over IF rules!  Any line matching an
IGNORE rule is not further examined.  Any regex matching an IF rule
causes an action (-> one line can cause multiple, even the same
actions if more than one matching rule exists!).

NOT inverts the rule.  Thus, the action is triggered by a line not matching
the given rule (the same applies for IGNORE NOT MATCH).

This implementation can be used e.g. for realtime logcheck (as
logcheck does, but cron'ed).  Because of the additional feature of
per-rule actions the performance is two times slower than
e.g. logcheck.  110000 lines of real life logfiles (syslog+auth.log),
90 if rules, 700 ignore rules and with 90 alerts took 25s using monit
and 12s using logcheck on a P-M 1.7GHz.

Happy matching,


Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
TU Clausthal, Leibnizstr. 28, 38678 Clausthal-Zellerf.   fax: +49-5323-72-3197
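The rule semantics described in the post (IGNORE takes precedence over IF, NOT inverts a rule, every matching IF rule fires its action, only '\n'-terminated lines are examined, and only their first 511 bytes), as an added Python model. This is example code written for this page, not monit's own implementation: the double-quoted regex syntax in the rule text, the `Rule`/`parse_rules`/`process` names and the sample syslog lines are all constructed here; the `path` form (regex loaded from a file) is not modeled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_MATCH_BYTES = 511  # from the post: only the first 511 bytes of a line are matched


@dataclass
class Rule:
    kind: str                 # "IF" or "IGNORE"
    negate: bool              # the NOT keyword
    pattern: re.Pattern
    action: Optional[str]     # only IF rules carry a THEN action


# Assumed rule-text syntax for this example: the regex is double-quoted.
RULE_RE = re.compile(r'^(IF|IGNORE)\s+(NOT\s+)?MATCH\s+"([^"]*)"(?:\s+THEN\s+(\S+))?\s*$')


def parse_rules(text: str) -> List[Rule]:
    """Parse 'IF [NOT] MATCH "regex" THEN action' / 'IGNORE [NOT] MATCH "regex"' lines."""
    rules = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"bad rule: {raw}")
        kind, neg, regex, action = m.groups()
        if (kind == "IF") != (action is not None):
            raise ValueError(f"IF needs a THEN action, IGNORE takes none: {raw}")
        rules.append(Rule(kind, neg is not None, re.compile(regex), action))
    return rules


def rule_matches(rule: Rule, line: str) -> bool:
    """Apply one rule to the first 511 bytes of a line; NOT inverts the result."""
    window = line.encode("utf-8", "surrogateescape")[:MAX_MATCH_BYTES].decode("utf-8", "ignore")
    hit = rule.pattern.search(window) is not None
    return hit != rule.negate


def evaluate(rules: List[Rule], line: str) -> List[str]:
    """Return the actions triggered for one completed line."""
    # IGNORE rules take precedence: a matching IGNORE ends examination of the line
    for r in rules:
        if r.kind == "IGNORE" and rule_matches(r, line):
            return []
    # every matching IF rule fires, so one line can trigger the same action twice
    return [r.action for r in rules if r.kind == "IF" and rule_matches(r, line)]


def process(rules: List[Rule], buf: str) -> Tuple[List[Tuple[str, List[str]]], str]:
    """Match only '\\n'-terminated lines; return (results, unterminated remainder)."""
    parts = buf.split("\n")
    complete, rest = parts[:-1], parts[-1]
    return [(ln, evaluate(rules, ln)) for ln in complete], rest


# Constructed rule set: two IGNORE rules, two IF rules, one inverted IF rule.
RULES = parse_rules(r"""
IGNORE MATCH "Accepted publickey"
IGNORE MATCH "CMD \(run-parts"
IF MATCH "Failed password" THEN alert
IF MATCH "root" THEN alert
IF NOT MATCH "^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} " THEN exec
""")

# Constructed sample input (not real log data); the last line has no trailing '\n'.
SAMPLE = (
    "Aug  5 12:00:01 host sshd[123]: Failed password for root from 192.0.2.10 port 22 ssh2\n"
    "Aug  5 12:00:02 host sshd[124]: Accepted publickey for alice from 192.0.2.11\n"
    "Aug  5 12:00:03 host cron[5]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "not-a-syslog-line\n"
    "Aug  5 12:00:05 host app[1]: " + "x" * 600 + " Failed password\n"
    "Aug  5 12:00:04 host sshd[125]: Failed password for"
)

if __name__ == "__main__":
    results, rest = process(RULES, SAMPLE)
    for line, actions in results:
        print(f"{actions!r:20} {line[:60]}")
    print("not yet matched (no newline):", rest)
```

Running it shows the first line firing `alert` twice (both IF rules match), the publickey and cron lines suppressed by IGNORE even though the cron line contains "root", the malformed line caught by the NOT rule, the over-long line not firing because "Failed password" lies beyond byte 511, and the unterminated last line held back until its '\n' arrives.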
