<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Thank you!!! Now multiple ignore patterns work correctly!<br>
<br>
LOG /var/log/syslog %password|error|fail|changed|tcpd|Accepted
COLOR=red
IGNORE=%plugin\screate\sstatement\sfrom\suserPassword|plugin\sdoing\squery\sELECTTTT<br>
LOG /var/log/auth.log %password|error|fail|changed|tcpd|Accepted
COLOR=red
IGNORE=%plugin\screate\sstateeement\sfrom\suserPassword|plugin\sdoing\squery\sSELECT<br>
<br>
Steve Holmes wrote:
<blockquote
cite="mid43be87180705240648m5ce66c3bvd3c462bc515fb0b9@mail.gmail.com"
type="cite">Thanks, Craig. I'm going to try this trick. But even
single words aren't working reliably for me.<br>
Steve Holmes<br>
<br>
<br>
<div><span class="gmail_quote">On 5/24/07, <b
class="gmail_sendername">Dominique Frise</b> &lt;<a
href="mailto:Dominique.Frise@unil.ch">Dominique.Frise@unil.ch</a>&gt;
wrote:</span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Craig
Cook wrote:
<br>
> While we are asking questions about the pcre handling...<br>
><br>
> Has anyone managed to use a rule with spaces?<br>
><br>
> ie.<br>
><br>
> LOG /var/log/syslog "%disk full" COLOR=red<br>
>
<br>
> I have tried using quotes, escaping quotes, escaping spaces,
etc. Nothing has worked. Reduced to individual words to get something
working.<br>
><br>
><br>
> Craig Cook<br>
> --<br>
> Systems Monitoring Consulting and Support Services
<br>
> <a href="http://www.cookitservices.com">http://www.cookitservices.com</a><br>
><br>
><br>
Spaces should work but we use \s to represent spaces.<br>
<br>
Example:<br>
<br>
LOG /var/adm/messages.da %(?-i)Fail|fail|On\sbattery|AC\sline\sfault|Replace\sbattery|Battery\snot COLOR=yellow<br>
<br>
The (?-i) tells pcre to turn case-sensitive pattern matching on.<br>
<br>
<br>
Dominique<br>
UNIL - University of Lausanne<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
</blockquote>
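<p>The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Hobbit's own code: a small Python model of a LOG rule with a match pattern and an IGNORE pattern, run over constructed log lines. It assumes the rule line is split on whitespace and that patterns are case-insensitive unless they start with (?-i); the function names, rules and sample lines are made up for illustration, and Python's re module stands in for pcre.</p>

```python
import re

def parse_log_rule(line):
    # Assumption: the rule is split on whitespace, so a literal space ends a token.
    tokens = line.split()
    if tokens[:1] != ["LOG"] or not tokens[2:]:
        raise ValueError("not a LOG rule: %r" % line)
    rule = {"file": tokens[1], "match": tokens[2], "color": None, "ignore": None}
    for tok in tokens[3:]:
        key, _, value = tok.partition("=")
        if key == "COLOR":
            rule["color"] = value
        elif key == "IGNORE":
            rule["ignore"] = value
    return rule

def compile_pattern(text):
    # Strip the leading % marker. Assumption: matching is case-insensitive
    # unless the expression starts with (?-i), as described in the thread.
    expr = text[1:] if text.startswith("%") else text
    flags = re.IGNORECASE
    if expr.startswith("(?-i)"):
        expr, flags = expr[len("(?-i)"):], 0
    return re.compile(expr, flags)

def alerts(rule_line, log_lines):
    # Lines that hit the match pattern and are not removed by IGNORE.
    rule = parse_log_rule(rule_line)
    match = compile_pattern(rule["match"])
    ignore = compile_pattern(rule["ignore"]) if rule["ignore"] else None
    return [l for l in log_lines
            if match.search(l) and not (ignore and ignore.search(l))]

# Constructed sample data, not taken from a real host.
SAMPLE_LOG = [
    "sshd[811]: Failed password for root from 192.0.2.7",
    "slapd[402]: plugin create statement from userPassword",
    "slapd[402]: plugin doing query SELECT uid FROM users WHERE userPassword=?",
    "kernel: disk full on /var",
    "cron[99]: job finished",
]
RULE_ESCAPED = (r"LOG /var/log/syslog %password|fail|disk\sfull COLOR=red "
                r"IGNORE=%plugin\screate\sstatement\sfrom\suserPassword"
                r"|plugin\sdoing\squery\sSELECT")
RULE_QUOTED = 'LOG /var/log/syslog "%disk full" COLOR=red'
RULE_CASED = r"LOG /var/adm/messages %(?-i)Fail|fail|On\sbattery COLOR=yellow"

if __name__ == "__main__":
    for rule in (RULE_ESCAPED, RULE_QUOTED, RULE_CASED):
        print(rule, "->", alerts(rule, SAMPLE_LOG))
```

<p>Under these assumptions the quoted rule yields no alerts because the token holding the pattern ends at the first space, while the \s form alerts on the failed login and the full disk and suppresses both plugin lines.</p>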
</body>
</html>