<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Try using this syntax (changing space with \s + pcre)<br>
<font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">
LOG
/var/log/messages %authentication\sfailure color=yellow</span></font><br>
<pre class="moz-signature" cols="72">Giovanni M. Frainer - Gestor</pre>
<br>
<br>
Sello Tlabela (SD) wrote:
<blockquote
cite="mid0FCB0C3BC8BE584FA197966505EB085F04F59042@CNTRRA20-XCS00.telkom.co.za"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName">
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.emailstyle17
{font-family:Arial;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</o:SmartTagType>
<div class="Section1">
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;">Hi </span></font><font
face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US">Manocchia,<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US">It could be
access rights, if you are running hobbit
using the init script it will run as user hobbit and make sure that
hobbit user
can read /var/log/messages<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US">Regards<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><st1:PersonName w:st="on"><font face="Tahoma"
size="2"><span style="font-size: 10pt; font-family: Tahoma;"
lang="EN-US">Sello Tlabela</span></font></st1:PersonName><font
color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
<div>
<div class="MsoNormal" style="text-align: center;" align="center"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;"
lang="EN-US">
<hr tabindex="-1" align="center" size="2" width="100%"></span></font></div>
<p class="MsoNormal"><b><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma; font-weight: bold;"
lang="EN-US">From:</span></font></b><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;" lang="EN-US">
Manocchia, Robert [<a class="moz-txt-link-freetext" href="mailto:Robert-Manocchia@IDEXX.com">mailto:Robert-Manocchia@IDEXX.com</a>] <br>
<b><span style="font-weight: bold;">Sent:</span></b> 05 June 2007
21:38<br>
<b><span style="font-weight: bold;">To:</span></b> '<st1:PersonName
w:st="on"><a class="moz-txt-link-abbreviated" href="mailto:hobbit@hswn.dk">hobbit@hswn.dk</a></st1:PersonName>'<br>
<b><span style="font-weight: bold;">Subject:</span></b> [hobbit] LOG
alert not
showing yellow</span></font><span lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">I have a
small problem. I’ve set up monitoring
of the /var/log/messages logfile to search for the string
“authentication
failure” and alert with a yellow button in the MSG column. I can see
the
error displayed when I click on the button below the Msg column header
but it
does not turn yellow.</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> Below is
the entry in the clients-local.cfg
file:</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">[batman]</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">log:/var/log/messages:10240</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">ignore MARK</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">This is the
entry in the hobbit-clients.cfg file:</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">HOST=batman</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">
LOG
/var/log/messages authentication
failure color=yellow</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">Why doesn’t
this give me a yellow alert.</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> Thanks</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US"> </span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">Robert
Manocchia</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">UNIX System
Administrator</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">IDEXX
Laboratories</span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">207 556-6860</span></font><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial;" lang="EN-US">EMail
<a class="moz-txt-link-abbreviated" href="mailto:Robert-Manocchia@idexx.com">Robert-Manocchia@idexx.com</a></span></font><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;" lang="EN-US"> <o:p></o:p></span></font></p>
</div>
<table>
<tbody>
<tr>
<td bgcolor="#ffffff"><font color="#000000">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
This e-mail and its contents are subject to the Telkom SA Limited<br>
e-mail legal notice available at <br>
<a class="moz-txt-link-freetext" href="http://www.telkom.co.za/TelkomEMailLegalNotice.PDF">http://www.telkom.co.za/TelkomEMailLegalNotice.PDF</a><br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
</font></td>
</tr>
</tbody>
</table>
</blockquote>
</body>
</html>