<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>
<!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Tahoma}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
p
        {margin-right:0in;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif"}
span.EmailStyle18
        {font-family:"Arial","sans-serif";
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none}
span.EmailStyle19
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
span.EmailStyle20
        {font-family:"Arial","sans-serif";
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none}
span.apple-style-span
        {}
span.EmailStyle22
        {font-family:"Arial","sans-serif";
        color:#993366}
span.BalloonTextChar
        {font-family:"Tahoma","sans-serif"}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:1.0in 1.25in 1.0in 1.25in}
div.WordSection1
        {}
-->
</style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">I have had no luck using client-local.cfg to ignore eventlog messages.</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366"> </span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">Here is the ugliness that I am using to ignore the mass quantities of garbage coming from our M$ servers.  This line is in analysis.cfg (as you did, I also have a couple of defined messages that generate red alerts – all the rest are yellow):</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366"> </span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">CLASS=win32</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">LOG %eventlog_system* %Disk\s\(11\) COLOR=red</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">LOG %eventlog_* %error\s-\s201|%failure\s-\s201 COLOR=yellow IGNORE=%18210\s\:\sBackupMedium|\(18456\)|3041\s\:\sBACKUP\sfailed|Application\sPopup|ASP\.NET|BigBrotherHobbitClient|BROWSER\s\(8032\)|crypt32|DCOM|Dhcp|EmailSender|Eventlog|eFaxIntegrator|EventSystem\s\(4621\)|FCSAM|iaexdm|iaexidx|information\s-\s|KDC\s\(11\)|LicenseService|Microsoft\sOffice|Microsoft\sOperations\sManager\s\(|Microsoft-Windows-GroupPolicy|MRxSmb|
 |\.NET\sRuntime|NETLOGON|PerfDisk|Perflib|PlugPlayManager|Print\s\(|ProcessFeedback|rasctrs|Report\sServer\sWindows\sService|rsyncd|Schannel|Service\sControl\sManager|SmsClient\s\(10006\)|SSPI\shandshake\sfailed\swith\serror|Storage\sAgents\s\(1065\)|TermDD|TermServ|Userenv|W3Ctrs|W3SVC|WinMgmt\s</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366"> </span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366">I think this demonstrates well how you can successfully ignore messages.</span></p>
<div>
<p class="MsoNormal" style=""><span style="font-family:"Arial","sans-serif"; color:#1F497D">Thanks,
</span></p>
<p class="MsoNormal" style=""><span style="font-family:"Arial","sans-serif"; color:#1F497D">John
</span></p>
<p class="MsoNormal" style=""><span style="font-family:"Arial","sans-serif"; color:#1F497D">_____________________________________________________________________
</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">John Rothlisberger</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">IT Strategy, Infrastructure & Security - Technology Growth Platform</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">TGP for Business Process Outsourcing</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">Accenture</span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">312.693.3136 office<b></b></span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#1F497D">_____________________________________________________________________
</span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"; color:#993366"> </span></p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> xymon-bounces@xymon.com [mailto:xymon-bounces@xymon.com]
<b>On Behalf Of </b>Neil Simmonds<br>
<b>Sent:</b> Wednesday, September 28, 2011 6:18 AM<br>
<b>To:</b> xymon@xymon.com<br>
<b>Subject:</b> [Xymon] FW: FW: Regular expression</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">With some assistance from users on here I’ve finally managed to get this working after starting with
<span class="apple-style-span">LOG %.* %.*error.* COLOR=red</span>. Some careful and staged refinement of the regex got me to this,</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">LOG %application "%Backup Exec System Recovery.{1,50}Error.*" COLOR=red</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">That seems to work fine and gives me the level of granularity for the failures that I wanted.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">Thanks to all who helped.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> Lerch, Alfred
<a href="mailto:[mailto:alfred_lerch@mentor.com]">[mailto:alfred_lerch@mentor.com]</a>
<br>
<b>Sent:</b> 28 September 2011 11:58<br>
<b>To:</b> Neil Simmonds<br>
<b>Subject:</b> RE: [Xymon] FW: Regular expression</span></p>
</div>
<p class="MsoNormal"><span lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">It took me quite a bit of trial and horror to get log ignores to work with BBWin in central mode – and it isn’t nice…</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">I had a lot of PowerShell entries to suppress.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Basically neither ignoring event types like success, informational etc. nor ignoring by event number seem to work. I finally went for</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">ANALYSIS.CFG</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">CLASS=mywinserver</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">        LOG     %.*  %^critical.* COLOR=red</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">        LOG     %.*  %^error.* COLOR=red</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">        LOG     %.*  %^failure.* COLOR=red</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">        LOG     %.*  %^warning.* COLOR=yellow</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">CLIENT-LOCAL.CFG</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">[mywinserver]</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">eventlog:windows powershell:5120</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">ignore Engine state is changed from None to Available</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">etc etc etc
</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">And make sure you are using the class in your bbwin.cfg on the client.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Good luck</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Alfred
</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">
<a href="mailto:xymon-bounces@xymon.com">xymon-bounces@xymon.com</a> <a href="mailto:[mailto:xymon-bounces@xymon.com]">
[mailto:xymon-bounces@xymon.com]</a> <b>On Behalf Of </b>Neil Simmonds<br>
<b>Sent:</b> Friday, 23 September 2011 15:37<br>
<b>To:</b> <a href="mailto:xymon@xymon.com">xymon@xymon.com</a><br>
<b>Subject:</b> [Xymon] FW: Regular expression</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">Thanks for that Daniel,</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">It’s still not working. I’ve even reduced it down to the following,</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">LOG eventlog:application Error COLOR=red</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">I’ve also tried</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">LOG eventlog_application Error COLOR=red</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">And</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">LOG application Error COLOR=red</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">All with no success. These entries are all in analysis.cfg on the server and the BBWin agent is running in central mode.</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">I’d really like to get this working if anyone can help?</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue"> </span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">Regards,</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt; font-family:"Arial","sans-serif"; color:blue">Neil.</span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">
<a href="mailto:xymon-bounces@xymon.com">xymon-bounces@xymon.com</a> <a href="mailto:[mailto:xymon-bounces@xymon.com]">
[mailto:xymon-bounces@xymon.com]</a> <b>On Behalf Of </b>McDonald, Dan<br>
<b>Sent:</b> 22 September 2011 16:43<br>
<b>To:</b> Xymon<br>
<b>Subject:</b> Re: [Xymon] Regular expression</span></p>
</div>
<p class="MsoNormal"><span lang="EN-GB"> </span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB"> </span></p>
<p style="margin-bottom:12.0pt"><span lang="EN-GB" style="font-size:10.0pt">On 9/22/11 7:54 AM, "Neil Simmonds" <<a href="mailto:Neil.Simmonds@express-gifts.co.uk">Neil.Simmonds@express-gifts.co.uk</a>><br>
wrote:<br>
<br>
> Hi all,<br>
> <br>
> I'm trying to monitor a Windows event log for an error,<br>
> <br>
> I've got BBWin 0.12 installed in central mode and I've successfully got the<br>
> eventlogs showing up in messages,<br>
> <br>
> However if I get an error from Backup Exec similar to this,<br>
> <br>
> error - 2011/09/22 13:30:00 - Backup Exec System Recovery (100) - Error<br>
> EC8F17B7: Cannot create recovery points for job: BACKUP_SCHED_01_30_SAT. Error<br>
> E7B70001: Win32/Win64 API DeviceIoControl(IOCTL_VSNAP_VDIFF_STOP) failed.<br>
> Error EBAB03F1: The device does not recognize the command. Details: 0xE7B70001<br>
> Source: Backup Exec System Recovery<br>
> <br>
> Despite the fact that I have this, "LOG eventlog:Application %(Backup Exec<br>
> System Recovery\.+?|Error) COLOR=yellow" in my analysis.cfg file the color<br>
> doesn't change.<br>
<br>
Why did you escape the . ?  If you remove the \ in front of the ., it might<br>
work better.<br>
<br>
I don't think you need to specify greediness either.<br>
<br>
In other projects we tend to be very suspicious of unqualified .+<br>
expansions, as they can consume a lot of memory.  You might try something<br>
like:<br>
%(Backup Exec System Recovery.{1,50}Error)<br>
<br>
That is read as "look for the exact words "Backup Exec System Recovery",<br>
followed by the word "Error" no more than 50 characters later..."<br>
<br>
<br>
--<br>
Daniel J McDonald, CCIE # 2495, CISSP # 78281</span><span lang="EN-GB"></span></p>
<p class="MsoNormal"><span lang="EN-GB"><br>
Name & Registered Office: EXPRESS GIFTS LIMITED, 2 GREGORY ST, HYDE, CHESHIRE, ENGLAND, SK14 4TH, Company No. 00718151.<br>
Express Gifts Limited is authorised and regulated by the Financial Services Authority<br>
-------------<br>
NOTE: This email and any information contained within or attached in a separate file is confidential and intended solely for the Individual to whom it is addressed. The information or data included is solely for the purpose indicated or previously agreed. Any
 information or data included with this e-mail remains the property of Findel PLC and the recipient will refrain from utilising the information for any purpose other than that indicated and upon request will destroy the information and remove it from their
 records. Any views or opinions presented are solely those of the author and do not necessarily represent those of Findel PLC. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding,
 printing, or copying of this email is strictly prohibited. No warranties or assurances are made in relation to the safety and content of this e-mail and any attachments. No liability is accepted for any consequences arising from it. Findel Plc reserves the
 right to monitor all e-mail communications through its internal and external networks. If you have received this email in error please notify our IT helpdesk on +44(0) 1254 303030</span></p>
</div>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="2">Subject to local law, communications with Accenture and its affiliates including telephone calls and emails (including content), may be monitored by our systems for the purposes of security and the assessment of internal
 compliance with Accenture policy.<br>
______________________________________________________________________________________<br>
<br>
www.accenture.com<br>
</font>
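<p class="MsoNormal">An added example, not part of any message in this thread: a small Python harness for trying a LOG pattern and its IGNORE list against sample event lines before putting them in analysis.cfg, so that a suppression entry does not hide more than intended. It uses patterns quoted in the thread (with the leading "%" removed) and a shortened IGNORE list. The assumptions are that Python's re module stands in for the server's regex engine, that matching is case-sensitive and unanchored over the whole line, and that the most severe firing rule wins; all sample lines except the Backup Exec one are constructed.</p>

```python
import re

SEVERITY = {"green": 0, "yellow": 1, "red": 2}

# (pattern, color, ignore) as they would follow the "%" in analysis.cfg.
# Patterns come from the thread; the IGNORE list is a shortened subset.
IGNORE = r"Schannel|Service\sControl\sManager|information\s-\s"
RULES = [
    (r"Backup Exec System Recovery.{1,50}Error", "red", None),
    (r"error\s-\s201", "yellow", IGNORE),
]

# Sample lines in the "type - date - source (id) - text" shape quoted in the
# thread. Only "backup" is taken from the thread; the rest are constructed.
PREFIX = "error - 2011/09/22 13:30:00 - "
LINES = {
    "backup": PREFIX + "Backup Exec System Recovery (100) - Error EC8F17B7: "
              "Cannot create recovery points for job: BACKUP_SCHED_01_30_SAT.",
    "far": PREFIX + "Backup Exec System Recovery (100) - " + "x" * 60 + " Error",
    "schannel": PREFIX + "Schannel (36888) - constructed sample text",
    "mention": PREFIX + "MyService (1) - Service Control Manager could not "
               "start it (constructed)",
}


def rule_outcome(line, pattern, color, ignore):
    """Return the color one rule assigns to the line, or None if it is silent."""
    if not re.search(pattern, line):
        return None
    if ignore and re.search(ignore, line):
        return None  # matched, but suppressed by the IGNORE expression
    return color


def evaluate(line, rules=RULES):
    """Assumed model: the most severe color among firing rules, else green."""
    colors = [c for c in (rule_outcome(line, *rule) for rule in rules) if c]
    return max(colors, key=SEVERITY.get, default="green")


def suppressed_by(line, ignore=IGNORE):
    """Name the IGNORE alternatives that hit a line.

    Splits on "|", which is only valid for a flat alternation list such as
    the one in the thread (no "|" inside parentheses).
    """
    return [alt for alt in ignore.split("|") if re.search(alt, line)]


if __name__ == "__main__":
    for name, line in LINES.items():
        print(f"{name:9} {evaluate(line):7} ignored by: {suppressed_by(line)}")
```

<p class="MsoNormal">The "mention" line shows the case worth checking in a long IGNORE list: an entry meant to silence one event source also silences any other event whose text merely contains that string.</p>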
</body>
</html>