[Xymon] analysis.cfg regular expression
Jeremy Laidman
jeremy at laidman.org
Wed Jan 17 08:57:54 CET 2024
Hi Neil
This is probably not the cause, but the closing double quotes on your
second LOG line is an unprintable character representing a fancy
(non-ASCII) quote symbol.
Apart from that, I can't see anything wrong with your match strings.
Testing them with pcre2grep shows that they match the log lines just fine.
However, I wonder if your filename matching regular expressions is the
problem. Each backslash in the match string are likely to be interpreted by
the PCRE engine as the start of a special sequence, such as "\W" meaning
"non-word character", and "\*" meaning a literal asterisk rather than a
wildcard. For a test, try changing the filename string to be a non-regular
expression (without the %) and name a single file rather than trying to use
a wildcard.
Cheers
Jeremy
On Wed, 17 Jan 2024 at 02:28, Neil Simmonds <Neil.Simmonds at studio.co.uk>
wrote:
> Hi folks,
>
>
>
> I’m having trouble with a regular expression in a LOG entry in
> analysis.cfg which is monitoring a Windows log.
>
>
>
> I’ve included some sample lines below (IP addresses changed for obvious
> reasons) and I need to alert when the 12th string (space separated) is
> 403 (actually 500 but for testing, 403)
>
>
>
> I’ve tried this,
>
>
>
> LOG "%D:\Weblogs\*\u_ex*.log" "%2.{1,75} .{1,75} .{1,75} .{1,75} .{1,75}
> .{1,75} .{1,75} .{1,75} .{1,75} .{1,75}- 403 .{1,75} .{1,75} .{1,75}"
> COLOR=yellow
>
>
>
> And
>
>
>
> LOG "%D:\Weblogs\*\u_ex*.log" "%(?:\S+\s+){11}403\b” COLOR=yellow
>
>
>
> 2024-01-16 14:41:01 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 93
>
> 2024-01-16 14:42:03 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 83
>
> 2024-01-16 14:43:04 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78
>
> 2024-01-16 14:44:08 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 110
>
> 2024-01-16 14:45:13 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 89
>
> 2024-01-16 14:46:16 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 62
>
> 2024-01-16 14:47:20 127.0.0.1 GET / - 80 - 127.0.0.1
> Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78
>
>
>
> Neither of these work. Can anyone help?
>
>
>
> Kind Regards,
>
>
>
> Neil*.*
>
> ).
>
>
>
>
>
>
>
> Studio is a trading name of Studio Retail Trading Limited (Company no.
> 03994833), which is an introducer of credit not a lender. Studio Pay is
> provided by Frasers Group Financial Services Limited (Registered Company
> no. 00718151), which is authorised and regulated by the Financial Conduct
> Authority (FRN 311908) for consumer credit and general insurance and a
> member of the Finance and Leasing Association. Both companies are
> registered in England and their registered office is: Church Bridge House
> Henry Street Accrington BB5 4EE.
>
> NOTE: This email and any information contained within or attached in a
> separate file is confidential and intended solely for the Individual to
> whom it is addressed. The information or data included is solely for the
> purpose indicated or previously agreed. Any information or data included
> with this e-mail remains the property of Studio Retail Trading Ltd or
> Frasers Group Financial Services Ltd. The recipient will refrain from
> utilising the information for any purpose other than that indicated and
> upon request will destroy the information and remove it from their records.
> Any views or opinions presented are solely those of the author and do not
> necessarily represent those of Studio Retail Trading Ltd or Frasers Group
> Financial Services Ltd. If you are not the intended recipient, be advised
> that you have received this email in error and that any use, dissemination,
> forwarding, printing, or copying of this email is strictly prohibited. No
> warranties or assurances are made in relation to the safety and content of
> this e-mail and any attachments. No liability is accepted for any
> consequences arising from it. Studio Retail Trading Ltd and Frasers Group
> Financial Services Ltd reserve the right to monitor all e-mail
> communications through their internal and external networks. If you have
> received this email in error please let us know. You can find our available
> contact details by going to help.studio.co.uk and clicking ‘Contact Us’.
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20240117/5357344f/attachment.htm>
More information about the Xymon
mailing list