logcheckd.pattern

Package: WA2L/edrc 1.5.57
Section: File Formats (4)
Updated: 12 August 2024
Index Return to Main Contents

 

NAME

logcheckd.pattern - patternfile for logfile analysis in logcheckd and lgcheckd

 

SYNOPSIS

edrc/var/logcheckd/pattern/<patternfile>

 

AVAILABILITY

WA2L/edrc

 

DESCRIPTION

The pattern file is used to define the analysis of logfiles.

 

FILEFORMAT

The pattern file is a list of regular expression patterns divided into sections. Empty lines and lines starting with a # are considered as comments.

[SECTION_1]

pattern_11
pattern_12
pattern_1n

[SECTION_2]

pattern_21
pattern_22
pattern_2n

[SECTION_n]

pattern_n1
pattern_n2
pattern_nn

The sections and patterns are processed in the sequence listed. If a pattern matches for a logfile entry, the remaining patterns are not processed any more. Therefore it enhances performance if patterns that will match more often are listed at the beginning of a section, if possible.

Hint: a section with the identical name can appear multiple times in a pattern file.

The patterns are POSIX 1003.2 regular expressions as processed by egrep(1).

All logfile entries that are not matched are ignored and are counted as IGNORED.

The special section [EXCLUDE] can be used to exclude logfile entries from analysis. Excluded logfile entries are not reported in the 'Logfiles' section of the LOGCHECK report, but are counted and reported in the 'Overview' section.

Because the sections are processed by logcheckd(1m) and lgcheckd(1m) in the order as defined in the pattern file, the [EXCLUDE] section will often be the first section in the pattern file to have the wanted effect.

The [EXCLUDE] section also enables you to reuse rule files already defined for the logcheck(1) command written by Craig H. Rowland, <crowland@psionic.com>.

The advantage of using the [EXCLUDE] section is, that the current logfile can be used as information baseline and all entries that are not significant to be reported can be excluded; all remaining entries can be classified, the pattern .* can be used to catch all remaining entries. Doing this unknown entries, which might be of interest, are not missed.

See also EXAMPLES section to see how to use the [EXCLUDE] section.

 

OPTIONS

-

 

EXAMPLES

See also logcheckd(1m) and lgcheckd(1m).

1) example pattern file

See explanation of this pattern file in logcheckd(1m) and lgcheckd(1m) example 1) in section EXAMPLES. 

#
# logcheckd/pattern/su - logfile analysis pattern file for: su
#
# [00] 25.04.2008 CWa   Initial Version
#
 
[EXCLUDE]

.* + .* root-.*$
 
[HIGH]
 
.* - .*-root$
 
[MEDIUM]
 
.* + .*-root$
.* -
 
[LOW]
 
 
 
[VERIFY]
 
.*

 

SEE ALSO

edrcintro(1), egrep(1), lgcheckd(1m), lgcheckd.cfg(4), lgcpattern(3), logcheckd(1m), logcheckd.cfg(4), logtail(1), regexintro(4), POSIX 1003.2 section 2.8 (Regular Expression Notation)

 

NOTES

use lgcpattern(3) to help defining a pattern file.

 

BUGS

-

 

AUTHOR

logcheckd.pattern was developed by Christian Walther. Send suggestions and bug reports to wa2l@users.sourceforge.net .

 

COPYRIGHT

Copyright © 2024 Christian Walther

This is free software; see edrc/doc/COPYING for copying conditions. There is ABSOLUTELY NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

 

Index

NAME
SYNOPSIS
AVAILABILITY
DESCRIPTION
FILEFORMAT
OPTIONS
EXAMPLES
SEE ALSO
NOTES
BUGS
AUTHOR
COPYRIGHT
This document was created by man2html using the manual pages.
Time: 13:32:04 GMT, March 01, 2025