[Logcheck-users] End of search string question

Frédéric Brière fbriere at fbriere.net
Sat Mar 29 17:42:21 UTC 2008


Denis Dimick <dgdimick at gmail.com> wrote:
> How do I tell LogCheck that I don't care what's in the rest of the search
> string?

You could either use ".*" to match anything, or leave off the "$"
end-of-string mark.

> ^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@
> 0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len
> [0-9]{2} \([0-9]{2}+\) K-S IN$
>
> As you can see the only diff with these two statements is the ending "IN$"
> and "K-S IN$"

In this particular case, it would be preferable to simply make the "K-S"
part optional:

 ... \([0-9]{2}+\) (K-S )?IN$


-- 
<maswan> Joy: Lets fork cat! :)
<maswan> Joy: imagine a big pitchfork and a dead kitten on top of
         it.. with blood running down..
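
Added example, not part of the original message: a shell check of how much each of the suggested endings suppresses, using grep -E (the extended regex syntax logcheck rules are written in). The log lines and the shortened rule tail are constructed for illustration, and the `{2}+` of the quoted rule is written as `{2}` here.

```shell
#!/bin/sh
# Constructed ipmon-style log lines (not taken from the original thread).
sample_lines() {
cat <<'EOF'
Mar 29 17:40:01 m0n0wall ipmon[84]: 17:40:00.123456 xl0 @0:3 b 192.168.2.10 -> 224.0.0.1 PR igmp len 24 (32) IN
Mar 29 17:40:02 m0n0wall ipmon[84]: 17:40:01.654321 xl0 @0:3 b 192.168.2.10 -> 224.0.0.1 PR igmp len 24 (32) K-S IN
Mar 29 17:40:03 m0n0wall ipmon[84]: 17:40:02.111111 xl0 @0:3 b 192.168.2.10 -> 224.0.0.1 PR igmp len 24 (32) K-S OUT
Mar 29 17:40:04 m0n0wall ipmon[84]: 17:40:03.222222 xl0 @0:3 b 192.168.2.10 -> 224.0.0.1 PR igmp len 24 (32) IN UNEXPECTED
EOF
}

# Shortened tail of the ignore rule (assumption: the full rule's prefix is omitted).
TAIL='PR igmp len [0-9]{2} \([0-9]{2}\) '
RULE_STRICT="${TAIL}"'IN$'              # one of the two original endings
RULE_DOTSTAR="${TAIL}"'.*'              # ".*" to match anything
RULE_NO_ANCHOR="${TAIL}"                # "$" end-of-string mark left off
RULE_OPTIONAL="${TAIL}"'(K-S )?IN$'     # "K-S" part made optional

# Lines that do NOT match the ignore rule, i.e. what would still be reported.
still_reported() {
    sample_lines | grep -Ev -- "$1"
}

# Same, as a count; "|| true" because grep exits 1 when the count is zero.
still_reported_count() {
    sample_lines | grep -Evc -- "$1" || true
}

for name in STRICT DOTSTAR NO_ANCHOR OPTIONAL; do
    eval "rule=\$RULE_$name"
    printf '%s: %s line(s) still reported\n' "$name" "$(still_reported_count "$rule")"
done
```

The open-ended forms ignore all four sample lines, while the optional group ignores only the "IN" and "K-S IN" lines and keeps reporting the other two.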