[Logcheck-users] Rule question.

Mark London mrl at psfc.mit.edu
Mon Jun 13 17:41:46 UTC 2011


Ross - Thanks.  Although someone at work just pointed out to me that we 
really don't need Avahi anyway (oops!), so I shut it off today.  You 
would think that Avahi would allow you to either A) disable the error 
messages or B) direct the messages to its own log file, but of course 
the developers don't believe in either feature.  - Mark

Ross Boylan wrote:
> On Tue, 2011-06-07 at 11:54 -0400, Mark London wrote:
>   
>> Hi - I added the following 2 rules to logcheck.
>>
>> \w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid query packet.$
>> \w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet from host [[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.$
>>
>> The first rule I found on the web.   The 2nd one I created myself, to 
>> try and stop these messages:
>>
>> Jun  7 11:45:13 xxxxx avahi-daemon[10133]: Invalid response packet from host 198.125.177.241.
>>
>> But while the first rule is working, the 2nd doesn't seem to be 
>> working.  Any ideas why?  Thanks. - Mark
>>
>>     
> Test the pattern against the message with egrep to be sure it's right;
> it does look right to me except that it would be good to quote the .'s
> that are literal periods (\.).  But the fact that it's overly broad
> shouldn't prevent a match.
>
> If the rule matches, the problem is likely that the message is being
> triggered at one severity level (warning, critical...) but your
> exception is for a different severity level.  The solution is to move it
> to the right spot for the severity.
> See /usr/local/share/doc/logcheck-database/README.logcheck-database.gz.
>
> Ross
>
>   
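
Added example (not part of the original thread): the egrep test Ross suggests, run against the message Mark quoted, with the second rule as posted and a variant that escapes the literal periods. The two extra log lines and the variable and function names are constructed for illustration.

```shell
#!/bin/sh
# Check the second avahi-daemon rule from the thread with grep -E (egrep).

# Rule 2 as posted, joined onto one line (each rule must be a single line).
RULE_POSTED='\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet from host [[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.$'
# Variant with the literal periods escaped, as Ross recommends.
RULE_ESCAPED='\w{3} [ :0-9]{11} [._[:alnum:]-]+ avahi-daemon\[[0-9]+\]: Invalid response packet from host [[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.$'

# The message quoted in the thread.
MSG='Jun  7 11:45:13 xxxxx avahi-daemon[10133]: Invalid response packet from host 198.125.177.241.'
# Constructed line: not a dotted address; shows what an unescaped "." lets through.
ODD='Jun  7 11:45:13 xxxxx avahi-daemon[10133]: Invalid response packet from host 198-125-177-241!'
# Constructed line: the thread message plus one trailing space, which "$" rejects.
TRAIL="$MSG "

# verdict RULE LINE -> prints "match" or "no match" for one rule against one line.
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo "match"
    else
        echo "no match"
    fi
}

printf 'posted  rule, thread message : %s\n' "$(verdict "$RULE_POSTED" "$MSG")"
printf 'escaped rule, thread message : %s\n' "$(verdict "$RULE_ESCAPED" "$MSG")"
printf 'posted  rule, odd separators : %s\n' "$(verdict "$RULE_POSTED" "$ODD")"
printf 'escaped rule, odd separators : %s\n' "$(verdict "$RULE_ESCAPED" "$ODD")"
printf 'posted  rule, trailing space : %s\n' "$(verdict "$RULE_POSTED" "$TRAIL")"
printf 'escaped rule, trailing space : %s\n' "$(verdict "$RULE_ESCAPED" "$TRAIL")"
```

If the posted rule matches the real message here, the pattern itself is not the problem and the remaining suspect is the rule's location, as Ross describes.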