Content Filter conditional search?

edited January 2013 in General
We are running 2.92 build 30 on Windows Server 2003 R2 SP2. I'm new to EventSentry (ES) and could use some help.

I've configured a linux server to send syslog entries to ES (into the application log), and I've set up ES to Filter and Email certain log entries. My problem is with the Content Filter.

Here are the 2 logs I'm concerned with in the ES application log:

1) syslog@server.blah.edu[kern/user.notice]: logger: logicaldrive 1 (232.9 GB, RAID 1): OK
2) syslog@server.blah.edu[kern/user.notice]: logger: logicaldrive 2 (1.8 TB, RAID 1): OK

I want ES to send out an error email when the logicaldrives report anything other than OK. This is the exact logic I need:

1) Search for string *logicaldrive*
AND
2) In that same text, search for string *OK*. If you don't find *OK* then trigger an Email Action sending the text in question

You might ask, why don't I just search for FAILED or DEGRADED? The problem is I don't know all of the possible status messages that our RAID controller might spit out to the log. There could be many, so the only way to catch them all is to report any instance where it does not say OK.

Any ideas?

Comments

  • edited January 2013
    There are two ways in which you can accomplish this. Since you are running 2.92 you cannot use regular expression support which was added for event log filters in version 2.93 (more on that later).

    You can however specify two string matches, one of which looks for the "logicaldrive" string, and another which excludes the "OK".

    In the filter dialog, in the "Content Filter" section, add a new wildcard match. The wildcard would simply be *logicaldrive*, or *logicaldrive*RAID* if you want to be more specific (and get fewer false positives).

    Then add another wildcard match which excludes ): OK (the smiley is not intentional :-) ). I added the preceding "): " so that the filter won't match other strings which may contain "OK". The exact filter text should then read !*): OK*. The exclamation point will only match the event if the specified text does not exist.

    When specifying these content filters it's important that they are chained using AND, otherwise you will get any event which matches "logicaldrive" or does not match the "): OK" string.

    I added the asterisk at the end because EventSentry currently adds a trailing new line character sequence (\r\n) to all events. This will be resolved in an upcoming EventSentry patch for 2.93, but this behavior will not change in 2.92.

    The content filter section of the filter should then look like this:

    *logicaldrive*RAID*
    !*): OK*

    If you are upgrading to v2.93.1, then you can take advantage of regular expressions and will only need to add one "Regex match" content filter:

    ^(?=.*logicaldrive.*)(?=^(?:(?!\: OK).)*$).*$

    This will accomplish the same thing as the chained wildcard matches, only in one line. I'll leave it up to you to determine which method is easier to read/understand :-).


    I hope this explains, please let me know if you still have questions,
    Ingmar.
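To check that the two approaches in the answer above really behave the same, and to see what goes wrong when the wildcards are chained with OR, here is an added Python example. It is not part of the original thread and is not EventSentry code: it models an EventSentry-style wildcard (only `*` special, leading `!` negates) and applies the answer's two wildcard filters and its regex to constructed sample events that carry the trailing `\r\n` the answer mentions. The regex is compiled with DOTALL so that `.` spans the line ending; that is an assumption about how the engine treats it, as are the non-OK status strings in the sample events.

```python
import re

# Constructed sample events, not taken from the original thread. Each one
# carries the trailing "\r\n" the answer says EventSentry 2.92 appends.
PREFIX = "syslog@server.blah.edu[kern/user.notice]: logger: "
SAMPLE_EVENTS = [
    PREFIX + "logicaldrive 1 (232.9 GB, RAID 1): OK\r\n",
    PREFIX + "logicaldrive 2 (1.8 TB, RAID 1): OK\r\n",
    PREFIX + "logicaldrive 2 (1.8 TB, RAID 1): Interim Recovery Mode\r\n",  # hypothetical status
    PREFIX + "logicaldrive 1 (232.9 GB, RAID 1): FAILED\r\n",               # hypothetical status
    PREFIX + "nightly backup: OK\r\n",   # unrelated; contains ": OK" but not "): OK"
    PREFIX + "sshd started\r\n",         # unrelated; contains neither string
]

# The two wildcard content filters from the answer, to be chained with AND.
WILDCARD_FILTERS = ["*logicaldrive*RAID*", "!*): OK*"]

# The single regex content filter from the answer, verbatim.
REGEX_FILTER = r"^(?=.*logicaldrive.*)(?=^(?:(?!\: OK).)*$).*$"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a wildcard where only '*' is special into an anchored regex.

    DOTALL lets '*' swallow the trailing "\r\n", which is why the answer
    ends the exclusion pattern with '*' instead of relying on end-of-text.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def wildcard_matches(pattern: str, text: str) -> bool:
    """A leading '!' inverts the match: the filter holds only if the text
    does NOT contain the wildcard."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    found = wildcard_to_regex(pattern).match(text) is not None
    return not found if negate else found


def content_filter_matches(text: str, patterns, chain: str = "AND") -> bool:
    """Evaluate several content filters chained with AND or OR."""
    results = [wildcard_matches(p, text) for p in patterns]
    if chain == "AND":
        return all(results)
    if chain == "OR":
        return any(results)
    raise ValueError("chain must be 'AND' or 'OR'")


def alerts_wildcard(events, chain: str = "AND"):
    """Events that would trigger the email action with the wildcard filters."""
    return [e for e in events if content_filter_matches(e, WILDCARD_FILTERS, chain)]


def alerts_regex(events):
    """Events that would trigger the email action with the regex filter."""
    rx = re.compile(REGEX_FILTER, re.DOTALL)
    return [e for e in events if rx.match(e)]


if __name__ == "__main__":
    for label, hits in [("wildcard AND", alerts_wildcard(SAMPLE_EVENTS)),
                        ("wildcard OR", alerts_wildcard(SAMPLE_EVENTS, "OR")),
                        ("regex", alerts_regex(SAMPLE_EVENTS))]:
        print(f"{label}: {len(hits)} alert(s)")
        for e in hits:
            print("   ", e.rstrip())
```

With AND (and with the regex) only the two non-OK drive events alert; with OR every sample event alerts, because each one either contains "logicaldrive" or lacks "): OK", which is exactly the false-positive flood the answer warns about.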
  • That is probably the best response I've ever gotten on a forum, at least in the top five. I tried ! before, but I was obviously doing it wrong and gave up too quickly.

    Thanks for the help!