== Macros ==
In the <nowiki><macros></nowiki> section you can define macros for use in matching rules. For example, it can be useful to define a macro for the timestamp preceding each log record and use it in matching rules instead of the actual regexp. You can define as many macros as you wish, each within its own <nowiki><macro></nowiki> tag. Each macro should have a unique name, defined in the '''name''' attribute, and can be used in matching rules in the form @{''name''}.

Example: you need to parse a log file where each line starts with a timestamp in the format dd/mm/yy HH:MM:SS. You can define the following macro:
<source lang="xml">
<macro name="timestamp">[0-9]{2}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}</macro>
</source>
and then use it in matching rules:
<source lang="xml">
<rules>
   <rule>
      <match>@{timestamp}.*([A-Za-z]+) failed.*</match>
      <event>12345</event>
   </rule>
   <rule>
      <match>@{timestamp}.*error.*</match>
      <event>45678</event>
   </rule>
</rules>
</source>
Please note that the <nowiki><macros></nowiki> section should always be located before the <nowiki><rules></nowiki> section in the parser definition file.
== Matching rules ==