17 Dec 2005, 9:14 p.m.
Hello,

I've tried to set up some filters lately (v1.9.7). There's a problem with the regex character ^. For example, I want to filter out "Accepted password" and my home IP from sshd logs, so I set up:

    filter f_sshd {
        (program("sshd") and not (
            (match("Accepted password") and match("from 123\.456\.789\.012")) or
            // other rules
        )) or not program("sshd");
    };

Works OK, but I want to filter only messages starting with "Accepted password", but "^Accepted password" doesn't work. Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should work as a match pattern and it doesn't. (It should match only the "text" part of the message, am I right?)

TIA