TextLog - Look for expression

[JuergenF]

Dear all,

is there a problem ? Or maybe I'm to blind to see ?
I use the following expression for checking a syslog file on a linux system (with rma Agent on that system)
(HM V7.10, passive RMA Platform: Linux (Red Hat, Mandrake, SuSE), V1.25)

Look for expression:
("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and not ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22")

And I get an alarm for this kind of message
*******************************************
Message from HostMonitor (host changed status)

Test : TextLog: wersv090:/var/log/warn - Core
Method: Text Log test
Status : Warning
Date : 2008-03-22 04:36:24
Reply : Mar 22 04:34:48 dcdw0004.wetter.dematic.de 252: Mar 22 04:34:37.208: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to up

Recurrences : 1
Last status: Ok
Total tests: 7764
Alive ratio : 96.19 %
Dead ratio: 3.81 %

Folder: Wetter Switches
**********************************************
From my point of view the
and not ("dcdw0004" and "FastEthernet1/22")
should avoid raising an alarm.

By the way:
and not ("dcdw0015" and "FastEthernet4/3")
is working fine - means no alarm

Thanks

Juergen

PS: from :/var/log/warn
Mar 21 03:27:25 dcdw0015.wetter.dematic.de 9288: Mar 21 03:27:19.898: %LINK-3-UPDOWN: Interface FastEthernet4/3, changed state to down
Mar 21 03:27:26 dcdw0015.wetter.dematic.de 9289: Mar 21 03:27:19.898: %LINK-SP-3-UPDOWN: Interface FastEthernet4/3, changed state to down
Mar 21 03:27:26 dcdw0015.wetter.dematic.de 9290: Mar 21 03:27:20.690: %LINK-3-UPDOWN: Interface FastEthernet4/3, changed state to up
Mar 21 03:27:27 dcdw0015.wetter.dematic.de 9291: Mar 21 03:27:20.694: %LINK-SP-3-UPDOWN: Interface FastEthernet4/3, changed state to up
Mar 20 16:19:26 dcdw0004.wetter.dematic.de 239: Mar 20 16:19:17.425: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to down
Mar 20 16:19:26 dcdw0004.wetter.dematic.de 240: Mar 20 16:19:17.793: %LINK-3-UPDOWN: Interface FastEthernet1/22, changed state to up

The test: (HM V7.10, passive RMA Platform: Linux (Red Hat, Mandrake, SuSE), V1.25)
;-----------------------------------------------------------------------------
;- HostMonitor`s export/import file -
;- Generated by HostMonitor at 2008-03-22 05:04:52 -
;- Source file: E:\Program Files\HostMonitor\DCC-Network.hml -
;- Generation mode: Selected_Tests -
;-----------------------------------------------------------------------------


; ------- Test #01 -------


Method = TextLog
;--- Common properties ---
;DestFolder = DCC\Wetter Switches\
RMAgent = FTP.90 - wersv090
Title = TextLog: wersv090:/var/log/warn - Core
Comment = TextLog: wersv090:/var/log/warn - Core
RelatedURL =
ScheduleMode= Regular
Schedule = 7 Days, 24 Hours
Interval = 300
Alerts = Mail to DCC-Network-Team
ReverseAlert= No
UnknownIsBad= Yes
WarningIsBad= Yes
UseWarning = Yes
WarningExpr = %udv_status_bad%
UseCommonLog= Yes
PrivLogMode = Default
CommLogMode = Default
SyncCounters= Yes
SyncAlerts = No
DependsOn = list
MasterTest-Alive = WERSV090 - FTP .90
;--- Test specific properties ---
File = /var/log/warn
FileMacros = No
LookFor = ("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and not ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22")
LookMode = Expression
MatchCase = No
WholeWord = No
UseMacros = No
AlertMode = AllEvents
ReplyMode = Line
ReplyFilter = WholeLine
ReplyRange1 = 0
ReplyRange2 = 0

;-----------------------------------------------------------------------------
; Exported 1 items

[KS-Soft]

I would recommend to put additional brackets
("-1-" or "-2-" or "-3-" or "-4-" or "-5-") and ("dcdw000" or "dcdw001") and (not ("dcdw0015" and "FastEthernet4/3")) and (not ("dcdw0004" and "FastEthernet1/22"))
otherwise 1st not can be applied to ("dcdw0015" and "FastEthernet4/3") and not ("dcdw0004" and "FastEthernet1/22") expression

Regards
Alex

[JuergenF]