Match a single character:
Repeats:
Position:
Grouping:
Escaping:
Suppose we are not interested in the summary messages from nfcapd at all.
group ^nfcapd:
trash Total ignored packets
trash Ident:.*Flows:.*Packets:.*Bytes:.*Sequence Errors:.*Bad Packets
group_end
Another example:
group ^sshd:
trash ^sshd: Connection closed by.*\[preauth\]
trash ^sshd: Received disconnect from
trash ^sshd:.*from 100\.68\.100\.250
group_end
Suppose we want to discard messages matching a particular pattern, but only if they come from a particular host:
group_host ^100\.68\.100\.254$
trash ^dhcpd:
trash ^charon:
trash ^filterlog:
trash ^check_reload_status: Reloading filter
trash ^check_reload_status: Restarting ipsec tunnels
trash ^check_reload_status: Restarting OpenVPN tunnels
trash ^check_reload_status: Syncing firewall
group_end
If part of a pattern is enclosed in parentheses ( ... ), the text matched by that part is removed from the reported message,
so that multiple similar messages can be collapsed into a single summary line with a count.
For example, suppose you get lots of messages like this:
1: sshd: Connection closed by 100.68.6.131 port 38060 [preauth]
1: sshd: Connection closed by 100.68.6.132 port 39308 [preauth]
1: sshd: Connection closed by 100.68.4.133 port 50620 [preauth]
1: sshd: Connection closed by 100.68.4.134 port 58252 [preauth]
and you want to combine them into a single summary line in the tenshi report. Try:
misc ^sshd: Connection closed by ([0-9.]+) port (\d+) \[preauth\]
Then your tenshi report should contain:
4: sshd: Connection closed by port [preauth]
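To make the three mechanisms above concrete (group and group_host as guards around a set of rules, trash as a discard, and parenthesised capture groups being cut out of the reported line), here is a small Python model of the matching. It is an added illustration, not tenshi's own code. The rules are the ones from this page, joined into one ruleset; the log lines are constructed for the example; and three details are assumptions of the model rather than statements from the page: a group is treated as a precondition (its rules are only tried when the group regex matches), rules are tried in file order with the first match winning, and lines that match no rule land in a queue named "default". The runs of spaces left behind by removing a capture group are collapsed so the summary reads as the page shows it.

```python
"""Toy model of tenshi-style trash/group/queue matching (added example, not tenshi's code)."""
import re
from collections import Counter

# Constructed sample input: (host, message) pairs, as they would look after the
# syslog timestamp and hostname have been split off.  These are not real logs.
SAMPLE_LOG = [
    ("100.68.100.254", "dhcpd: DHCPACK on 100.68.100.10 to 00:11:22:33:44:55"),
    ("100.68.100.1",   "dhcpd: DHCPACK on 100.68.1.10 to 00:11:22:33:44:66"),
    ("100.68.100.254", "check_reload_status: Syncing firewall"),
    ("100.68.100.2",   "nfcapd: Ident: 'none' Flows: 10 Packets: 20 Bytes: 30 Sequence Errors: 0 Bad Packets: 0"),
    ("100.68.100.2",   "sshd: Connection closed by 100.68.6.131 port 38060 [preauth]"),
    ("100.68.100.2",   "sshd: Connection closed by 100.68.6.132 port 39308 [preauth]"),
    ("100.68.100.2",   "sshd: Connection closed by 100.68.4.133 port 50620 [preauth]"),
    ("100.68.100.2",   "sshd: Connection closed by 100.68.4.134 port 58252 [preauth]"),
    ("100.68.100.2",   "sshd: Accepted publickey for alice from 100.68.6.131 port 40000 ssh2"),
]

# The configuration fragments from the page, joined into one ruleset.
CONFIG = r"""
group ^nfcapd:
trash Total ignored packets
trash Ident:.*Flows:.*Packets:.*Bytes:.*Sequence Errors:.*Bad Packets
group_end
group_host ^100\.68\.100\.254$
trash ^dhcpd:
trash ^check_reload_status: Syncing firewall
group_end
misc ^sshd: Connection closed by ([0-9.]+) port (\d+) \[preauth\]
"""


def parse_config(text):
    """Return rules as (queue, compiled_regex, guard) tuples, in file order.

    guard is None, ("message", regex) for 'group', or ("host", regex) for
    'group_host'.  A group is modelled as a precondition: the rules inside it
    are only tried when the guard regex matches (assumption of this model).
    """
    rules, guard = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "group":
            guard = ("message", re.compile(rest))
        elif keyword == "group_host":
            guard = ("host", re.compile(rest))
        elif keyword == "group_end":
            guard = None
        else:
            rules.append((keyword, re.compile(rest), guard))
    return rules


def strip_groups(match):
    """Return the matched message with the text of every capture group removed."""
    text = match.string
    spans = [match.span(i) for i in range(1, match.re.groups + 1) if match.start(i) != -1]
    for start, end in sorted(spans, reverse=True):  # cut from the right so earlier offsets stay valid
        text = text[:start] + text[end:]
    return re.sub(r"\s+", " ", text).strip()  # collapse the gaps left behind (simplification)


def classify(rules, log):
    """Route each (host, message) to the first rule that matches it.

    Returns ({queue: Counter(summary -> count)}, trashed_count).  Lines matching
    no rule are put in a queue named "default" (assumption of this model).
    """
    queues, trashed = {}, 0
    for host, message in log:
        for queue, regex, guard in rules:
            if guard is not None:
                kind, guard_re = guard
                if not guard_re.search(host if kind == "host" else message):
                    continue
            m = regex.search(message)
            if m is None:
                continue
            if queue == "trash":
                trashed += 1  # a trash match ends processing for this line: nothing reports it
            else:
                queues.setdefault(queue, Counter())[strip_groups(m)] += 1
            break
        else:
            queues.setdefault("default", Counter())[message] += 1
    return queues, trashed


def render_report(queues):
    """Format queues the way the page shows tenshi output: '<count>: <summary>'."""
    lines = []
    for queue in sorted(queues):
        lines.append(f"[{queue}]")
        for summary, count in queues[queue].most_common():
            lines.append(f"{count}: {summary}")
    return lines


if __name__ == "__main__":
    queues, trashed = classify(parse_config(CONFIG), SAMPLE_LOG)
    print("\n".join(render_report(queues)))
    print(f"({trashed} lines trashed)")
```

Running the model gives the "4: sshd: Connection closed by port [preauth]" line from the page, two lines under "default" (the dhcpd message from a host other than 100.68.100.254, and the successful sshd login), and three trashed lines. The model also shows why trash rules deserve care: a trash match ends processing for that line, so a broad rule such as `trash ^sshd:.*from 100\.68\.100\.250` silently drops every sshd event mentioning that address, successful and failed logins included. Keep host- or service-wide trash patterns as narrow as the noise you actually want to suppress.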