View Full Version : RegExp Negation in Logfile Monitoring


mbrand5371
11-05-2010, 08:15
We have a LogFile item with the following item key:

log[/var/log/messages,"[E|e]xiting|[E|e]xited|[T|t]erminating|[T|t]erminated|[F|f]ailing|[F|f]ailed|[S|s]tarting|[S|s]tarted|[R|r]estart|[S|s]hutdown"]


The actual trigger is defined as:

{LSKN discovered Template LOG linux messages:log[/var/log/messages,"[E|e]xiting|[E|e]xited|[T|t]erminating|[T|t]erminated|[F|f]ailing|[F|f]ailed|[S|s]tarting|[S|s]tarted|[R|r]estart|[S|s]hutdown"].nodata(120)}#1


So we get all the words defined in the regex fine.
But there are entries in the log like:

ftp.proxy[30845]: +OK: proxy terminating


We want to exclude these. Does anyone have an idea how to do this?
Regards, Marcus

danrog
11-05-2010, 14:14
Because you are using brackets, you should just be able to do the following without the "OR":

log[/var/log/messages,"[Ee]xiting|[Ee]xited|[Tt]erminating|[Tt]erminated|[Ff]ailing|[Ff]ailed|[Ss]tarting|[Ss]tarted|[Rr]estart|[Ss]hutdown"]

mbrand5371
12-05-2010, 11:14
OK, your syntax is slightly different from mine.
But my goal is to get a trigger if, for example, an agent or daemon is sending an entry with the keywords to the log while it is changing its status. I don't want to get the trigger if, for example, an ftp.proxy user is terminating his session.

Currently the item is matching the keyword "terminating" and I need to exclude the ftp.proxy user session "terminating" string from this match.

Regards, Marcus
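
An added example, not part of any post above: the keyword match and the ftp.proxy exclusion from this thread, checked outside Zabbix with grep -E on constructed syslog lines. The pattern is danrog's; the two-stage filter and the EXCLUDE pattern (keyed on the syslog program tag) are assumptions about which lines should be dropped, and the last function shows what the "|" inside [E|e] actually does.

```shell
#!/bin/sh
# Keyword pattern from danrog's reply (POSIX extended regex).
KEYWORDS='[Ee]xiting|[Ee]xited|[Tt]erminating|[Tt]erminated|[Ff]ailing|[Ff]ailed|[Ss]tarting|[Ss]tarted|[Rr]estart|[Ss]hutdown'

# Assumption: lines to suppress are identified by the syslog program tag
# "ftp.proxy[PID]:", not by the bare word ftp.proxy anywhere in the message.
EXCLUDE='(^|[[:space:]])ftp\.proxy\[[0-9]+\]:'

# Constructed sample lines (not taken from a real log).
sample_log() {
cat <<'EOF'
May 11 08:01:02 host1 ftp.proxy[30845]: +OK: proxy terminating
May 11 08:01:07 host1 sshd[2211]: Received signal 15; terminating.
May 11 08:02:11 host1 ntpd[1570]: ntpd exiting on signal 15
May 11 08:03:40 host1 kernel: eth0: link up
May 11 08:04:00 host1 myapp[99]: note about ftp.proxy restart
EOF
}

# Stage 1 keeps lines with a keyword; stage 2 drops the excluded source.
# POSIX ERE has no negative lookahead, so the exclusion is a second match.
alert_lines() {
    grep -E "$KEYWORDS" | grep -Ev "$EXCLUDE"
}

# Counts matches of pattern $2 against the single line $1.
# Inside brackets "|" is a literal character, so [E|e] also accepts "|".
pipe_matches() {
    printf '%s\n' "$1" | grep -Ec "$2" || true
}

sample_log | alert_lines
echo "[E|e]xiting on 'a|xiting': $(pipe_matches 'a|xiting' '[E|e]xiting') match"
echo "[Ee]xiting  on 'a|xiting': $(pipe_matches 'a|xiting' '[Ee]xiting') match"
```

The myapp line survives the filter because it only mentions ftp.proxy in its message text; matching on the program tag keeps the exclusion from hiding unrelated daemons.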