I have log monitoring in place which basically looks at /var/log/messages for error|ERROR|Bug and it works great. However, I have one server (maybe more) that notifies me with an application error every minute that I don't want to monitor. I have this log monitoring in place on all of my servers (so far) so I don't want to change it.
Basically, I want to query for error|ERROR|Bug but if it finds "error: Connection refused" I don't want an alert.
My initial trigger is: find (/template/log[/var/log/messages,error|ERROR|Bug,,,skip,],,"iregexp","error|ERROR|Bug")=1.
I was thinking:
1. I could add an item with "error: Connection refused" but I can't figure out how to make it work with AND/OR.
2. Maybe with a count as normally error only shows up in one line but I get at least 2 lines in the same second of the application error.
Can anyone help?