[osiris] Filters not working

Hari Sekhon hpsekhon at googlemail.com
Mon Nov 12 07:38:24 EST 2007 

I am trying to use filters to reduce noise but it doesn't seem to be 
working. I have for example filters like:

^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume Shadow 
Copy;status:running\]\[service:VSS;dname:Volume Shadow 
Copy;status:stopped\].*$
^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume Shadow 
Copy;status:stopped\]\[service:VSS;dname:Volume Shadow 
Copy;status:running\].*$
^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:running\]\[service:swprv;dname:Microsoft Software Shadow 
Copy Provider;status:stopped\].*$
^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:stopped\]\[service:swprv;dname:Microsoft Software Shadow 
Copy Provider;status:running\].*$

To try to stop it reporting changes in service state for Volume Shadow 
Copy on the Windows servers running the osirisd agent.

However, I still get emails like this, several days after implementing 
this filter:

[223][SERVER_X][cmp][mod_kmods][service:VSS][service:VSS;dname:Volume Shadow Copy;status:stopped][service:VSS;dname:Volume Shadow Copy;status:running]
[223][SERVER_X][cmp][mod_kmods][service:swprv][service:swprv;dname:Microsoft Software Shadow Copy Provider;status:stopped][service:swprv;dname:Microsoft Software Shadow Copy Provider;status:running] 


This is the sole content of the email, the only change in state to the 
server, so the filters are obvious not working.

It seems that the filters also get squashed into a single line on the 
filters file like so

# add regular expressions, one per line (disable with '#')...<filters 
snipped>...^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume 
Shadow Copy;status:running\]\[service:VSS;dname:Volume Shadow 
Copy;status:stopped\].*$^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume 
Shadow Copy;status:stopped\]\[service:VSS;dname:Volume Shadow 
Copy;status:running\].*$^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:running\]\[service:swprv;dname:Microsoft Software Shadow 
Copy 
Provider;status:stopped\].*$^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:stopped\]\[service:swprv;dname:Microsoft Software Shadow 
Copy Provider;status:running\].*$...<filters snipped>...

Although Osiris seems to still recognise them even though technically 
this makes them part of the same line and hence commented out!

osiris-4.2.3-release: filters
Exclude anything matching the following regular expressions:

...<filters 
snipped>...^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume 
Shadow Copy;status:running\]\[service:VSS;dname:Volume Shadow 
Copy;status:stopped\].*$^.*\[cmp\]\[mod_kmods\]\[service:VSS\]\[service:VSS;dname:Volume 
Shadow Copy;status:stopped\]\[service:VSS;dname:Volume Shadow 
Copy;status:running\].*$^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:running\]\[service:swprv;dname:Microsoft Software Shadow 
Copy 
Provider;status:stopped\].*$^.*\[cmp\]\[mod_kmods\]\[service:swprv\]\[service:swprv;dname:Microsoft 
Software Shadow Copy 
Provider;status:stopped\]\[service:swprv;dname:Microsoft Software Shadow 
Copy Provider;status:running\].*$^...<filters snipped>...
8 comparison filters.



Any ideas on how to make this work properly?

-h

-- 
Hari Sekhon

More information about the osiris mailing list