You can use exclude rules in the logmon configuration to exclude log lines that would normally match your watcher rules.
There are a couple of issues with your regex though.
- You do not need to begin or end the regex with .* because it will automatically match any part of the line.
- The square brackets [] create a character class that matches a single character in the string from a list of several options. So the [2-800] part matches any digit between 2 and 8 (inclusive) plus the digit 0. (The second appearance of 0 does nothing in this case.)
- The fact that you are preceding the numeric part of the regex with .* means it could match many numbers you did not intend. You might want to put a \b in front of that like you have in other places.
- Your use of \b to make sure you match only the words you want is very good. But if those words are supposed to appear one after the other without anything but space in between, I would recommend coding the regex with a \s+ between each word. You would not have to do this, but it would be far more efficient.
Matching ranges of numbers in a regex can be a little tricky. The exclude rules make it much easier though. Here is one possible approach...
Watcher rule:
- /\bexited\s+with\s+status\s+([1-7]?[0-9]?[0-9]|800)\b/
Exclude rules:
- /\bexited\s+with\s+status\s+[01]\b/
- /\bexited\s+with\s+status\s+15[07]\b/
If the range of possible exit status values only goes up to 800, then the watcher rule becomes much simpler (but still requires the exclude rules):
- /\bexited\s+with\s+status\s+\d+/
I would definitely recommend testing whatever regex you decide to use to make sure it does exactly what you want. NMS uses PCRE, so testing is fairly easy because you can code a test in a Perl script. (Well, that is easy only if you know Perl, I suppose.) There is also a regex tester available in the NAS GUI, which I think you could use to test this.
-Keith
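
The post recommends testing the regexes before relying on them. The following is an added example, not part of the post or of the product: it models "alert when the watcher rule matches and no exclude rule matches" in Python, whose re module treats \b, \s and \d in these patterns the same way PCRE does. The function names and the sample log line are constructed, and the watcher pattern is written with a closing \b so that it stops at 800.

```python
import re

# Watcher rule: the post's pattern, with the numeric group closed by \b
# (assumption of this example) so that 801 and above never match.
WATCHER = re.compile(r"\bexited\s+with\s+status\s+([1-7]?[0-9]?[0-9]|800)\b")

# Exclude rules exactly as given in the post.
EXCLUDES = [
    re.compile(r"\bexited\s+with\s+status\s+[01]\b"),
    re.compile(r"\bexited\s+with\s+status\s+15[07]\b"),
]


def alerts(line):
    """Model of watcher-then-exclude: True if the line would raise an alert."""
    if not WATCHER.search(line):
        return False
    return not any(rx.search(line) for rx in EXCLUDES)


def sweep(lo=0, hi=1200):
    """Return every exit status in [lo, hi] that would raise an alert."""
    # Constructed sample line; only the status number varies.
    return [n for n in range(lo, hi + 1)
            if alerts(f"job nightly-backup exited with status {n}")]


def char_class_digits():
    """Digits accepted by the character class [2-800] from the original regex."""
    return [d for d in "0123456789" if re.fullmatch(r"[2-800]", d)]


if __name__ == "__main__":
    hits = sweep()
    print("alerting range:", hits[0], "to", hits[-1], "count", len(hits))
    print("suppressed inside range:",
          [n for n in range(hits[0], hits[-1] + 1) if n not in hits])
    print("[2-800] matches single digits:", char_class_digits())
```

Sweeping well past the upper bound is what catches a pattern that quietly matches 801 or 1500 by stopping partway through the number.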