I have been trying to create an alert to forward some syslog messages using a regular expression. I'm using almost the exact same expression for a different alert and it is working. The messages I am trying to alert on are longer, and I suspect that is the issue.
Here is a message I want to alert on:

7/15/2008 9:20 AM : Application Jul 15 2008 12:15:56 SERVER01 %Application: SysmonLog : Counter: \\SERVER01\MSMQService\Total messages in all queues has tripped its alert threshold. The counter value of 6155 is over the limit value of 5000.
This is the regular expression I am using that I believe should work. It should catch any messages that contain the string "SysmonLog" but not if it also contains the string "restarted".
^(?=.*?\bSysmonLog\b)((?!restarted).)*$
I think the issue is the length of the message exceeds the ability of Orion's filter. Has anyone had luck with a similar task?
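As an added example (not part of the original post, and not Orion's own filter code), the regex from the post is checked in Python against the quoted message plus some constructed samples, including a very long one and one containing a newline; this shows the pattern's own behaviour, not whatever length limit Orion's filter engine may impose.

```python
import re

# The pattern from the post: require "SysmonLog" as a whole word anywhere in
# the message, and reject the message if "restarted" appears anywhere.
ALERT_PATTERN = re.compile(r"^(?=.*?\bSysmonLog\b)((?!restarted).)*$")

# Constructed samples. Only "threshold" is the message quoted in the post;
# the others are made up to exercise each branch of the pattern.
SAMPLES = {
    "threshold": ("7/15/2008 9:20 AM : Application Jul 15 2008 12:15:56 SERVER01 "
                  "%Application: SysmonLog : Counter: \\\\SERVER01\\MSMQService\\Total "
                  "messages in all queues has tripped its alert threshold. "
                  "The counter value of 6155 is over the limit value of 5000."),
    "restarted": "Jul 15 2008 12:16:01 SERVER01 %Application: SysmonLog : service restarted",
    "other":     "Jul 15 2008 12:16:05 SERVER01 %Application: Winlogon : user logged on",
    # Roughly 8 KB of filler around the keyword: length alone does not break the regex.
    "long":      "x " * 2000 + "SysmonLog " + "y " * 2000,
    # '.' does not match a newline, so a multi-line message fails to reach '$'.
    "multiline": "Jul 15 2008 SERVER01 %Application: SysmonLog\nsecond line",
}


def should_alert(message: str) -> bool:
    """Return True when the message would trigger the alert under ALERT_PATTERN."""
    return ALERT_PATTERN.search(message) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Run should_alert over every sample and return {name: matched}."""
    return {name: should_alert(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:10s} -> {'ALERT' if matched else 'no match'}")
```

Message length does not affect the match in Python; the one case the pattern does miss is a message containing a newline, which only matches if the engine's dot is allowed to span lines (re.DOTALL in Python).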