2000-02-25T00:04:57Z
Date: Thu, 24 Feb 2000 23:04:57 +0200

Your rule description, including the substring specification (as long as 'regular expression' is unchecked), seems to be correct.

What kind of trouble do you have? Are no syslog messages processed? Do the following: Define a new rule without any explicit condition and associate an action (log to file) with it. By doing this you can check if SL4NT is receiving any messages, and by looking into the log file you may detect why your explicit conditions are not correct. You can also use perf counters to verify if syslog messages are received.

Franz

"Russell Lusignan" <russell.lusignan@allianceatlantis.com> wrote in message news:C1CEE8E342DDD111A5720020AFE7798F170FB8@is1.netal.com...

> Hey all,
>
> I am playing around with sl4nt and I am having some trouble... For example, I have set up our VPN box's syslog host to target my machine for debug messages. I have set up a rule on sl4nt (which is running on my machine) to receive messages. The Priority is set to Min: Debug, Max: Emergency. The Destination IP is my machine's address, and the Source IP is that of the VPN interface. I am not too clear as to what I should enter in the Substring field. Should I enter the exact debug message or a portion of what appears on the console if I am viewing debug messages? For example, if interface 0 drops, and the debug message is: "[debug] int 0 disconnected," can I put in the substring field "int;disconnected" ..which then causes the action to alert me? Let me know if I have everything straight or if I am missing something. Thanks!
>
> Russ..
