Hi there,

I'm trying to get rid of non-vital logging info, with the aid of logsurfer. The accent is not on mailing suspicious stuff, more on keeping logfiles manageably small. However, I find the docs that come with logsurfer inadequate, quite confusing even. I had hoped for more examples... Can anyone here share [parts of] his/her logsurfer.conf for clarity and/or as examples?

The way to "ignore" certain messages is clear and simple, so is the way to alert when something evil is happening. What I don't really understand is how the "context" rules work. Let's say for instance I'd like to get rid of the 'named' starting messages:

Oct 30 16:21:09 hostname named[16988]: starting (/etc/named.conf).
[...]
Oct 30 16:21:09 hostname named[16988]: hint zone "" (IN) loaded (serial 0)
Oct 30 16:21:09 hostname named[16988]: master zone "localhost" (IN) [...]
Oct 30 16:21:09 hostname named[16988]: master zone "0.0.127.in-addr.arpa"
Oct 30 16:21:09 hostname named[16988]: master zone "foobar" (IN) [...]
Oct 30 16:21:09 hostname named[16988]: master zone "8.9.10.in-addr.arpa"
Oct 30 16:21:09 hostname named[16988]: listening on [10.9.8.7].53 (eth8)
Oct 30 16:21:09 hostname named[16988]: Forwarding source address [...]
Oct 30 16:21:09 hostname named[16989]: Ready to answer queries.

In that case we'd like a rule that, if it sees a 'named .* starting (/etc/named.conf)', will open a context (and eventually ignore all inside) for all following rules from the same PID, UNLESS there is a '.* rejected due to errors .*' statement in one of those lines.

My problem is, A) I don't know how to implement this, and B) this is not safe because it could drop other types of, possibly fatal, errors. Yet the only alternative is "make 1 rule per line".

Not only is that quite a mess and a LOT of work, but it makes it impossible to look at the context to see whether a message is benign or not; "With invalid flags" sounds like a serious warning, but looking at the context it's just 1 line out of many when squid is attempting to start.

Oct 29 18:17:24 hostname squid[950]: 0 With invalid flags.

Does anyone have relevant experience(s) with logsurfer that he/she is willing to share and/or discuss here (or off-list if perhaps perceived off-topic)? Maybe even agree on a generic "safe_to_use" (...) ruleset for SuSE machines?

Any help or comments are greatly appreciated,

Maarten

--
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
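The context rule the post asks for, as an added example that is not part of the original mail and is not logsurfer's own configuration syntax or code: a small Python model of the same semantics (open a context on the 'starting (/etc/named.conf)' line, buffer every later line from the same program and PID, discard the buffer only if the startup ends cleanly). It also addresses concern B: any line inside the context that is not on a benign allowlist, including '.* rejected due to errors .*', flushes the whole buffer instead of dropping it, so unexpected errors are never silently lost. The log lines, the allowlist patterns and the function names are constructed for this illustration.

```python
"""Constructed model of a logsurfer-style "context" for named startup noise.

Not logsurfer's syntax: a plain-Python illustration of the rule semantics.
Lines from a (program, pid) pair are buffered from 'starting' until
'Ready to answer queries.'; a clean startup drops the buffer, anything
unexpected (error text or an unlisted message) flushes it to the output.
"""
import re

# One syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

# Constructed rule set for the 'named' startup block (assumed patterns).
PROGRAM = 'named'
OPEN_RE = re.compile(r'^starting \(/etc/named\.conf\)\.?$')
CLOSE_RE = re.compile(r'^Ready to answer queries\.$')
ERROR_RE = re.compile(r'rejected due to errors')
BENIGN_RES = [                       # messages allowed to be swallowed
    re.compile(r'^(hint|master|slave) zone ".*" \(IN\)'),
    re.compile(r'^listening on \['),
    re.compile(r'^Forwarding source address'),
]

# Constructed sample input: a clean startup (16988), a startup with a
# rejected zone (17001), plus two unrelated lines that must pass through.
SAMPLE_LOG = """\
Oct 30 16:21:09 hostname named[16988]: starting (/etc/named.conf).
Oct 30 16:21:09 hostname named[16988]: hint zone "" (IN) loaded (serial 0)
Oct 30 16:21:09 hostname named[16988]: master zone "localhost" (IN) loaded (serial 1)
Oct 30 16:21:09 hostname named[16988]: listening on [10.9.8.7].53 (eth8)
Oct 30 16:21:09 hostname named[16988]: Forwarding source address is [0.0.0.0].1027
Oct 30 16:21:09 hostname sshd[2001]: Accepted publickey for admin from 10.9.8.1 port 40000
Oct 30 16:21:09 hostname named[16988]: Ready to answer queries.
Oct 30 16:25:00 hostname named[17001]: starting (/etc/named.conf).
Oct 30 16:25:00 hostname named[17001]: hint zone "" (IN) loaded (serial 0)
Oct 30 16:25:00 hostname named[17001]: master zone "foobar" (IN) rejected due to errors (serial 3)
Oct 30 16:25:00 hostname named[17001]: Ready to answer queries.
Oct 30 16:30:00 hostname squid[950]: 0 With invalid flags.
"""


def filter_log(lines):
    """Return the lines worth keeping. Flushed contexts are emitted at the
    point where the flush happened, so a block stays together."""
    kept = []
    contexts = {}                    # (prog, pid) -> buffered lines

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            kept.append(line)        # unparsable: never drop silently
            continue
        prog, pid, msg = m.group('prog'), m.group('pid'), m.group('msg')
        key = (prog, pid)

        if prog == PROGRAM and OPEN_RE.match(msg):
            if key in contexts:      # second 'starting' without a clean end
                kept.extend(contexts.pop(key))
            contexts[key] = [line]   # open the context
            continue

        if key not in contexts:
            kept.append(line)        # not inside any context
            continue

        buf = contexts[key]
        if CLOSE_RE.match(msg):
            del contexts[key]        # clean startup: drop the whole block
        elif ERROR_RE.search(msg) or not any(r.match(msg) for r in BENIGN_RES):
            buf.append(line)         # error or unlisted line: keep everything
            kept.extend(contexts.pop(key))
        else:
            buf.append(line)         # benign startup chatter, keep buffering

    for buf in contexts.values():    # startup never completed: keep it
        kept.extend(buf)
    return kept


if __name__ == '__main__':
    for out in filter_log(SAMPLE_LOG.splitlines()):
        print(out)
```

On the sample input the clean 16988 block disappears entirely, the 17001 block is kept in full because of the rejected zone, and the sshd and squid lines pass through untouched. A startup that never reaches 'Ready to answer queries.' is also kept, which is the timeout-style fail-safe a real rule should have: the cost of a false negative here is a missed fatal error, so the default for anything outside the allowlist is to keep, not drop.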