def test_setMatch(self): # Case 1 - Empty rules watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.setMatch(("IP", "GT", "0.0.0.0", "False", "False"), ()) self.assertDictEqual({"value": ("IP", "GT", "0.0.0.0", "False", "False"), "left": None, "right": None}, watcherInstance.rules) # Case 2 - Single element of rule tree watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.rules = createNode(("IP", "GT", "0.0.0.0", "False", "False")) watcherInstance.setMatch(("IP", "LT", "255.255.255.255", "False", "False"), ()) self.assertDictEqual({"value": ("IP", "LT", "255.255.255.255", "False", "False"), "left": None, "right": None}, watcherInstance.rules) # Case 3 - Leaf of rule tree rule1 = ("IP", "GT", "0.0.0.0", "False", "False") rule2 = ("IP", "LT", "255.255.255.255", "False", "False") rule3 = ("IP", "EQ", "10.0.0.1", "False", "False") rule4 = ("IP", "EQ", "10.0.0.2", "False", "False") watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.rules["value"] = "AND" watcherInstance.rules["left"] = createNode(rule1) watcherInstance.rules["right"] = createNode(rule2) watcherInstance.setMatch(rule3, (0,)) watcherInstance.setMatch(rule4, (1,)) self.assertDictEqual({"value": "AND", "left": {"value": rule3, "left": None, "right": None}, "right": {"value": rule4, "left": None, "right": None}}, watcherInstance.rules)
def test_delMatch(self): # Case 1 - Single element of rule tree watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.rules = createNode(("IP", "GT", "0.0.0.0", "False", "False")) watcherInstance.delMatch(()) self.assertDictEqual({"value": (), "left": None, "right": None}, watcherInstance.rules) # Case 2 - Internal element of rule tree watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.rules["value"] = "AND" watcherInstance.rules["left"] = createNode(("IP", "GT", "0.0.0.0", "False", "False")) watcherInstance.rules["right"] = createNode(("IP", "LT", "255.255.255.255", "False", "False")) watcherInstance.delMatch((0,)) self.assertDictEqual({"value": ("IP", "LT", "255.255.255.255", "False", "False"), "left": None, "right": None}, watcherInstance.rules)
def runIntegrationTests(): # Load database createTestDatabase() exit() logFile = "samples/sample.log" watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.setMatch( ("WHOLE", "EQ", "NOTE: Not using GLX TFP!", False, True), ()) watcherInstance.combineMatch(("WHOLE", "RE", ".*Anacron.*", False, False), "OR", ()) watcherInstance.combineMatch(("WHOLE", "RE", ".*anacron.*", False, False), "OR", (1, )) watcherInstance.combineMatch(("WHOLE", "RE", ".*ERROR.*", False, True), "OR", (0, )) watcherInstance.combineMatch(("WHOLE", "RE", ".*STREAM.*", False, True), "AND", (0, 1)) watcherInstance.combineMatch(("WHOLE", "RE", ".*dhcp.*", False, True), "OR", (0, 0)) watcherInstance.combineMatch(("WHOLE", "RE", ".*address.*", False, True), "AND", (0, 0, 1)) watcherInstance.combineMatch(("WHOLE", "RE", ".*rfkill.*", False, True), "OR", (0, 0, 0)) # Asserting if rules are loaded successfully with open("samples/sample_conf.json", "rb") as f: sampleRules = util.Node().loadJSON(json.load(f)["rules"]) assert sampleRules == watcherInstance.rules print("Rules are created successfully.", file=sys.stderr)
def test_combineMatch(self): # Case 1 - Single element rule tree watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) watcherInstance.rules = createNode(("OLD_MATCH",)) watcherInstance.combineMatch(("NEW_MATCH",), "AND", ()) self.assertDictEqual({"value": "AND", "left": {"value": ("OLD_MATCH",), "left": None, "right": None}, "right": {"value": ("NEW_MATCH",), "left": None, "right": None}}, watcherInstance.rules) # Case 2 - Leaf of rule tree watcherInstance.rules["value"] = "AND" watcherInstance.rules["left"] = createNode(("IP", "GT", "0.0.0.0", "False", "False")) watcherInstance.rules["right"] = createNode(("IP", "LT", "255.255.255.255", "False", "False")) watcherInstance.combineMatch(("NEW_MATCH",), "OR", (0,)) self.assertDictEqual({"value": "AND", "left": {"value": "OR", "left": {"value": ("IP", "GT", "0.0.0.0", "False", "False"), "left": None, "right": None}, "right": {"value": ("NEW_MATCH",), "left": None, "right": None}}, "right": {"value": ("IP", "LT", "255.255.255.255", "False", "False"), "left": None, "right": None}}, watcherInstance.rules)
def test_applyRule(self): watcherInstance = logwatch_manager.LogWatch(0, "Test Watcher", None) # Case 1 - matchfield : WHOLE payload = {'timestamp': 1542661800, 'hostname': 'john-pc', 'appname': 'gnome-shell', 'pid': '1758', 'msg': 'NOTE: Not using GLX TFP!'} self.assertTrue(watcherInstance.applyRule(("WHOLE", "EQ", "NOTE: Not using GLX TFP!", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "EQ", "NOTE: Not using GLX TFP!", "False", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "EQ", "note: not using glx tfp!", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("WHOLE", "EQ", "note: not using glx tfp!", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "EQ", "note: not using glx tfp!", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "EQ", "note: not using glx tfp!", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "RE", ".*GLX.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "RE", ".*GLX.*", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("WHOLE", "RE", ".*GLX.*", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("WHOLE", "RE", ".*GLX.*", "True", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("WHOLE", "RE", ".*tfp!", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("WHOLE", "RE", ".*tfp!", "False", "False"), payload)) # Case 2 - matchfield : IP self.assertTrue(watcherInstance.applyRule(("IP", "EQ", "john-pc", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "John-Pc", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "EQ", "John-Pc", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "john-pc", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "John-Pc", "True", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "176.240.43.210", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "RE", ".*john-pc.*", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "RE", ".*John-Pc.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "RE", ".*John-Pc.*", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "RE", ".*john-pc.*", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "RE", ".*John-Pc.*", "True", "True"), payload)) payload = {'timestamp': 1542661800, 'hostname': "176.240.43.210", 'appname': 'gnome-shell', 'pid': '1758', 'msg': 'NOTE: Not using GLX TFP!'} self.assertTrue(watcherInstance.applyRule(("IP", "EQ", "176.240.43.210", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "192.168.14.7", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "EQ", "176.240.43.210", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "LT", "192.168.14.7", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "LT", "192.168.14.7", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "LT", "157.51.14.41", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "LT", "157.51.14.41", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "LE", "192.168.14.7", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "LE", "192.168.14.7", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "LE", "176.240.43.210", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "LE", "176.240.43.210", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "LE", "157.51.14.41", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "LE", "157.51.14.41", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "GT", "157.51.14.41", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "GT", "157.51.14.41", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "GT", "192.168.14.7", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "GT", "192.168.14.7", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "GE", "176.240.43.210", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "GE", "192.168.14.7", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("IP", "GE", "157.51.14.41", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("IP", "GE", "176.240.43.210", "True", "False"), payload)) # Case 3 - matchfield : SEVERITY payload = {'severity': 'crit', 'facility': 'auth', 'version': 1, 'timestamp': '2003-10-11T22:14:15.003Z', 'hostname': '193.156.21.2', 'appname': 'su', 'procid': None, 'msgid': 'ID47', 'sd': {}, 'msg': "BOM'su root' failed for lonvick on /dev/pts/8"} self.assertTrue(watcherInstance.applyRule(("SEVERITY", "EQ", "crit", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "EQ", 2, "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "EQ", "criT", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "EQ", "criT", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "EQ", "crit", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LT", "debug", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LT", 0, "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LT", "emerg", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LT", "debuG", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LT", "debuG", "False", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LT", "debug", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "GT", "emerg", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GT", 7, "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GT", "debug", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "GT", "emerG", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "GT", "emerG", "False", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GT", "emerg", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LE", "crit", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LE", 5, "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LE", "debug", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LE", "emerg", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LE", "criT", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "LE", "criT", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "LE", "crit", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GE", "crit", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GE", 5, "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "GE", "emerg", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GE", "debug", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GE", "criT", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("SEVERITY", "GE", "criT", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("SEVERITY", "GE", "crit", "True", "False"), payload)) # Case 4 - matchfield : FACILITY self.assertTrue(watcherInstance.applyRule(("FACILITY", "EQ", "auth", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "EQ", 4, "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "EQ", "autH", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "EQ", "autH", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "EQ", "auth", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LT", "ntp", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LT", 12, "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LT", "unknown", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LT", "kern", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LT", "ntP", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LT", "ntP", "False", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LT", "ntp", "True", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "GT", "kern", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "GT", 0, "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GT", "unknown", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GT", "ntp", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "GT", "kerN", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "GT", "kerN", "False", "True"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GT", "kern", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "auth", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LE", 19, "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LE", "ntp", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "kern", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "autH", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "autH", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LE", "auth", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GE", "auth", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GE", 19, "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "GE", "kern", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "GE", "ntp", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "autH", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FACILITY", "LE", "autH", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FACILITY", "LE", "auth", "True", "False"), payload)) # Case 5 - matchfield : FIELD payload = {'severity': 'crit', 'facility': 'auth', 'version': 1, 'timestamp': '2003-10-11T22:14:15.003Z', 'hostname': '193.156.21.2', 'appname': 'su', 'procid': None, 'msgid': 'ID47', 'sd': {}, 'msg': "BOM,'su root',failed,for,lonvick,on,/dev/pts/8,check"} self.assertTrue(watcherInstance.applyRule(("FIELD:7:,", "EQ", "check", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2:,", "EQ", "failed", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5:,", "EQ", "failed,for,lonvick,on", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5:,", "EQ", "Failed,For,Lonvick,On", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5:,", "EQ", "Failed,For,Lonvick,On", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5:,", "EQ", "failed,for,lonvick,on", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:7:,", "RE", ".*check.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2:,", "RE", ".*failed.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5:,", "RE", ".*failed,for,lonvick,on.*", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5:,", "RE", ".*Failed,For,Lonvick,On.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5:,", "RE", ".*Failed,For,Lonvick,On.*", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5:,", "RE", ".*failed,for,lonvick,on.*", "True", "False"), payload)) payload = {'severity': 'crit', 'facility': 'auth', 'version': 1, 'timestamp': '2003-10-11T22:14:15.003Z', 'hostname': '193.156.21.2', 'appname': 'su', 'procid': None, 'msgid': 'ID47', 'sd': {}, 'msg': "BOM 'grep' failed for lonvick on /dev/pts/8 check"} self.assertTrue(watcherInstance.applyRule(("FIELD:7: ", "EQ", "check", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2: ", "EQ", "failed", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5: ", "EQ", "failed for lonvick on", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5: ", "EQ", "Failed For Lonvick On", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5: ", "EQ", "Failed For Lonvick On", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5: ", "EQ", "failed for lonvick on", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:7: ", "RE", ".*check.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2: ", "RE", ".*failed.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5: ", "RE", ".*failed for lonvick on.*", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5: ", "RE", ".*Failed For Lonvick On.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("FIELD:2-5: ", "RE", ".*Failed For Lonvick On.*", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("FIELD:2-5: ", "RE", ".*failed for lonvick on.*", "True", "False"), payload)) # Case 6 - matchfield : RE payload = {'severity': 'crit', 'facility': 'auth', 'version': 1, 'timestamp': '2003-10-11T22:14:15.003Z', 'hostname': '193.156.21.2', 'appname': 'su', 'procid': None, 'msgid': 'ID47', 'sd': {}, 'msg': "BOM'su root' failed for lonvick on /dev/pts/8"} self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event_location", "EQ", "/dev/pts/8", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "EQ", "failed", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "EQ", "faileD", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "EQ", "faileD", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "EQ", "failed", "True", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event_location","RE", ".*dev.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "RE", ".*fail.*", "False", "False"), payload)) self.assertFalse(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "RE", ".*faiL.*", "False", "False"), payload)) self.assertTrue(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "RE", ".*faiL.*", "False", "True"), payload)) self.assertFalse(watcherInstance.applyRule(("RE:.*su root.* (?P<event>.*ed).*on (?P<event_location>.+):event", "RE", ".*fail.*", "True", "False"), payload))