Bug#306913: [Logcheck-devel] Bug#306913: logcheck: please allow @ in "hostname" part of logs

Todd Troxell ttroxell at debian.org
Sat Oct 15 22:55:47 UTC 2005


On Wed, May 04, 2005 at 09:56:18PM +0100, Jamie L. Penman-Smithson wrote:
> On Wed, 2005-05-04 at 19:44 +0200, maximilian attems wrote:
> > On Wed, 04 May 2005, Jamie L. Penman-Smithson wrote:
> > > > > Now logcheck doesn't usually allow for the @ in logs which results in
> > > > > basically no ignore line matching.  Please add @ to the regexes, thanks.
> > > <snip log snippets>
> > > > 
> > > > ~/src/logcheck/rulefiles/linux$ egrep '\[._\[:alnum:\]-\]'  -r . | wc -l
> > > > 896
> > > > 
> > > > that's not fun. while changing all those we'd better switch to the use of
> > > > macros. very inclined to merge that with those open bugs.
> > > 
> > > for i in *; do cat $i | sed -e "s/\[\._\[:alnum:\]-\]+/\[\._@\[:alnum:\]-\]\+/" >> $i.new; done
> > > 
> > > ..appears to work here..
> >
> > yes i know, could have done something similar with perl,
> > but we just want to change all hostnames and who says they
> > are exactly formatted like above and really hostnames you
> > change. needs human edit and then it's better to do it
> > right, no?
> 
> That only matches the first occurrence of [._[:alnum:]-]+ and since
> every rule starts with "^\w{3} [ :0-9]{11} [._[:alnum:]-]+" it'll only
> change the regexp we use for the hostname.
> 
> It's better than manually going through and changing every occurrence
> 800+ times. I've tested it here:
> 
> $ for i in *; do cat $i | sed -e "s/\[\._\[:alnum:\]-\]+/\[\._@\[:alnum:\]-\]\+/" >> $i.new; done
> 
> $ egrep -vf ../logcheck/rulefiles/linux/TEST_ignore.d.server/postfix.new postfix.log | egrep -vf ../logcheck/rulefiles/linux/violations.ignore.d/logcheck-postfix
> $
> 
> They work just as well as the old rules, they just match the additional
> '@'.. 
> 
> However, if you'd rather wait for macro support, that's fine.

Macros are on the way:
http://wiki.logcheck.org/index.cgi/LogcheckTemplateSystem
:)

-- 
Todd Troxell
http://rapidpacket.com/~xtat
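
Added example, not part of the original thread and not logcheck's own code: the first-occurrence substitution discussed above, restricted to rules that start with the standard prefix, with the remaining rules listed for manual review. The rules, the log line and the function names are constructed for illustration; GNU sed and grep are assumed.

```shell
#!/bin/sh
# Constructed rules and log line for illustration; not taken from logcheck.
STD_PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+'   # rule prefix quoted in the thread
OLD_CLASS='[._[:alnum:]-]+'

# Rule 1 uses the class twice; rule 3 does not start with the standard prefix.
sample_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: connect from [._[:alnum:]-]+\[[0-9.]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection closed by [0-9.]+$
^[._[:alnum:]-]+ custom prefix rule$
EOF
}

# No "g" flag, so only the first occurrence on each line changes. The address
# limits the edit to lines that start with the standard prefix, where that
# first occurrence is the hostname field.
add_at_to_hostname() {
    sed -e '/^\^\\w{3} \[ :0-9]{11} \[\._\[:alnum:]-]+/s/\[\._\[:alnum:]-]+/[._@[:alnum:]-]+/'
}

# Rules that use the class but lack the standard prefix: left for a human.
needs_review() {
    while IFS= read -r rule; do
        case $rule in
            "$STD_PREFIX"*) ;;
            *"$OLD_CLASS"*) printf '%s\n' "$rule" ;;
        esac
    done
}

# Print the log lines on stdin that no rule in file $1 ignores.
unignored() {
    grep -E -v -f "$1" || true
}

LOG_LINE='Oct 15 22:55:47 user@mailhost postfix/smtpd[1234]: connect from client.example.org[192.0.2.10]'
tmp=$(mktemp -d)
sample_rules > "$tmp/old"
sample_rules | add_at_to_hostname > "$tmp/new"
echo "reported with old rules: $(printf '%s\n' "$LOG_LINE" | unignored "$tmp/old" | wc -l)"
echo "reported with new rules: $(printf '%s\n' "$LOG_LINE" | unignored "$tmp/new" | wc -l)"
echo "left for manual review:"; sample_rules | needs_review
rm -rf "$tmp"
```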




