[Logcheck-devel] Bug#443171: Bug#443171: Bug#443171: Bug#443171: Bug#443171: rules to ignore acpid messages

Justin Pryzby jpryzby+d at quoininc.com
Fri Sep 21 14:12:07 UTC 2007


On Fri, Sep 21, 2007 at 02:12:01PM +0100, martin f krafft wrote:
> also sprach maximilian attems <max at stro.at> [2007.09.21.1340 +0100]:
> > strict design
> > so that not something sneaks in at the end.
> 
> I have gone down this line of thought and could not come up with
> anything that would sneak in at the end. Can you name an example?

It's a matter of being assertive.  Ideally logcheck filters precisely
what the admin wants and everything else passes through.

Here's an example I've seen from postfix:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?$

AFAIK it's in practice identical behavior to leave off everything
after "Host not found".  However now I know that there's two different
messages that can be output.  Ideally every possible string matched by
the regex could be output by the program.  This means (for example)
that both NS and MX messages should be generated both with and without
the "try again" suffix.  Otherwise that rule should get split into
two.

I'm not saying that .* is good, but it's better than using no $
anchorage.

Justin
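
Added example, not part of the original message or of logcheck itself: the postfix rule quoted above applied with grep -E to three log lines, once with its "$" anchor, once with a ".*$" tail and once with no tail anchor, to show which lines each variant still lets through to the report. The log lines and the function names (sample_log, reported, reported_count) are constructed for illustration.

```shell
#!/bin/sh
# The rule from the message above, minus its trailing "$" anchor.
BASE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?'

# Constructed sample input: two expected messages and one with a suffix
# the rule author never saw.
sample_log() {
cat <<'EOF'
Sep 21 14:12:07 mail postfix/smtpd[4242]: warning: Unable to look up MX host for example.org: Host not found
Sep 21 14:12:08 mail postfix/smtpd[4242]: warning: Unable to look up NS host for example.net: Host not found, try again
Sep 21 14:12:09 mail postfix/smtpd[4242]: warning: Unable to look up MX host for example.com: Host not found; constructed unexpected suffix
EOF
}

# Lines the rule does NOT match, i.e. what would still reach the admin.
reported() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of lines that would still be reported under the given rule.
reported_count() {
    sample_log | grep -E -v -c -e "$1" || true
}

# Compare the three ways of ending the rule.
for suffix in '$' '.*$' ''; do
    printf 'rule tail %-6s -> %s line(s) reported\n' \
        "[$suffix]" "$(reported_count "$BASE$suffix")"
done

# Show the line that only the "$"-anchored rule lets through.
reported "${BASE}\$"
```

Only the "$"-anchored rule reports the third line; the other two variants ignore it along with the expected messages.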