[Logcheck-devel] Bug#443171: rules to ignore acpid messages

Gerfried Fuchs alfie at ist.org
Fri Sep 21 14:35:18 UTC 2007


On Friday, 21.09.2007, at 10:12 -0400, Justin Pryzby wrote:
> On Fri, Sep 21, 2007 at 02:12:01PM +0100, martin f krafft wrote:
> > thus spoke maximilian attems <max at stro.at> [2007.09.21.1340 +0100]:
> > > strict design
> > > so that not something sneaks in at the end.
> > 
> > I have gone down this line of thought and could not come up with
> > anything that would sneak in at the end. Can you name an example?
> It's a matter of being assertive.  Ideally logcheck filters precisely
> what the admin wants and everything else passes through.
> 
> Here's an example I've seen from postfix:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?$
> 
> AFAIK it's in practice identical behavior to leave off everything
> after "Host not found".  However now I know that there's two different
> messages that can be output.  Ideally every possible string matched by
> the regex could be output by the program.  This means (for example)
> that both NS and MX messages should be generated both with and without
> the "try again" suffix.  Otherwise that rule should get split into
> two.
> 
> I'm not saying that .* is good, but it's better than using no $
> anchorage.

 Your example is a fine and good thing.  But that's a completely
different case: .*$ in fact _is_ leaving off the $ anchor because it
doesn't matter at all what comes after it.  Matching it just increases
the time spent in the regex engine because it will try to check for that
match in every possible sense.  If I would take your example of "Host
not found(, try again)?$" and put a .* in there it makes the brackets a
waste because .* matches the bracket, too, and it's not a required match
from there, so practically "(blub)?.*$" reduces to ".*$".

 So, what's your reasoning of calling dot-star-dollar being better than
not matching up to the end of the line, because your example clearly
wasn't one that helps your statement.

 So long,
Rhonda
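
Added example, not part of the original message: the postfix rule quoted above in three forms (anchored with $, ending in .*$, and with no end anchor), run over constructed log lines. It assumes an ignore rule drops every line it matches, approximated here with grep -E -v; the sample lines, the third line's suffix and the function names are made up for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (not from the thread). The third line carries
# a hypothetical suffix that the rule's author has never seen before.
SAMPLE='Sep 21 10:12:01 mail postfix/smtpd[1234]: warning: Unable to look up MX host for example.org: Host not found
Sep 21 10:12:02 mail postfix/smtpd[1234]: warning: Unable to look up NS host for example.org: Host not found, try again
Sep 21 10:12:03 mail postfix/smtpd[1234]: warning: Unable to look up MX host for example.org: Host not found, unexpected new suffix'

# Common part of the rule, copied from the quoted message.
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found'

STRICT="${PREFIX}(, try again)?\$"     # rule as quoted: anchored at end of line
DOTSTAR="${PREFIX}(, try again)?.*\$"  # optional group followed by .*$
OPEN="${PREFIX}"                       # no end anchor at all

# reported PATTERN: print the sample lines the rule does NOT ignore,
# i.e. the lines that would still reach the admin.
reported() {
    printf '%s\n' "$SAMPLE" | grep -E -v -e "$1" || true
}

# reported_count PATTERN: number of lines that still get reported.
reported_count() {
    reported "$1" | grep -c . || true
}

echo "anchored with \$ : $(reported_count "$STRICT") line(s) reported"
reported "$STRICT"
echo "ending in .*\$   : $(reported_count "$DOTSTAR") line(s) reported"
echo "no end anchor   : $(reported_count "$OPEN") line(s) reported"
```

Only the $-anchored rule lets the line with the unknown suffix through; the .*$ form and the unanchored form ignore exactly the same set of lines.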