[Logcheck-devel] Bug#443171: Bug#443171: Bug#443171: Bug#443171: Bug#443171: Bug#443171: rules to ignore acpid messages

Fri Sep 21 14:51:38 UTC 2007

On Fri, Sep 21, 2007 at 04:35:18PM +0200, Gerfried Fuchs wrote:
> Am Freitag, den 21.09.2007, 10:12 -0400 schrieb Justin Pryzby:
> > On Fri, Sep 21, 2007 at 02:12:01PM +0100, martin f krafft wrote:
> > > also sprach maximilian attems <max at stro.at> [2007.09.21.1340 +0100]:
> > > > strict design
> > > > so that not something sneeks in at the end.
> > > 
> > > I have gone down this line of thought and could not come up with
> > > anything that would sneak in at the end. Can you name an example?
> > It's a matter of being assertive.  Ideally logcheck filters precisely
> > what the admin wants and everything else passes through.
> > 
> > Here's an example I've seen from postfix:
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?$
> > 
> > AFAIK it's in practice identical behavior to leave off everything
> > after "Host not found".  However now I know that there's two different
> > messages that can be output.  Ideally every possible string matched by
> > the regex could be output by the program.  This means (for example)
> > that both NS and MX messages should be generated both with and without
> > the "try again" suffix.  Otherwise that rule should get split into
> > two.
> > 
> > I'm not saying that .* is good, but it's better than using no $
> > anchorage.
> 
>  Your example is a fine and good thing.  But that's a completely
> different case: .*$ in fact _is_ leaving off the $ anchor because it
> doesn't matter at all what comes after it.  Matching it just increases
> the time spent in the regex engine because it will try to check for that
> match in every possible sense.  If I would take your example of "Host
> not found(, try again)?$" and put a .* in there it makes the brackets a
> waste because .* matches the bracket, too, and it's not a required match
> from there, so practically "(blub)?.*$" reduces to ".*$".
> 
>  So, what's your reasoning of calling dot-star-dollar being better than
> not matching up to the end of the line, because your example clearly
> wasn't one that helps your statement.
Like I said, this is far from ideal.  But .*$ at least shows that the
regex is effectively ended, and not that the tail part is missing.