[Logcheck-devel] Bug#443171: Bug#443171: Bug#443171: Bug#443171: Bug#443171: Bug#443171: rules to ignore acpid messages

Hanspeter Kunz hp at edelkunz.ch
Fri Sep 21 14:54:42 UTC 2007


On Fri, 2007-09-21 at 10:12 -0400, Justin Pryzby wrote:
> On Fri, Sep 21, 2007 at 02:12:01PM +0100, martin f krafft wrote:
> > also sprach maximilian attems <max at stro.at> [2007.09.21.1340 +0100]:
> > > strict design
> > > so that not something sneaks in at the end.
> > 
> > I have gone down this line of thought and could not come up with
> > anything that would sneak in at the end. Can you name an example?
> It's a matter of being assertive.  Ideally logcheck filters precisely
> what the admin wants and everything else passes through.
> 
> Here's an example I've seen from postfix:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found(, try again)?$
> 
> AFAIK it's in practice identical behavior to leave off everything
> after "Host not found".  However now I know that there's two different
> messages that can be output.  Ideally every possible string matched by
> the regex could be output by the program.  This means (for example)
> that both NS and MX messages should be generated both with and without
> the "try again" suffix.  Otherwise that rule should get split into
> two.

I agree completely. Only that way it is possible to check what kind of
messages are being ignored by just looking at the rules. If .* matches a
substantial part of the message, this would be no longer possible.

> I'm not saying that .* is good, but it's better than using no $
> anchorage.

Well, I do not agree. But anyway I will rewrite the acpid ignore rules
such that .*$ won't be necessary anymore.
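
Added example, not part of the original message or of logcheck's own rule set: it applies the postfix rule quoted above in three forms (strict with `$`, no end anchor, and `.*$`) and counts how many lines would still be reported. The sample log lines and the helper names `sample_log` and `reported` are constructed for illustration, and `grep -E -v` is used as an approximation of logcheck's ignore step.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread). The third line carries a
# suffix the rule author never saw; a strict rule should let it through.
sample_log() {
cat <<'EOF'
Sep 21 14:00:01 mail postfix/smtpd[1234]: warning: Unable to look up MX host for example.org: Host not found
Sep 21 14:00:02 mail postfix/smtpd[1234]: warning: Unable to look up NS host for example.org: Host not found, try again
Sep 21 14:00:03 mail postfix/smtpd[1234]: warning: Unable to look up MX host for example.org: Host not found, UNEXPECTED SUFFIX
EOF
}

# Common part of the rule quoted in the thread, up to "Host not found".
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Unable to look up (NS|MX) host for [._[:alnum:]-]+: Host not found'

STRICT="${PREFIX}(, try again)?\$"   # the rule as quoted: only known endings
UNANCHORED="${PREFIX}"               # no $ anchor: any tail is ignored
WILDCARD="${PREFIX}.*\$"             # .*$ : anchored, but any tail is ignored

# Print the number of sample lines that survive the ignore rule,
# i.e. the lines that would still reach the admin's report.
reported() {
    # grep -c exits 1 when the count is 0, so mask the status.
    sample_log | grep -E -v -c -- "$1" || true
}

for name in STRICT UNANCHORED WILDCARD; do
    eval "rule=\$$name"
    printf '%-10s reported lines: %s\n' "$name" "$(reported "$rule")"
done
```

Only the strict form reports the line with the unknown suffix; the other two forms silently ignore it, which is also why the set of ignored messages cannot be read off those rules.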
