Bug#273433: [Logcheck-devel] Bug#273433: logcheck: odd behaviour with perdition rules

maks attems debian at sternwelten.at
Mon Sep 27 08:36:10 UTC 2004


On Mon, 27 Sep 2004, Jamie L. Penman-Smithson wrote:

> On Mon, 2004-09-27 at 01:51 +0200, maks attems wrote:
> > try:
> >  
> >  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> >  [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}-
> > [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$
> > 
> > without any space at the end.
> 
> Unfortunately, this doesn't work. It appears that perdition adds a space
> to the end of Connect log messages.

maybe i'm confused by the different rules you tried,
but did you try the above rule with logcheck?
(i know that it will fail for egrep because of the ending space.)
 
> > yeah that's not documented, it strips from logfile away before
> > processing them through egrep.

hmm i was already very sleepy yesterday, so the explanation was bad,
but if you look at the code:

$SORT -m $TMPDIR/logoutput/* | uniq | sed -e 's/ *$//' | cat \
    > $TMPDIR/logoutput-sorted \

we strip any trailing whitespace in the logfile using sed.

so a better test for such special logfiles would be (example for syslog):

# sed -e 's/ *$//' /var/log/syslog | egrep 'regex_of_your_choice'

this regex_of_your_choice should work with logcheck.
 

thanks for clarifying the above question. :)

--
maks
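
The test described in the message above, as an added example that is not part of the original message or of logcheck's own code: it runs a rule against log lines both raw and after the same sed expression, and lists the lines that match only once trailing spaces are stripped. Assumptions: the rule is the one quoted in the thread joined onto one line, the log lines are constructed, the function names are hypothetical, and grep -E stands in for egrep.

```shell
#!/bin/sh
# Rule from the thread, joined onto one line (assumed: one space after
# "Connect:" and nothing around the "-"); note it ends in "$" with no space.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}-[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$'

# Constructed sample log: the perdition line carries a trailing space.
sample_log() {
    printf '%s\n' \
        'Sep 27 08:30:01 mail perdition[1234]: Connect: 192.0.2.10-192.0.2.20 ' \
        'Sep 27 08:30:02 mail sshd[4321]: Accepted publickey for admin'
}

# The preprocessing step quoted in the message: drop trailing spaces.
logcheck_view() { sed -e 's/ *$//'; }

# Count of stdin lines the rule matches exactly as they sit in the logfile.
count_raw() { grep -E -c -- "$1" || true; }

# Count of stdin lines the rule matches after the stripping step.
count_as_logcheck() { logcheck_view | grep -E -c -- "$1" || true; }

# Print (stripped) the lines that fail raw but match after stripping,
# i.e. the lines where a plain egrep test gives a misleading result.
only_after_strip() {
    rule=$1
    while IFS= read -r line; do
        stripped=$(printf '%s\n' "$line" | logcheck_view)
        if ! printf '%s\n' "$line" | grep -E -q -- "$rule" &&
             printf '%s\n' "$stripped" | grep -E -q -- "$rule"; then
            printf '%s\n' "$stripped"
        fi
    done
}

echo "raw matches:      $(sample_log | count_raw "$RULE")"
echo "after stripping:  $(sample_log | count_as_logcheck "$RULE")"
echo "differing lines:"
sample_log | only_after_strip "$RULE"
```

To check a real file, feed it on stdin instead of sample_log, for example `only_after_strip "$RULE" < /var/log/syslog`.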





