[Logcheck-devel] so, about preprocessing... (#376106)

Martin Lohmeier martin at mein-horde.de
Wed Jul 5 14:37:34 UTC 2006


martin f krafft wrote:
> Hi,
> 
> I have been given commit access to logcheck by Todd and I am
> definitely inclined to help out with rule maintenance, but I would
> like to bring #376106 up onto the table.
> 
> I've been playing around with my little Makefile and am really
> pleased with it. Instead of cryptic regexps, I can just define rules
> like so:
> 
>   @LEAD@ @PROC_SMTP@: @QUEUE_ID@: @TO@, relay=@DNIP@, @DELAY@,
>     @DSNS@, status=deliverable \(@SMTP_SSTATUS@ recipient @EMAIL@
>     ok\)@EOL@
> 
> which will expand to
> 
>   ^[[:upper:]][[:alpha:]]{2} ([[:digit:]]{2}| [[:digit:]])
>   ([[:digit:]]{2}:){2}[[:digit:]]{2} seamus
>   postfix/smtp\[[[:digit:]]{1,5}\]: (NOQUEUE|[A-F[:digit:]]+):
>   to=<([-_.+=[:alnum:]]+@[-_.[:alnum:]]+|[[:alnum:]]+)>(,
>   orig_to=<([-_.+=[:alnum:]]+@[-_.[:alnum:]]+|[[:alnum:]]+)>)?,
>   relay=([-_.[:alnum:]]+|([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}|unknown)\[([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}\](:[[:digit:]]{1,5})?,
>   delay=[[:digit:]]+(\.[[:digit:]]+)?,
>   delays=([[:digit:]]+(\.[[:digit:]]+)?/){3}[[:digit:]]+(\.[[:digit:]]+)?,
>   dsn=2\.[[:digit:]]+\.[[:digit:]]+, status=deliverable
>   \(2[[:digit:]]{2} recipient
>   <([-_.+=[:alnum:]]+@[-_.[:alnum:]]+|[[:alnum:]]+)> ok\)$
> 
> OMG you might say, and rightly so... the generated rules are even
> less readable to humans, but this way, I can make sure that e.g. an
> IP address is always the same:
> "([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}" (which could be even more
> refined). This makes rule maintenance far easier IMHO, and also
> provides for greater consistency in the rules.
> 
> I think I could implement this in logcheck non-intrusively, but I'd
> want to hear what people have to say first.
> 
> So, any comments?

I also like this, not only because of #375428.

When looking at the postfix rules, it also crossed my mind that it would
help to use equal regex on equal matches. The Q-ID in postfix's rules is
a good example for this. There are various regex that are used here.

bye, Martin

-- 

Powered by Debian GNU / Linux

Browse my blog on http://blog.mein-horde.de
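
The preprocessing idea discussed in this message, as an added Python sketch (not code from the thread or from logcheck): it expands the quoted `@NAME@` rule and checks the result against a constructed log line. The fragment assigned to each macro is inferred from the expansion quoted above, `NUM` and `IP` are hypothetical helper macros, and the POSIX class translation exists only so Python's `re` can test the egrep-style output.

```python
import re

# Macro names are from the quoted rule; each fragment is inferred from the
# expansion shown there (assumption). NUM and IP are hypothetical helpers that
# show nesting. Upper-case-only names keep EMAIL's literal "@" from being a token.
MACROS = {
    "NUM": r"[[:digit:]]+(\.[[:digit:]]+)?",
    "IP": r"([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}",
    "EMAIL": r"<([-_.+=[:alnum:]]+@[-_.[:alnum:]]+|[[:alnum:]]+)>",
    "LEAD": r"^[[:upper:]][[:alpha:]]{2} ([[:digit:]]{2}| [[:digit:]]) "
            r"([[:digit:]]{2}:){2}[[:digit:]]{2} seamus",
    "PROC_SMTP": r"postfix/smtp\[[[:digit:]]{1,5}\]",
    "QUEUE_ID": r"(NOQUEUE|[A-F[:digit:]]+)",
    "TO": r"to=@EMAIL@(, orig_to=@EMAIL@)?",
    "DNIP": r"([-_.[:alnum:]]+|@IP@|unknown)\[@IP@\](:[[:digit:]]{1,5})?",
    "DELAY": r"delay=@NUM@",
    "DSNS": r"delays=(@NUM@/){3}@NUM@, dsn=2\.[[:digit:]]+\.[[:digit:]]+",
    "SMTP_SSTATUS": r"2[[:digit:]]{2}",
    "EOL": r"$",
}
RULE = (r"@LEAD@ @PROC_SMTP@: @QUEUE_ID@: @TO@, relay=@DNIP@, @DELAY@, @DSNS@, "
        r"status=deliverable \(@SMTP_SSTATUS@ recipient @EMAIL@ ok\)@EOL@")
TOKEN = re.compile(r"@([A-Z_]+)@")
POSIX = {"[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9", "[:upper:]": "A-Z"}

def expand(text, stack=()):
    """Expand @NAME@ recursively; a typo or cycle raises instead of shipping a dead rule."""
    def sub(m):
        name = m.group(1)
        if name not in MACROS:
            raise KeyError(f"undefined macro @{name}@")
        if name in stack:
            raise ValueError(f"macro cycle through @{name}@")
        return expand(MACROS[name], stack + (name,))
    return TOKEN.sub(sub, text)

def to_python(ere):
    """The output is a POSIX ERE for egrep; map its classes so Python's re can test it."""
    for cls, rng in POSIX.items():
        ere = ere.replace(cls, rng)
    return ere

def matches(rule, line):
    return re.search(to_python(expand(rule)), line) is not None

# Constructed sample log line (not from the message).
SAMPLE = ("Jul  5 14:37:34 seamus postfix/smtp[4242]: 3F2A1B9C0D: to=<user@example.org>, "
          "relay=mx.example.org[192.0.2.25]:25, delay=0.42, delays=0.1/0.02/0.2/0.1, "
          "dsn=2.1.5, status=deliverable (250 recipient <user@example.org> ok)")
```

Failing the build on an unknown `@NAME@` matters for ignore rules: a misspelled macro left in place yields a pattern that never matches, so the rule silently stops filtering.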
