[Logcheck-devel] Opinion on #742069
Martín Ferrari
tincho at tincho.org
Thu Apr 3 09:31:42 UTC 2014

On 02/04/14 19:30, Alberto Gonzalez Iniesta wrote:
> Hi, I was looking at fixing #742069, since it's quite recent. But I have
> doubts on the right solution.
>
> The thing is, if you enable smtps in postfix (just un-commenting some
> lines in the shipped master.cf), logs from smtps will add 'smtps/' to
> the daemon name. So rules like this:
>
> .... postfix/smtpd\[[[:digit:]]+\]: ....
>
> Should be changed to this:
>
> .... postfix/(smtps/)?smtpd\[[[:digit:]]+\]: ...

On a similar note: I have already accumulated a few regexes to add to
postfix. In my case, I have plenty of lines for
postfix/submission/smtpd. I don't know what postfix's criteria are for
creating these log lines, but it seems it is using the port name. So maybe it
should be postfix/([^[:space:]]+/)?smtpd

> The reporter only mentions a couple of buggy lines, but I'm afraid more
> will show up eventually [1]. Should we mass upgrade those postfix/smtpd or
> start fixing as people complain?

I don't know about this. One thing I was thinking about when preparing
my regexes for dovecot (a bunch of them, and quite complicated ones), is
that it could be useful to have some kind of testing framework. For my
own consumption, I have already prepared a script that takes live log
data, sanitises it, and then I use that to test the rules.
--
Martín Ferrari (Tincho)
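
Added example, not part of the original message and not logcheck's own code: a small shell check that runs the three daemon-name fragments discussed above through `grep -E` against sample lines and counts what would still be reported. The log lines, the `connect from` event and the rule prefix/suffix are constructed assumptions standing in for the parts the message elides with "....".

```shell
#!/bin/sh
# Constructed sample lines (not real log data): one smtpd event logged under
# three service names, plus an unrelated line that no rule should filter.
sample_logs() {
cat <<'EOF'
Apr  3 09:31:42 mail postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Apr  3 09:31:43 mail postfix/smtps/smtpd[1235]: connect from unknown[192.0.2.11]
Apr  3 09:31:44 mail postfix/submission/smtpd[1236]: connect from unknown[192.0.2.12]
Apr  3 09:31:45 mail postfix/qmgr[1237]: 4F2A81C0D3: removed
EOF
}

# Simplified rule skeleton (an assumption; the message elides these parts).
# Only the daemon-name fragment between PREFIX and SUFFIX varies.
PREFIX='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ '
SUFFIX='\[[[:digit:]]+\]: connect from [._[:alnum:]-]+\[[[:xdigit:].:]+\]$'

# The three fragments from the thread: original, smtps-only, any service name.
RULE_ORIG="${PREFIX}postfix/smtpd${SUFFIX}"
RULE_SMTPS="${PREFIX}postfix/(smtps/)?smtpd${SUFFIX}"
RULE_ANY="${PREFIX}postfix/([^[:space:]]+/)?smtpd${SUFFIX}"

# Print the sample lines a rule does NOT match, i.e. the lines that would
# still end up in the report. grep exits 1 when nothing is selected.
reported() {
    sample_logs | grep -Ev -- "$1" || true
}

# Count those lines.
reported_count() {
    reported "$1" | grep -c '' || true
}

printf 'postfix/smtpd:                    %s reported\n' "$(reported_count "$RULE_ORIG")"
printf 'postfix/(smtps/)?smtpd:           %s reported\n' "$(reported_count "$RULE_SMTPS")"
printf 'postfix/([^[:space:]]+/)?smtpd:   %s reported\n' "$(reported_count "$RULE_ANY")"
```

An ignore rule suppresses every line it matches, so a wider fragment such as `([^[:space:]]+/)?` is worth checking against lines that must stay in the report (here the `qmgr` line) as well as against the ones it is meant to filter.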