[Logcheck-devel] Bug#822165: logcheck-database: regex wrong in linux/ignore.d.server/postfix
Riku Saikkonen
rjs at netti.fi
Thu Apr 21 17:34:17 UTC 2016
Package: logcheck-database
Version: 1.3.17

(This is also present in the current git version
f005f31cd54a907adc8cb61888987d2ab3ab2480.)

The following regex on line 149 of
rulefiles/linux/ignore.d.server/postfix looks incorrect:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: numeric result [[[:xdigit:].:]{3,39}]+ in address->name lookup for [^[:space:]]+$

Specifically the part [[[:xdigit:].:]{3,39}]+ does not seem to match
anything useful, though technically it appears to be a valid POSIX
regular expression. GNU grep -E thinks it matches e.g. the strings
[444]] and 444]]], that is it has a character class that includes [
repeated 3-39 times and then a ] character one or more times.

I don't know which log messages this rule is supposed to match. Looking
at the expressions in the surrounding lines of that rule file, perhaps
the suspicious part should match an IPv4/IPv6 address, in which case the
outermost [ and ]+ should not be there. That is, perhaps the rule should
be:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: numeric result [[:xdigit:].:]{3,39} in address->name lookup for [^[:space:]]+$

On the other hand, codesearch.debian.net seems to find only this rule
when searching for "address->name lookup for" and only comments when
searching for "numeric result package:postfix". So maybe the log message
isn't there at all anymore?
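
A check of the two bracket expressions discussed in this report, added here as an example and not part of the original message or of logcheck. It assumes GNU grep -E; the sample log line is constructed and assumes the warning carries a bare IPv4 address.

```shell
#!/bin/sh
# Added example: compare the rule as shipped with the proposed correction.
LC_ALL=C; export LC_ALL

# The suspicious fragment and the proposed replacement, as quoted in the report.
ORIG_FRAG='[[[:xdigit:].:]{3,39}]+'
FIXED_FRAG='[[:xdigit:].:]{3,39}'

# The rest of the rule, unchanged from the report.
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: numeric result '
SUFFIX=' in address->name lookup for [^[:space:]]+$'

# Constructed sample line (assumption: this is the shape of the message
# the rule was written for; the report does not show a real one).
SAMPLE='Apr 21 17:34:17 mail postfix/smtpd[1234]: warning: numeric result 192.0.2.10 in address->name lookup for 192.0.2.10'

# matches REGEX STRING: succeeds only if the whole STRING matches REGEX.
matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# verdict REGEX STRING: prints "match" or "no-match".
verdict() {
    if matches "$1" "$2"; then echo match; else echo no-match; fi
}

# How the fragment parses: a bracket expression that contains "[" itself,
# repeated 3 to 39 times, followed by one or more literal "]".
for s in '[444]]' '444]]]' '192.0.2.10' '2001:db8::1'; do
    printf '%-12s shipped=%-8s proposed=%s\n' "$s" \
        "$(verdict "$ORIG_FRAG" "$s")" "$(verdict "$FIXED_FRAG" "$s")"
done

# Effect on the full rule: a line the shipped rule does not match is not
# ignored by logcheck and ends up in the report mail.
printf 'full rule, shipped:  %s\n' "$(verdict "${PREFIX}${ORIG_FRAG}${SUFFIX}" "$SAMPLE")"
printf 'full rule, proposed: %s\n' "$(verdict "${PREFIX}${FIXED_FRAG}${SUFFIX}" "$SAMPLE")"
```
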