On Sun, Sep 07, 2003 at 09:49:17PM -0500, Alex Malinovich wrote:
> I've got a slight problem with a regexp in one of my logcheck ignore
> files. The lines that I want to get rid of are in the form of the
> following:
>
> Sep 7 17:21:48 Bigbrother dhcpd: DHCPREQUEST for 192.168.0.8 from
> 00:50:04:d2:e0:2c via eth1
> Sep 7 17:21:48 Bigbrother dhcpd: DHCPACK on 192.168.0.8 to
> 00:50:04:d2:e0:2c via eth1
>
> and
>
> Sep 7 07:09:45 Bigbrother dhcpd: DHCPREQUEST for 192.168.0.125 from
> 00:0c:29:65:14:f5 (guts) via eth1
> Sep 7 07:09:45 Bigbrother dhcpd: DHCPACK on 192.168.0.125 to
> 00:0c:29:65:14:f5
> (guts) via eth1
>
> The default setup got rid of the former lines just fine. That was:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x|): DHCPREQUEST for
> [.0-9]+ (\([\.0-9]+\) |)from [:[:alnum:]]+ via [[:alnum:]]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x|): DHCPACK on [.0-9]+ to
> [:[:al\num:]]+ via [[:alnum:]]+$
>
>
> I modified it in order to get rid of the latter by adding
> (\([._[:alnum:]-]+\)|) giving me:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x|): DHCPREQUEST for
> [.0-9]+ (\([\.0-9]+\) |)from [:[:alnum:]]+ (\([._[:alnum:]-]+\)|) via
> [[:alnum:]]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x|): DHCPACK on [.0-9]+ to
> [:[:al\num:]]+ (\([._[:alnum:]-]+\)|) via [[:alnum:]]+$
                 ^^^^^^^^^^^^^^^^^^^^^^^
You need to move one of the spaces into the optional part, otherwise
with no "(guts)" part the rule is looking for 2 consecutive spaces.
>
> Now the filter gets rid of the latter, but lets the former through! Is
> there some glaring omission in my regexp that I haven't caught yet?
> Possibly because of the double parenthesis? The outer set is for a
> selection, the inner set is literal. Any suggestions are welcome.
--
.''`. Jason Chambers <chambersj@thingy.org.uk>
: :' : Registered linux user #271693
`. `'`
`- http://www.debian.org/ - The Universal Operating System
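
The fix described in the reply, checked with `grep -E`, since logcheck ignore rules are extended regular expressions. This is an added example, not part of the original thread: the variable and function names are chosen here, the sample lines are the post's four log lines re-joined and written with syslog's two-space padding before a single-digit day (an assumption), and the MAC address class is written as `[:[:alnum:]]`.

```shell
#!/bin/sh
# Added example: the names PREFIX, OPT_*, sample_log and leftover are chosen here.

# Shared start of both dhcpd rules, as quoted in the post.
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x|): '

# Three variants of the text between the MAC address and the interface name.
OPT_DEFAULT=' via'                          # stock rule: no client name allowed
OPT_POSTED=' (\([._[:alnum:]-]+\)|) via'    # posted change: space, optional name, space
OPT_FIXED=' (\([._[:alnum:]-]+\) |)via'     # second space moved inside the optional group

# Constructed sample: the four log lines from the post, one message per line.
sample_log() {
cat <<'EOF'
Sep  7 17:21:48 Bigbrother dhcpd: DHCPREQUEST for 192.168.0.8 from 00:50:04:d2:e0:2c via eth1
Sep  7 17:21:48 Bigbrother dhcpd: DHCPACK on 192.168.0.8 to 00:50:04:d2:e0:2c via eth1
Sep  7 07:09:45 Bigbrother dhcpd: DHCPREQUEST for 192.168.0.125 from 00:0c:29:65:14:f5 (guts) via eth1
Sep  7 07:09:45 Bigbrother dhcpd: DHCPACK on 192.168.0.125 to 00:0c:29:65:14:f5 (guts) via eth1
EOF
}

# Print how many sample lines survive the ignore rules, i.e. would still be reported.
# $1 is one of the OPT_* fragments above.
leftover() {
  req="$PREFIX"'DHCPREQUEST for [.0-9]+ (\([\.0-9]+\) |)from [:[:alnum:]]+'"$1"' [[:alnum:]]+$'
  ack="$PREFIX"'DHCPACK on [.0-9]+ to [:[:alnum:]]+'"$1"' [[:alnum:]]+$'
  # grep -v -c exits 1 when the count is 0, so that status is not treated as a failure.
  sample_log | grep -E -v -c -e "$req" -e "$ack" || true
}

echo "default rules: $(leftover "$OPT_DEFAULT") line(s) still reported"
echo "posted rules:  $(leftover "$OPT_POSTED") line(s) still reported"
echo "fixed rules:   $(leftover "$OPT_FIXED") line(s) still reported"
```

The posted variant only matches when two spaces sit between the MAC address and `via`, which is why the lines without a client name start coming through again.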