
Re: Debian Sarge Logcheck Query



On Mon, Feb 16, 2004 at 09:02:18PM +1000, Peter A. Cole wrote:
> I'm using logcheck to get notifications on my Debian Sarge box, but I would
> really like to get rid of a few extra messages that can be ignored. The
> entries I want to ignore are:
> 
> Feb 16 20:49:38 jake in.qpopper[2843]: connect from 10.200.50.152
> Feb 16 20:49:38 jake in.qpopper[2843]: (v4.0.5) Unable to get canonical name
> of client 10.200.50.152: Unknown host (1) [pop_init.c:1087]
> Feb 16 20:49:39 jake in.qpopper[2843]: (v4.0.5) POP login by user "user" at
> (10.200.50.152) 10.200.50.152 [pop_log.c:244]
> Feb 16 20:49:39 jake in.qpopper[2843]: Stats: user 0 0 0 0 10.200.50.152
> 10.200.50.152 [pop_updt.c:296]
> 
> ^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: connect from$

The $ at the end is your problem. This matches the end of the string.

> ^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: (v.4.0.5) Unable to get
> canonical name of client$

Quote the (). Also the '.'s should be quoted but it isn't really as
important. (v.4.0.5) -> \(v4.0.5\) or \(v4\.0\.5\) There was an extra
dot in there.

> ^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: (v.4.0.5) POP login by user$
> ^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: Stats:$

Ditto for these

Also you might want to get rid of everything before 'in.qpopper' -
unless you are dealing with multiple systems.

Don't think there's any more problems but I could have missed something.

> I realise I'm probably getting the syntax or something wrong, but I have no
> idea what language this is or exactly what these commands do.

Extended regular expressions. 'man grep' for more information.

Brian
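
The corrections above can be checked before the rules go live. The script below is an added example, not part of the original thread: it runs the rules as first posted and as corrected against the four qpopper lines from the post (unwrapped), plus one constructed sshd line that must stay visible. It assumes ignore rules behave like `grep -E -v -f`; the function names are hypothetical.

```shell
#!/bin/sh
# The four qpopper lines from the post (unwrapped) plus one constructed
# sshd line that the rules must leave visible.
sample_log() {
cat <<'EOF'
Feb 16 20:49:38 jake in.qpopper[2843]: connect from 10.200.50.152
Feb 16 20:49:38 jake in.qpopper[2843]: (v4.0.5) Unable to get canonical name of client 10.200.50.152: Unknown host (1) [pop_init.c:1087]
Feb 16 20:49:39 jake in.qpopper[2843]: (v4.0.5) POP login by user "user" at (10.200.50.152) 10.200.50.152 [pop_log.c:244]
Feb 16 20:49:39 jake in.qpopper[2843]: Stats: user 0 0 0 0 10.200.50.152 10.200.50.152 [pop_updt.c:296]
Feb 16 20:50:01 jake sshd[2901]: Failed password for root from 10.200.50.152 port 4022 ssh2
EOF
}

# Rules as first posted: trailing $ and unescaped (v.4.0.5).
original_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: connect from$
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: (v.4.0.5) Unable to get canonical name of client$
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: (v.4.0.5) POP login by user$
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: Stats:$
EOF
}

# Rules after the reply's corrections: no trailing $, literal \(v4\.0\.5\).
fixed_rules() {
cat <<'EOF'
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: connect from
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: \(v4\.0\.5\) Unable to get canonical name of client
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: \(v4\.0\.5\) POP login by user
^\w{3} [ :0-9]{11} jake in.qpopper\[[0-9]+\]: Stats:
EOF
}

# Print the lines no rule matches, i.e. what would still be reported.
reported() {
    rules=$(mktemp) || return 1
    "$1" > "$rules"
    sample_log | grep -E -v -f "$rules" || :
    rm -f "$rules"
}

count_reported() { reported "$1" | wc -l | tr -d ' '; }

echo "original rules: $(count_reported original_rules) of 5 lines still reported"
echo "fixed rules:    $(count_reported fixed_rules) of 5 lines still reported"
reported fixed_rules
```

Without the trailing $ each rule is a prefix match, so anything that follows the matched text on a qpopper line is suppressed as well; a pattern for the rest of the line ending in $ keeps the rule narrower.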


