[Logwatch-Devel] Proposal/Suggestion for filter REs

logwatch at mikecappella.com logwatch at mikecappella.com
Fri Dec 16 13:47:38 MST 2005


 
> The unspoken solution is that every so often someone who 
> cares enough needs to go through the filter and remove the 
> bloat and clean up the RE.
> Sounds painful huh? I'll point out that Bjorn did just this 
> with the Sendmail filter this year. A huge task but the end 
> result was very good.
> 
> -Mike
> 

Bjorn/Mike,

I hear and understand your points.  I've been a developer for a long time,
and understand the issues you've presented.  I've also written enough server
apps and kernel code to understand how logs are generated, sometimes field
by field.

Still, I'm not sure it's realistic to review all the versions of, for
example, sendmail, with all their variants and patches to clean out a
filter.  Looking at the latest version of sendmail or postfix source is one
thing, but many distros patch the source during, for example, RPM build
time.  Unless all those variants are examined, it's only guesswork.  And
then there's past versions of the source - I've seen postfix messages change
several times in recent versions; same with amavisd-new.

Perhaps there really is no better way than just allowing the REs to
accumulate, and massage them as necessary.  While I was working on the
postfix filter (and others previously), I was amazed at how rudimentary, and
redundant, many of the REs were.

Maybe there's nothing to be done here.  It would be nice to have some known
sample data and regression tests to verify any mods.

It was good to hear your thoughts.

MikeC
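
Added example (not part of the original message, and not Logwatch code): a minimal regression harness of the kind the message wishes for, written in Python for illustration. The rules, rule names and log lines are constructed; it assumes a filter that works as a first-match-wins chain of REs.

```python
import re

# Constructed rules in the style of a mail-log filter; first match wins,
# like an if/elsif chain. None of these are Logwatch's own REs.
RULES = [
    ("connect",      r"\bconnect from \S+\[[\d.]+\]"),
    ("disconnect",   r"\bdisconnect from \S+\[[\d.]+\]"),
    ("reject",       r"NOQUEUE: reject: RCPT from \S+: \d{3} "),
    ("reject_relay", r"reject: RCPT from .*Relay access denied"),
    ("old_reject",   r"reject: RCPT from .*Service unavailable"),
]

# Constructed sample corpus: (log line, rule expected to claim it, or None
# when the line is expected to fall through to the "unmatched" report).
SAMPLES = [
    ("postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]", "connect"),
    ("postfix/smtpd[1234]: disconnect from mail.example.org[192.0.2.10]", "disconnect"),
    ("postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
     "554 5.7.1 Relay access denied", "reject"),
    ("postfix/smtpd[1302]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
     "450 4.1.1 User unknown", "reject"),
    ("postfix/qmgr[900]: 4F2A1: removed", None),
]

def classify(rules, line):
    """Return the name of the first rule whose RE matches, else None."""
    for name, pattern in rules:
        if re.search(pattern, line):
            return name
    return None

def audit(rules, samples):
    """Run the corpus through the rules and report regressions and bloat."""
    failures, winners, matchers = [], set(), set()
    for line, expected in samples:
        got = classify(rules, line)
        winners.add(got)
        matchers.update(n for n, p in rules if re.search(p, line))
        if got != expected:
            failures.append((line, expected, got))
    names = [n for n, _ in rules]
    return {
        "failures": failures,  # lines a modification now classifies differently
        "shadowed": [n for n in names if n in matchers and n not in winners],
        "dead": [n for n in names if n not in matchers],
    }

if __name__ == "__main__":
    print(audit(RULES, SAMPLES))
```

A rule listed as "dead" is only dead relative to the corpus: it may still be needed for a distro-patched or older version whose log lines are not among the samples.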
