[Logwatch-Devel] Proposal/Suggestion for filter REs

Mike Tremaine mgt at stellarcore.net
Sat Dec 17 09:02:56 MST 2005


On Fri, 2005-12-16 at 12:47 -0800, logwatch at mikecappella.com wrote:

> Still, I'm not sure its realistic to review all the versions of, for
> example, sendmail, with all their variants and patches to clean out a
> filter.  Looking at the latest version of sendmail or postfix source is one
> thing, but many distros patch the source during, for example, RPM build
> time.  Unless all those variants are examined, its only guess work.  And
> then there's past versions of the source - I've seen postfix messages change
> several times in recent versions; same with amavisd-new.
> 
> Perhaps there really is no better way than just allowing the REs to
> accumulate, and massage them as necessary.  While I was working on the
> postfix filter (and others previously), I was amazed at how rudimentary, and
> redundant, many of the REs were.
> 
> Maybe there's nothing to be done here.  It would be nice to have some known
> sample data and regression tests to verify any mods.
> 
> It was good to hear your thoughts.

I think you are really touching on the trickiest part of log analysis,
that is change.

We could certainly try to collect log samples and include a new CVS
directory that is not part of the distribution. In there we could keep
log sample per each service. But it would be a fair amount of work and
I'm not sure how successful we would be keeping it up to date.

What we seem to relay on now is community feedback. Many of the people
of this list have multiple OS's in service and can verify that something
is working across the board. But the sad honest truth is Logwatch
probably has a 75%+ RedHat [family] install base. If it works under
Redhat 7.3+, Fedora 1+, and RHEL 3+ then most people will be happy. The
Solaris, Debian, Gentoo, NetBSD, etc problems will hopfully get spotted
and corrected.

Does this make clean code? No. But it is generally working. Logwatch 7+
is in much better shape then Logwatch 4. So long as people are willing
to submit patches and every once and awhile roll up their sleeves and
dig into the nasty guts of a filter or logwatch.pl we should be able to
keep it in pretty good shape.

But as I always say if you have a better idea we are always willing to
hear it. 

-Mike



More information about the Logwatch-Devel mailing list