Using m4 to create regular expressions for egrep via logcheck.
From: Grant Taylor
Subject: Using m4 to create regular expressions for egrep via logcheck.
Date: Thu, 16 Feb 2023 23:06:18 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
Hi,
I did something with m4 today that I think was a LOT easier to do with
m4 than without. I figured I'd share it with the list.
--8<--
divert(`-1')
dnl Output is switched off here, so the define lines below do not leave
dnl blank lines in the result.
define(`DAEMONPID', `$1\[DIGITS\]:')
define(`DATE', `\w{3} [ :[:digit:]]{11}')
define(`DIGIT', `[[:digit:]]')
define(`DIGITS', `DIGIT+')
define(`HOST', `[._[:alnum:]-]+')
define(`HOSTIP', `HOST\[IP\]')
define(`IP', `[.:[:xdigit:]]+')
dnl The empty quotes after DIGITS stop m4 from taking the following ( as an
dnl argument list.
define(`VERB', `( $1=DIGITS`'(/DIGITS)?)?')
divert`'dnl
^DATE HOST DAEMONPID(`postfix(/smtps)?/smtpd') disconnect from HOSTIP`'VERB(`helo')VERB(`ehlo')VERB(`starttls')VERB(`auth')VERB(`mail')VERB(`rcpt')VERB(`data')VERB(`bdat')VERB(`rset')VERB(`noop')VERB(`quit')VERB(`unknown')VERB(`commands')$
-->8--
That produces the following regular expression.
--8<--
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/smtps)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[.:[:xdigit:]]+\]( helo=[[:digit:]]+(/[[:digit:]]+)?)?( ehlo=[[:digit:]]+(/[[:digit:]]+)?)?( starttls=[[:digit:]]+(/[[:digit:]]+)?)?( auth=[[:digit:]]+(/[[:digit:]]+)?)?( mail=[[:digit:]]+(/[[:digit:]]+)?)?( rcpt=[[:digit:]]+(/[[:digit:]]+)?)?( data=[[:digit:]]+(/[[:digit:]]+)?)?( bdat=[[:digit:]]+(/[[:digit:]]+)?)?( rset=[[:digit:]]+(/[[:digit:]]+)?)?( noop=[[:digit:]]+(/[[:digit:]]+)?)?( quit=[[:digit:]]+(/[[:digit:]]+)?)?( unknown=[[:digit:]]+(/[[:digit:]]+)?)?( commands=[[:digit:]]+(/[[:digit:]]+)?)?$
-->8--
Backstory: I'm working with logcheck which basically uses egrep regular
expressions to filter out log entries that are okay and email those that
aren't filtered out to an administrator.
There are 13 different parameters for verbs that can each take three
states: not used, used in the short form, or used in the long form. Plus
there's another optional component if TLS is used. The number of
permutations and organically growing the list as they are seen was
getting really annoying.
So, I spent the 10-15 minutes to create and file the rough edges off of
the m4 and I got a working regular expression without breaking my brain.
:-)
I figure that there are other people who might be interested in
processing Postfix log messages and seeing as there hadn't been anything
from the list in a few days, well here we go. :-)
--
Grant. . . .
unix || die
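The following is an added example and not part of Grant's message. It exercises the generated pattern the way logcheck applies an ignore rule (extended regular expressions, matching lines dropped, everything else reported, which is what `grep -E -v` does here) against four constructed Postfix log lines, and, when `m4` is installed, regenerates the pattern from the m4 source above and checks that it is identical to the one embedded in the script. The hostnames and addresses in the sample lines are documentation values, the fourth line carries a `vrfy=` counter that the `VERB` list in the m4 does not cover, and `\w` in the date field relies on GNU grep's extension to ERE.

```shell
#!/bin/sh
# Added example, not from the original post: run the generated logcheck
# ignore pattern over constructed Postfix log lines and, if m4 is present,
# regenerate the pattern from the m4 source and compare.
set -e

# The regular expression as produced by the m4 file in the post, on one line
# (logcheck reads one pattern per line of an ignore file).
POSTFIX_DISCONNECT_RE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/smtps)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[.:[:xdigit:]]+\]( helo=[[:digit:]]+(/[[:digit:]]+)?)?( ehlo=[[:digit:]]+(/[[:digit:]]+)?)?( starttls=[[:digit:]]+(/[[:digit:]]+)?)?( auth=[[:digit:]]+(/[[:digit:]]+)?)?( mail=[[:digit:]]+(/[[:digit:]]+)?)?( rcpt=[[:digit:]]+(/[[:digit:]]+)?)?( data=[[:digit:]]+(/[[:digit:]]+)?)?( bdat=[[:digit:]]+(/[[:digit:]]+)?)?( rset=[[:digit:]]+(/[[:digit:]]+)?)?( noop=[[:digit:]]+(/[[:digit:]]+)?)?( quit=[[:digit:]]+(/[[:digit:]]+)?)?( unknown=[[:digit:]]+(/[[:digit:]]+)?)?( commands=[[:digit:]]+(/[[:digit:]]+)?)?$'

# Constructed sample log lines (documentation hostnames and addresses).
# 1 and 2: ordinary disconnect records, IPv4 via smtpd and IPv6 via smtps.
# 3: a different smtpd message, which the rule must not swallow.
# 4: a disconnect record with a vrfy= counter, a verb the m4 VERB list
#    does not include, so the rule does not cover it and it gets reported.
SAMPLE_LOG='Feb 16 23:06:18 mail postfix/smtpd[12345]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Feb 16 23:06:19 mail postfix/smtps/smtpd[12346]: disconnect from mx.example.net[2001:db8::1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 16 23:06:20 mail postfix/smtpd[12347]: warning: hostname mx.example.org does not resolve to address 192.0.2.11
Feb 16 23:06:21 mail postfix/smtpd[12348]: disconnect from unknown[192.0.2.12] ehlo=1 vrfy=1 quit=1 commands=3'

# Lines logcheck would drop because they match the ignore rule.
ignored_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -e "$POSTFIX_DISCONNECT_RE" || true
}

# Lines logcheck would still mail to the administrator.
reported_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$POSTFIX_DISCONNECT_RE" || true
}

ignored_count()  { ignored_lines  | wc -l | tr -d ' '; }
reported_count() { reported_lines | wc -l | tr -d ' '; }

# Regenerate the pattern from the m4 source in the post and compare it with
# the embedded copy. Prints "same", "differs", or "skipped" when m4 is absent.
regenerate_with_m4() {
    command -v m4 >/dev/null 2>&1 || { echo skipped; return 0; }
    src=$(mktemp)
    cat >"$src" <<'EOF'
divert(`-1')
define(`DAEMONPID', `$1\[DIGITS\]:')
define(`DATE', `\w{3} [ :[:digit:]]{11}')
define(`DIGIT', `[[:digit:]]')
define(`DIGITS', `DIGIT+')
define(`HOST', `[._[:alnum:]-]+')
define(`HOSTIP', `HOST\[IP\]')
define(`IP', `[.:[:xdigit:]]+')
define(`VERB', `( $1=DIGITS`'(/DIGITS)?)?')
divert`'dnl
^DATE HOST DAEMONPID(`postfix(/smtps)?/smtpd') disconnect from HOSTIP`'VERB(`helo')VERB(`ehlo')VERB(`starttls')VERB(`auth')VERB(`mail')VERB(`rcpt')VERB(`data')VERB(`bdat')VERB(`rset')VERB(`noop')VERB(`quit')VERB(`unknown')VERB(`commands')$
EOF
    generated=$(m4 "$src")
    rm -f "$src"
    if [ "$generated" = "$POSTFIX_DISCONNECT_RE" ]; then echo same; else echo differs; fi
}

# Stand-alone run: summary, then the lines that would reach the administrator.
echo "ignored: $(ignored_count), reported: $(reported_count), m4 check: $(regenerate_with_m4)"
reported_lines
```

Two of the four constructed lines survive the filter: the warning, which is the intended behaviour, and the `vrfy=1` disconnect, which shows how a verb missing from the macro list surfaces in the report; covering it is one more `VERB(...)` in the m4 source rather than hand-editing the expanded expression, which is the point of generating the pattern. Note that the rule depends on the verbs appearing in the order the `VERB` calls are listed, which is the fixed order Postfix logs them in.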