Using m4 to create regular expressions for egrep via logcheck.

From: Grant Taylor
Subject: Using m4 to create regular expressions for egrep via logcheck.
Date: Thu, 16 Feb 2023 23:06:18 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0


I did something with m4 today that I think was a LOT easier to do with m4 than without. I figured I'd share it with the list.

   define(`DAEMONPID', `$1\[DIGITS\]:')
   define(`DATE', `\w{3} [ :[:digit:]]{11}')
   define(`DIGIT', `[[:digit:]]')
   define(`DIGITS', `DIGIT+')
   define(`HOST', `[._[:alnum:]-]+')
   define(`HOSTIP', `HOST\[IP\]')
   define(`IP', `[.:[:xdigit:]]+')
   define(`VERB', `( $1=DIGITS`'(/DIGITS)?)?')
^DATE HOST DAEMONPID(`postfix(/smtps)?/smtpd') disconnect from

That produces the following regular expression.

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/smtps)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[.:[:xdigit:]]+\]( helo=[[:digit:]]+(/[[:digit:]]+)?)?( ehlo=[[:digit:]]+(/[[:digit:]]+)?)?( starttls=[[:digit:]]+(/[[:digit:]]+)?)?( auth=[[:digit:]]+(/[[:digit:]]+)?)?( mail=[[:digit:]]+(/[[:digit:]]+)?)?( rcpt=[[:digit:]]+(/[[:digit:]]+)?)?( data=[[:digit:]]+(/[[:digit:]]+)?)?( bdat=[[:digit:]]+(/[[:digit:]]+)?)?( rset=[[:digit:]]+(/[[:digit:]]+)?)?( noop=[[:digit:]]+(/[[:digit:]]+)?)?( quit=[[:digit:]]+(/[[:digit:]]+)?)?( unknown=[[:digit:]]+(/[[:digit:]]+)?)?( commands=[[:digit:]]+(/[[:digit:]]+)?)?$

Backstory: I'm working with logcheck which basically uses egrep regular expressions to filter out log entries that are okay and email those that aren't filtered out to an administrator.

There are 13 different parameters for verbs that can each take three states: not used, used in the short form, or used in the long form. Plus there's another optional component if TLS is used. The number of permutations and organically growing the list as they are seen was getting really annoying.

So, I spent the 10-15 minutes to create and file the rough edges off of the m4 and I got a working regular expression without breaking my brain. :-)

I figure that there are other people who might be interested in processing Postfix log messages and seeing as there hadn't been anything from the list in a few days, well here we go. :-)

Grant. . . .
unix || die

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
