Hello,
On Sat, Nov 09, 2024 at 01:53:46PM +0000, Richard Lewis wrote:
> (as above, we wouldn't want to include any syslog-summary in the
> debian package but we should keep the support for such local scripts:
> i think it should still work if the script is correct)
Yes, I read the whole thread AND the merged bugs :)
> > HOWEVER, it broke with bullseye, I guess the log format changed,
>
> i didn't try, but 38 has some issues:
Actually, it works, my fault, with bullseye. With bookworm, it will
fail since the format changed (due to the systemd-journald integration
and rsyslog adapting it's output format).
Anyway, thank you for your suggestions:
> - it assumes a PID is logged on every line - this is not the case for,
> eg, lines from the kernel
Actually, I wrote this script for a very specific case, and that's right
it could be genericized. It really helps to limit the amount of
DNS logs I get on this special container. Added as a comment.
> - has a lot of backtracking because you include [ and ] in $1: it will
> first match to the end of the PID and then backtrack every character
> until the [
> -- i dont think you want [ and ] in $1 at all
The used regex is exactly the same as standard logcheck. $what (end of the
line) is used for deduping, but $last_line contains the full line. Aka:
deduping is done on part of the line, printing on the whole.
It could probably be optimized, but it's not trivial since the
amount of spaces is not fixed, apparently. Added as a comment.
> - it only matches lines from the journal, not rsyslog
Again, it works in my case: I don't get tossed lines in general
(except rare kernel logs).
> - (i dont know about perl but \ is not usually an escape character
> inside [...] groups: you usually put "]" first, "[" not first and "-"
> last in the group)
It is right that [ in a [] set does not need to be escaped, it does not hurt in
Perl to do it, though. However, ] in a set ] needs to be escaped:
# wrong (it breaks the regex completely in Perl)
if ($line =~ /^[a-z]]+$/) {
# right
if ($line =~ /^[a-z\]]+$/) {
Now, maybe I am just a bit picky and \- is strictly not necessary in this case
(it would be if it was [a-z] and I want a, z and -: [a\-z]. You could write
that [az-] but then if someone adds a c in the end [az-c] it breaks and
- gets back its interval meaning! Very prone to error in my opinion! I
prefer my habit of escaping systematically.
Backslashes definitely makes it safer in my opinion as you immediately see it
is the normal "-" character, not the interval.
Your favourite programming language has probably other constraints, and would
definitely be more error-prone if someone changes the order of characters
within the set, in my opinion.
> And at the end (line 62) you lose anything not matching line 38:
> better to set count=1 there and log as other lines
I don't loose, it gets tossed on STDERR, which is intentional,
so you see what is not matched. But your suggestion to put $count = 1
would also work.
STDERR gets to the e-mail logcheck sends.
It wouldn't be so easy to set $count=1, because the logic of what is
printed is inside the regex match if.
> Hope that's helpful
Yes, I have integrated your comments if someone wants to
generalize the script.
