Hi Jiri,

Jiri B wrote on Thu, Feb 07, 2019 at 07:36:09PM +0100:
> On Thu, Feb 7, 2019 at 5:09 PM Ingo Schwarze <[email protected]> wrote:
>> Jiri B wrote:

>>> I was playing a little bit with !progname in syslog.conf and it does
>>> not match pattern if there is "/",

>> Right, as was recently documented in syslog.conf(5):
>>
>>   If a received message matches the specified facility and is of the
>>   specified level (or a higher level), and the first word in the message
>>   after the date matches the program, the action specified in the action
>>   field will be taken.  In this context, ascii(7) letters, digits, hyphens
>>   ('-'), periods ('.'), and underscores ('_') can be contained in a word;
>>   other bytes end the word.
>>
>> The reason for being restrictive in what the word can contain is that
>> the word needs to be parsed from the message, and allowing too many
>> characters might cause the word to run away into the message text.
>> I don't think we want to allow slashes.

> Thank you for the clarification. I should have checked syslog.conf(5) from
> -current.
> 
> Two notes.  As a non-native English speaker, the part from the man page
> is not very clear, i.e. 'this context' means beginning of the word which
> should match program?

No.  "This context" means "the current paragraph, the previous sentence".
It looks like a very simple and common wording to me.

> Also 'other bytes' is not clear to me as a non-native
> English speaker.

I fail to see what could possibly be unclear about listing a number
of bytes, then talking about "other bytes" right afterwards.

> Ad pattern matching - wouldn't it just be possible to match everything
> in the message

No, that would be backward-incompatible in a very bad way.
Right now, you can say

  !spamd

and it will match messages from spamd(8).  With your proposed change,
almost everybody would have to change their syslog.conf(5) file to

  !spamd*

and even worse: that might then match messages from unintended
programs like "spamd-foo", and there isn't a way to indicate
"end of the word" (like \> in regular expressions) in glob(3)
patterns.

> so one would not need to use syslog-ng/rsyslog for some
> more precise filtering?

Looks like a theoretical problem to me.  Just make sure your
programs use sane names.

> httpd already uses patterns(7) which could, if used
> in syslogd, offer better pattern matching, couldn't it?

Also breaking backward compatibility in a bad way - but in a way
different from the way your other suggestion broke it.

Yours,
  Ingo
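
The word rule quoted from syslog.conf(5) above, sketched in C as an added example (not code from syslogd or from either poster). It assumes the input starts right after the date and that "matches" means whole-word equality; word_len and prog_matches are hypothetical names, and the sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bytes the quoted syslog.conf(5) text allows inside the program word. */
static int
is_word_byte(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_';
}

/* Length of the first word of msg; any other byte (or NUL) ends it. */
size_t
word_len(const char *msg)
{
	size_t n = 0;

	while (is_word_byte((unsigned char)msg[n]))
		n++;
	return n;
}

/* Assumption of this example: "matches" means whole-word equality. */
int
prog_matches(const char *prog, const char *msg)
{
	size_t n = word_len(msg);

	return n == strlen(prog) && memcmp(prog, msg, n) == 0;
}

int
main(void)
{
	/* Constructed sample messages, date already stripped. */
	const char *samples[] = {
		"spamd[4242]: 192.0.2.1: connected",
		"spamd-foo[17]: started",
		"my/prog[99]: hello",
		"/usr/local/bin/job: done",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("word=\"%.*s\" !spamd=%d  <- %s\n",
		    (int)word_len(samples[i]), samples[i],
		    prog_matches("spamd", samples[i]), samples[i]);
	return 0;
}
```

A name containing "/" is cut at the slash, so "my/prog" is seen as the word "my" and a path-style name yields an empty word. "spamd-foo" stays one word because the hyphen is a word byte, which is why !spamd does not select it.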
