
I'm using Logwatch on a machine running a firewall. Every day I get an email full of entries like the following:

From 123.123.123.10 - 28087 packets
   To 123.123.123.1 - 2 packets
      Service: http (tcp/80) (Firewall Allow) - 2 packets
   To 123.123.123.2 - 1 packet
      Service: http (tcp/80) (Firewall Allow) - 1 packet
   To 123.123.123.3 - 7 packets
      Service: https (tcp/443) (Firewall Allow) - 7 packets
From 123.123.123.11 - 28087 packets
   To 123.123.123.1 - 2 packets
      Service: http (tcp/80) (Firewall Allow) - 2 packets
   To 123.123.123.2 - 1 packet
      Service: http (tcp/80) (Firewall Allow) - 1 packet
   To 123.123.123.3 - 7 packets
      Service: https (tcp/443) (Firewall Allow) - 7 packets

I would like to put an entry in my ignore.conf file that skips all the information for a specific system or subnet. Since the ignore.conf entries are just Perl-style regular expressions, if I put

^    From 123\.123\.123\.10

in the file, the matching "From" line is deleted, but all the other lines remain. My question is, can I construct a single regex that will match not only the "From" line, but all the lines that follow it, until the next line beginning with "^ From" occurs? I know you can do this with sed, but I'm not sure if it's possible with just a regex in ignore.conf. Thanks in advance to all who respond.

Leslie

1 Answer

If dot also captures new line characters, then this regex pattern should suffice:

From\s+123\.123\.123\.10.+(?=\s+From)

Wiktor Stribiżew
  • In Perl-style regex, a dot matches everything except a newline. – Leslie Feb 26 '15 at 22:11
  • See http://docstore.mik.ua/orelly/perl/cookbook/ch06_07.htm, it says "/s lets . match newline (normally it doesn't)". See https://regex101.com/r/qY4yB1/1, PCRE (Perl compatible regular expressions) mode works with the input. – Wiktor Stribiżew Feb 26 '15 at 22:17
  • I stand corrected; my "Programming Perl" book is obviously out of date. Still, after several days with your suggested regex in my ignore.conf file, I am still seeing the lines that should have been deleted. If you will forgive an off-the-top-of-my-head guess, perhaps logwatch is not interpreting the regex to the current standard? Is it possible to write a regex that does not assume dot captures new line characters, so this could be tested? Again, thanks for your help. – Leslie Mar 02 '15 at 17:28
  • @Leslie, maybe you did not specify the singleline regex option? I guess there is no possibility to pass it as an explicit option, but inline switch should work. Try this: `(?s)From\s+123\.123\.123\.10.+(?=\s+From)`. Also, I guess the regex flavor you need is Python (acc. to this page: https://mathias-kettner.de/checkmk_logfiles.html) – Wiktor Stribiżew Mar 02 '15 at 21:28
  • I've been using the new regex you suggested for the last few days, and I'm still seeing the lines that should have been removed. Do you have any other ideas I can try? – Leslie Mar 11 '15 at 19:16
  • It seems Perl has nothing to do with Logwatch. http://www.softpanorama.info/Logs/Log_analysers/Logwatch/customarization.shtml: "ignore.conf: This file specifies regular expressions that, when matched by the output of logwatch, will suppress the matching line, regardless of which service is being executed". So, it operates on a single **line**. There is a workaround: you can use a macro inside your mail client to remove unnecessary data. I could help with VBA if you use MS Office. – Wiktor Stribiżew Mar 11 '15 at 21:41
  • There is another post saying that "it seems that Regex is NOT accepted in the ignore.conf file. Adding the line 'adjusting local clock by' by itself to the file then makes the script ignore those lines." https://bbs.archlinux.org/viewtopic.php?id=47534 – Wiktor Stribiżew Mar 11 '15 at 21:43
  • When I said that Logwatch used Perl-style regex expressions, I was going by the comments in this thread: [http://serverfault.com/questions/9904/using-ignore-conf-with-logwatch](http://serverfault.com/questions/9904/using-ignore-conf-with-logwatch). That's what I get for believing everything I read online. :( I'm running Logwatch on a RedHat Linux server, so VBA isn't an option, unfortunately. At any rate, I do appreciate all your help; thank you very much. – Leslie Mar 13 '15 at 14:19
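Added example (not part of the question, the answer or Logwatch itself) that reproduces the two behaviours the thread runs into and then does what the asker actually wanted. The sample report text is constructed in the shape of the question's output; the three functions are hypothetical helpers, not Logwatch code. `per_line_filter` tests a pattern against one line at a time, which is how the comments conclude ignore.conf is applied, so the answer's lookahead regex can never match (there is no following "From" on the same line) and a bare prefix such as `^From 123\.123\.123\.10` also drops `123.123.123.100`. `dotall_match_span` applies the same regex with `(?s)` to the whole text and shows that the greedy `.+` runs to the last "From", swallowing every block in between. `drop_host_blocks` is the practical workaround: a small state machine that removes a "From" line plus its indented continuation lines for any host or CIDR subnet, which you would run over the report (for example as a filter in front of the mail delivery step) rather than inside ignore.conf.

```python
import ipaddress
import re

# Constructed sample in the shape of the Logwatch firewall section shown in
# the question (three source hosts; not real traffic).
SAMPLE = """\
From 123.123.123.10 - 28087 packets
   To 123.123.123.1 - 2 packets
      Service: http (tcp/80) (Firewall Allow) - 2 packets
   To 123.123.123.3 - 7 packets
      Service: https (tcp/443) (Firewall Allow) - 7 packets
From 123.123.123.100 - 5 packets
   To 123.123.123.1 - 5 packets
      Service: http (tcp/80) (Firewall Allow) - 5 packets
From 123.123.123.11 - 28087 packets
   To 123.123.123.2 - 1 packet
      Service: http (tcp/80) (Firewall Allow) - 1 packet
"""

# The regex proposed in the answer, verbatim.
ANSWER_RE = r"From\s+123\.123\.123\.10.+(?=\s+From)"


def per_line_filter(text, pattern):
    """Emulate an ignore.conf entry as the comment thread describes it:
    every output line is tested on its own and only matching lines are
    suppressed. Returns the surviving lines."""
    rx = re.compile(pattern)
    return [ln for ln in text.splitlines() if not rx.search(ln)]


def dotall_match_span(text, pattern):
    """Apply the pattern to the whole text with (?s) so that '.' also
    matches newlines, and return the matched substring (or None). Used
    to show how far the greedy '.+' reaches before the lookahead holds."""
    m = re.search(pattern, text, re.DOTALL)
    return m.group(0) if m else None


def drop_host_blocks(text, cidrs):
    """Remove every 'From <ip>' line whose address falls inside one of the
    given hosts/CIDRs, together with the indented lines that follow it.
    A plain address such as '123.123.123.10' is treated as a /32, so it
    does not also match 123.123.123.100. Returns the surviving lines."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    out = []
    skipping = False
    for ln in text.splitlines():
        m = re.match(r"From\s+(\S+)\s", ln)
        if m:
            # A new block starts: decide whether to keep or drop it.
            try:
                ip = ipaddress.ip_address(m.group(1))
                skipping = any(ip in n for n in nets)
            except ValueError:
                skipping = False  # not an IP literal; keep the block
        elif not ln.startswith((" ", "\t")):
            # Any other non-indented line ends the current block.
            skipping = False
        if not skipping:
            out.append(ln)
    return out


if __name__ == "__main__":
    print("lines left after per-line filtering with the answer's regex:",
          len(per_line_filter(SAMPLE, ANSWER_RE)))
    print("text swallowed by (?s) version:\n" +
          dotall_match_span(SAMPLE, ANSWER_RE))
    print("\nreport with 123.123.123.8/30 removed:")
    print("\n".join(drop_host_blocks(SAMPLE, ["123.123.123.8/30"])))
```

Running it with the answer's pattern in per-line mode leaves all eleven lines untouched, which matches what the asker observed; the `(?s)` form matches from the first "From 123.123.123.10" through the end of the .100 block, so even if ignore.conf did see the whole report it would suppress more than intended. The block filter is the piece to keep: anchor on the unindented "From" line, carry the skip state through the indented lines, and match the address as a whole token rather than as a regex prefix.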