[Apparmor-dev] [PATCH] syslog regex fix for logprof
Steve Beattie
steve at nxnw.org
Thu Oct 18 00:28:36 MDT 2007
On Tue, Oct 16, 2007 at 08:16:15AM -0600, Dominic Reynolds wrote:
> This patch corrects a problem the tools were having parsing the Ubuntu Gutsy
> syslog message format.
> Index: trunk/utils/SubDomain.pm
> ===================================================================
> --- trunk.orig/utils/SubDomain.pm
> +++ trunk/utils/SubDomain.pm
> @@ -1771,7 +1771,7 @@ our $next_log_entry;
> our $logmark;
> our $seenmark;
> my $RE_LOG_v2_0_syslog = qr/SubDomain/;
> -my $RE_LOG_v2_1_syslog = qr/kernel:\s+audit\([\d\.\:]+\):\s+type=150[1-6]/;
> +my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?audit\([\d\.\:]+\):\s+type=150[1-6]/;
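Review bot: on the added `$RE_LOG_v2_1_syslog` line, the optional prefix `(\[[\d\.\s]+\]\s+)?` is looser than it needs to be: the class `[\d\.\s]+` accepts any mix of digits, dots and whitespace between the brackets, and the parentheses create a capture group that nothing on this line uses. Consider `(?:\[\s*\d+\.\d+\]\s+)?`, which still allows space-padded seconds but requires the digits.digits shape, and add a short comment saying the group matches the kernel's optional bracketed timestamp so the next reader knows why it is there.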
This looks fine to me, I think it should be applied.
Note that the dmesg timestamp (which is the added bits here) the kernel
generates is not a particularly well thought out format, in that the
seconds field (i.e. to the left of the period) is set to a minimum
field width of 5 with no leading zeros, so the following are all legit
timestamps:
[   12.123456]
[12345.123456]
[1234567.123456]
One thing that would be useful to add to SubDomain.pm would be a set
of unit tests that, for example, test whether some sample messages get
parsed correctly.
Thanks Dom.
--
Steve Beattie
<steve at nxnw.org>
http://NxNW.org/~steve/
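The kind of unit test suggested in the message above, as an added example (not part of the original message or of the AppArmor tools): a Test::More script that runs the old and new `$RE_LOG_v2_1_syslog` patterns from the patch over constructed syslog lines covering the three timestamp widths. The hostname, audit payload and the helper `kline` are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not part of SubDomain.pm. All log lines below are constructed.
use strict;
use warnings;
use Test::More;

# The two patterns exactly as they appear in the patch (before and after).
my $RE_OLD = qr/kernel:\s+audit\([\d\.\:]+\):\s+type=150[1-6]/;
my $RE_NEW = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?audit\([\d\.\:]+\):\s+type=150[1-6]/;

# Constructed syslog prefix and audit payload; only the text between them varies.
my $pre   = 'Oct 18 00:28:36 testhost kernel:';
my $audit = 'audit(1192688916.123:42): type=1503 operation="inode_permission"';

# Hypothetical helper: build a kernel syslog line with an optional printk timestamp.
sub kline {
    my ($stamp, $msg) = @_;
    return "$pre " . (length $stamp ? "$stamp " : '') . $msg;
}

# Each case: [description, log line, expect old to match, expect new to match]
my @cases = (
    ['no printk timestamp',    kline('', $audit),                 1, 1],
    ['seconds padded to 5',    kline('[   12.123456]', $audit),   0, 1],
    ['seconds exactly 5 wide', kline('[12345.123456]', $audit),   0, 1],
    ['seconds wider than 5',   kline('[1234567.123456]', $audit), 0, 1],
    ['type outside 1501-1506',
        kline('[   12.123456]', 'audit(1192688916.123:42): type=1400 x'), 0, 0],
    ['not a kernel line', 'Oct 18 00:28:36 testhost sshd[99]: ' . $audit, 0, 0],
    # The bracket class [\d\.\s]+ is loose: it does not require digits.digits.
    ['malformed timestamp',    kline('[ . . ]', $audit),          0, 1],
);

for my $c (@cases) {
    my ($desc, $line, $want_old, $want_new) = @$c;
    is(($line =~ $RE_OLD) ? 1 : 0, $want_old, "old regex: $desc");
    is(($line =~ $RE_NEW) ? 1 : 0, $want_new, "new regex: $desc");
}

done_testing();
```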