Just completed the update to 2.0.0p3 from 1.6.0p22 yesterday. It seems there is a bug in the pattern matching for Logwatch. Since implementation, all the rules I have added for preventing noisy logs from making it to my screen have functioned flawlessly. Now, however, it seems those rules have stopped processing and I’m seeing messages that haven’t appeared in over a year.
Apr 30 09:08:15 32768.5014 DFSR The DFS Replication service is stopping communication with partner —removed— for replication group Domain System Volume due to an error. The service will retry the connection periodically. Additional Information: Error: 9036 (Paused for backup or restore) Connection ID: 14B84E5D-3B6B-4F66-8552-9E35941B6F77 Replication Group ID: 95B7D05D-180D-41CE-8EC4-91A5273219BB
Used to match and be Ignored with no issues. Now, however, those logs are now appearing as WARN in CMK. If I click the Analyze Patterns button they still show as matching, but yet they continue to appear as WARN.
I can confirm that every character what is escaped with an “\” lead to a non working logwatch pattern matching.
In one of my systems I had some pattern with [ and ]. These where escaped with one \ but CMK saves this rule with two \
Original rule
It appears that for unknown reasons logwatch escapes all backslashes just before using the pattern.
Patching it like this seems to fix the problem (tested with 2.0.0p3 raw edition):
--- a/lib/python3/cmk/base/plugins/agent_based/utils/logwatch.py 2021-04-17 15:31:34.000000000 +0200
+++ b/lib/python3/cmk/base/plugins/agent_based/utils/logwatch.py 2021-04-30 22:34:04.123492955 +0200
@@ -98,7 +98,7 @@
# Reclassify state if a given regex pattern matches
# A match overrules the previous state->state reclassification
for level, pattern, _ in patterns.get("reclassify_patterns", []):
- reg = regex(escape_win_backslash(pattern), re.UNICODE)
+ reg = regex(pattern, re.UNICODE)
if reg.search(text):
# If the level is not fixed like 'C' or 'W' but a pair like (10, 20),
# then we count how many times this pattern has already matched and
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact @fayepal if you think this should be re-opened.