When updating to FreeBSD 13.1, I started getting these messages from sysutils/logcheck:
egrep: trailing backslash (\)
This post will document how I tracked down the problem. It is occurring on several hosts.
In this post:
- FreeBSD 13.1
- logcheck-1.3.24
Other similar issues
I suspect the issue arises because of the change from egrep 2.5.1 under FreeBSD 12.3 to egrep 2.6.0 under FreeBSD 13.1.
After the upgrade, I also encountered some egrep: empty (sub)expression messages as well. I referred to an old tweet of mine to fix that one. In short, it was errant files in the /usr/local/etc/logcheck/ignore.d.server directory.
My approach
I used this command (from the tweet) to track down the file in question:
$ echo bash -x /usr/local/sbin/logcheck | sudo su -fm logcheck
Searching through the output for the egrep: trailing backslash (\) error message, I found this:
+ for file in $(ls -1 "$clean/") + debug 'cleanchecked - dir - /tmp/logcheck.28Agnz/ignore/local-postgresql-debugging' + '[' 0 -eq 1 ']' + egrep --text -v -f /tmp/logcheck.28Agnz/ignore/local-postgresql-debugging /tmp/logcheck.28Agnz/checked + cat egrep: trailing backslash (\)
Looking at line 2, I searched for that file:
[slocum dan /usr/local/etc/logcheck] % sudo find . -name local-postgresql-debugging
./ignore.d.server/local-postgresql-debugging
[slocum dan /usr/local/etc/logcheck] % sudo wc -l ./ignore.d.server/local-postgresql-debugging
21 ./ignore.d.server/local-postgresql-debugging
That file contains 21 lines, so I will take a divide & conquer / binary search approach. I will copy that file to a temporary file, use logcheck-test and narrow down the possible candidates for the cause of the problem.
logcheck-test
First, I copy the file, then I run the test to verify I can reproduce the problem in question.
[slocum dan /usr/local/etc/logcheck] % sudo cp ./ignore.d.server/local-postgresql-debugging ~/tmp/ [slocum dan /usr/local/etc/logcheck] % cd ~/tmp [slocum dan ~/tmp] % logcheck-test -l /var/log/postgresql -r local-postgresql-debugging ERROR: '/var/log/postgresql' permission denied! [slocum dan ~/tmp] % sudo cp /var/log/postgresql . [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging egrep: trailing backslash (\) ================================================================================ parsed file: /var/log/postgresql used rule file: local-postgresql-debugging
Proof, I have the problem reproduced.
Let’s try only the first 10 rules:
[slocum dan ~/tmp] % head -10 local-postgresql-debugging > local-postgresql-debugging.head.10 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.head.10 egrep: trailing backslash (\) ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.head.10 [slocum dan ~/tmp] %
Next, I keep tracking down the problem:
[slocum dan ~/tmp] % head -5 local-postgresql-debugging > local-postgresql-debugging.head.5 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.head.5 egrep: trailing backslash (\) ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.head.5 [slocum dan ~/tmp] % head -2 local-postgresql-debugging > local-postgresql-debugging.head.2 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.head.2 ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.head.2 [slocum dan ~/tmp] %
There, now I know it’s in lines 3-5 of the file, because it was in the first 5 lines, but it’s not in the top two lines.
In this sequence, I narrow it down to line 4 of the file.
[slocum dan ~/tmp] % tail -3 local-postgresql-debugging.head.5 > local-postgresql-debugging.lines.3-5 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.lines.3-5 egrep: trailing backslash (\) ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.lines.3-5 [slocum dan ~/tmp] % tail -2 local-postgresql-debugging.lines.3-5 > local-postgresql-debugging.lines.4-5 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.lines.4-5 egrep: trailing backslash (\) ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.lines.4-5 [slocum dan ~/tmp] % tail -1 local-postgresql-debugging.lines.4-5 > local-postgresql-debugging.lines.5 [slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.lines.5 egrep: trailing backslash (\) ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging.lines.5 [slocum dan ~/tmp] %
I know it’s line 4 because the error was present with lines 4-5 but not present with just line 5.
The line in question
The line in question is the last one listed here:
[slocum dan ~/tmp] % head -4 local-postgresql-debugging
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] 'F'\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] values\(element_id, element_parent_id, element_directory_file_flag, element_name, 'A'\)"
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] PL/pgSQL function element_add\(text,character\) line \d+ at SQL statement
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] PL/pgSQL function getport\(text\) line \d+ at SQL statement
Let’s get that line 4 into a file by itself and save the original for later comparison. Then I test to verify I have the correct file.
NOTE: There may also be a problem with lines 10+ – but we can attack that later.
[slocum dan ~/tmp] % head -1 local-postgresql-debugging.lines.4-5 > local-postgresql-debugging.lines.4
[slocum dan ~/tmp] % cat local-postgresql-debugging.lines.4
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] PL/pgSQL function getport\(text\) line \d+ at SQL statement
[slocum dan ~/tmp] % cp local-postgresql-debugging.lines.4 local-postgresql-debugging.lines.4.testing
[slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.lines.4.testing
egrep: trailing backslash (\)
================================================================================
parsed file: postgresql
used rule file: local-postgresql-debugging.lines.4.testing
[slocum dan ~/tmp] %
I made a change and tested:
[slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging.lines.4.testing
================================================================================
parsed file: postgresql
used rule file: local-postgresql-debugging.lines.4.testing
[slocum dan ~/tmp] % diff -ruN local-postgresql-debugging.lines.4 local-postgresql-debugging.lines.4.testing
--- local-postgresql-debugging.lines.4 2022-08-02 13:04:12.774921000 +0000
+++ local-postgresql-debugging.lines.4.testing 2022-08-02 13:07:02.959112000 +0000
@@ -1 +1 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] PL/pgSQL function getport\(text\) line \d+ at SQL statement
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9]+\-[0-9]+\] PL/pgSQL function getport\(text\) line \\d+ at SQL statement
[slocum dan ~/tmp] %
Fixed. There’s the issue. An unescaped backslash. I went into the original file and changed add \d+ to \\d+ and retested.
[slocum dan ~/tmp] % logcheck-test -l postgresql -r local-postgresql-debugging ================================================================================ parsed file: postgresql used rule file: local-postgresql-debugging [slocum dan ~/tmp] %
Good. Now need to put my changes back into the original Ansible files. Then redeploy them.
I have other hosts upon which this is problem and it may cover other files as well.
