On 8 May 2014 08:10, Greg Earle <earle at isolar.dyndns.org> wrote:
My RE smack-fu must be sorely lacking in my old age, because this isn't working (in analysis.cfg):
HOST=macmini INODE %^*.Time.Machine.Backups IGNORE DISK %^*.Time.Machine.Backups 98 99 PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOP
Firstly, you probably want ".*" instead of "*.". The "*" means "zero or more of the last character", so ".*" means "zero or more of any character". That's basic RE that you need to know.
If you want to exactly match "/Volumes/Time Machine Backups" then you shouldn't need to use a regular expression at all, and just put the filesystem name in quotes (to allow spaces in the filesystem name):
DISK "/Volumes/Time Machine Backups" 98 99
Unfortunately, that doesn't work. The parser does the right thing, but the filesystem matching code matches against the part of the filesystem name up to the first space. (Interestingly, "xymond_client --test" matches correctly.) So this would match your "Time Machine Backups" volume:
DISK /Volumes/Time 98 99
But this would also match other filesystem names starting with "Time" when followed by a space, like "/Volumes/Time Magazine Photos". You probably don't want that. From what I can tell, a regular expression is the only way to match filesystem names containing spaces.
If you want to match any volume mounted in a folder called "Time Machine backups", and mounted anywhere on the filesystem, then you don't need to anchor to the start with "^". Instead, you really want to anchor it to the end. You want to match (for example) "/any/where/Time Machine Backups" but not "/some/place/Time Machine Backups Copy", nor "/other/place/Copy of Time Machine Backups".
So:
DISK "%/Time Machine Backups$" 98 99
So this matches if the end of the mount point has a slash then the string "Time Machine Backups". Because it's in quotes, the spaces will be included in the regular expression. This is what I'd do.
If you wanted to leave out the quotes for some reason, you could replace the spaces with dots:
DISK %/Time.Machine.Backups$ 98 99
but that would also match "/Volumes/TimerMachine-Backups", which isn't strictly correct for your use-case, but will probably always do what you want anyway.
A more correct way to match a whitespace character using "\s", like so:
DISK %/Time\sMachine\sBackups$ 98 99
Technically, this is also not correct because it matches tabs also. But you can use an escaped octal or hex character to specify a space:
DISK %/Time\040Machine\040Backups$ 98 99
This is almost certainly more than you wanted to know about the subject. But I hope that at least you'll understand why your attempt didn't work.
Cheers Jeremy