<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 8 May 2014 08:10, Greg Earle <span dir="ltr"><<a href="mailto:earle@isolar.dyndns.org" target="_blank">earle@isolar.dyndns.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div id=":1g0" class="" style="overflow:hidden">My RE smack-fu must be sorely lacking in my old age, because this isn't<br>
working (in analysis.cfg):<br>
<br>
HOST=macmini<br>
INODE %^*.Time.Machine.Backups IGNORE<br>
DISK %^*.Time.Machine.Backups 98 99<br>
PROC "/opt/tripwire/te/agent/jre/bin/java" IGNORE STOP</div></blockquote></div><div class="gmail_extra"><br></div>Firstly, you probably want ".*" instead of "*.". The "*" means "zero or more of the last character", so ".*" means "zero or more of any character". That's basic RE that you need to know.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">If you want to exactly match "/Volumes/Time Machine Backups" then you shouldn't need to use a regular expression at all, and just put the filesystem name in quotes (to allow spaces in the filesystem name):<br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra">DISK "/Volumes/Time Machine Backups" 98 99<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Unfortunately, that doesn't work. The parser does the right thing, but the filesystem matching code matches against the part of the filesystem name up to the first space. (Interestingly, "xymond_client --test" matches correctly.) So this would match your "Time Machine Backups" volume:</div>
<div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">DISK /Volumes/Time 98 99<br></div><div><br></div><div>But this would also match other filesystem names starting with "Time" when followed by a space, like "/Volumes/Time Magazine Photos". You probably don't want that. From what I can tell, a regular expression is the only way to match filesystem names containing spaces.</div>
<div><br></div></div><div class="gmail_extra">If you want to match any volume mounted in a folder called "Time Machine backups", and mounted anywhere on the filesystem, then you don't need to anchor to the start with "^". Instead, you really want to anchor it to the end. You want to match (for example) "/any/where/Time Machine Backups" but not "/some/place/Time Machine Backups Copy", nor "/other/place/Copy of Time Machine Backups".</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">So:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">DISK "%/Time Machine Backups$" 98 99<br></div><div><br></div>
<div>So this matches if the end of the mount point has a slash then the string "Time Machine Backups". Because it's in quotes, the spaces will be included in the regular expression. This is what I'd do.</div>
<div><br></div><div>If you wanted to leave out the quotes for some reason, you could replace the spaces with dots:</div><div><br></div><div>DISK %/Time.Machine.Backups$ 98 99</div><div><br></div><div>but that would also match "/Volumes/TimerMachine-Backups", which isn't strictly correct for your use-case, but will probably always do what you want anyway.</div>
<div><br></div><div>A more correct way to match a whitespace character using "\s", like so:</div><div><br></div><div>DISK %/Time\sMachine\sBackups$ 98 99<br></div><div><br></div><div>Technically, this is also not correct because it matches tabs also. But you can use an escaped octal or hex character to specify a space:</div>
<div><br></div><div><div>DISK %/Time\040Machine\040Backups$ 98 99<br></div></div><div><br></div><div>This is almost certainly more than you wanted to know about the subject. But I hope that at least you'll understand why your attempt didn't work.</div>
<div><br></div><div>Cheers</div><div>Jeremy</div><div><br></div></div></div>