Bug 68243

Summary: additional expressions in scripts/services/ftpd-messages
Product: [Retired] Red Hat Linux
Reporter: Jay Berkenbilt <ejb>
Component: logwatch
Assignee: Elliot Lee <sopwith>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 7.3
CC: ejb
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-07-08 15:07:47 UTC
Attachments: patch implementing suggested changes

Description Jay Berkenbilt 2002-07-08 15:06:53 UTC
Description of Problem:

There are many routinely recurring log entries for wu-ftpd that logwatch does
not pick up (wu-ftpd 2.6.2-5, logwatch-2.6-2).  These are probably all the
result of changes to error messages since logwatch's ftpd-messages was
originally put together.


Version-Release number of selected component (if applicable):

logwatch-2.6-2 and its reporting of messages from wu-ftpd-2.6.2-5

How Reproducible:

always

Steps to Reproduce:

Rather than giving steps to reproduce, I'll describe each type of log message
that I'm trying to catch and why I think my treatment of it is correct.  I've
attached a patch that implements all my changes.

 * In some places, the expression [\w\.]+ is used to match a hostname.  Since -
is a valid character in a hostname, the expression [\w\.-]+ would be more
appropriate.

 * Several expressions at the top where we check for things that are to be
ignored are anchored to the beginning of the string where they shouldn't be. 
For instance, "lost connection to" is sometimes preceded by a host or user as in

through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to
through.he-va.apexinc.com [65.166.131.3]

   Likewise with "timed out after .* seconds" and "FTP LOGIN FROM".

   I feel that it is safe to remove the beginning-of-line anchor from these
expressions.  This is especially true for expressions that result in things
being counted, but I think it's true as well for things being ignored.  It is
very unlikely that the string "timed out after .* seconds" will appear not
anchored to the beginning of the line and have different meaning.

 * The message "ACCESS DENIED (not in any class)" is always followed by a login
failed message.  The ACCESS DENIED message can be ignored.  If someone sees
something in the logwatch output about a failed login that they think should
have succeeded, they can check the actual logs for details.  This message
happens if you disable anonymous ftp by disallowing the ftp account in
/etc/ftpaccess or if any system accounts try to log in using RedHat's default
configuration.

 * The message "wu-ftpd - TLS settings: ..." under RedHat 7.3's default
configuration pops up for every incoming connection.  It can be filtered out. 
I'm not sure why it's there anyway.  It seems like a level of information that
is unsuitable when debugging is not turned on, but that's just my opinion.

After applying the attached patch to my ftpd-messages file, the logwatch output
for my ftp server is now useful.  Before, it was dominated by unmatched entries
to the point of being useless.  Thanks for your consideration.

I am also sending this to logwatch, though I don't know how much
of this is general and how much is RedHat-specific.  (I suspect most or all of
it is general.)
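The effect of the two regex changes described above (allowing `-` in the hostname class and dropping the beginning-of-line anchors), shown as an added example rather than the attached patch: the "before" and "after" patterns below are paraphrases of what logwatch's ftpd-messages is assumed to contain, run over sample wu-ftpd lines constructed for this example (the first is the one quoted in the report).

```python
import re

# Constructed sample wu-ftpd syslog payloads (prefix already stripped).
SAMPLE_LINES = [
    "through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to "
    "through.he-va.apexinc.com [65.166.131.3]",
    "FTP LOGIN FROM through.he-va.apexinc.com [65.166.131.3], tanya",
    "wu-ftpd - TLS settings: control allow, client_cert allow, data allow",
    "ACCESS DENIED (not in any class) to ftp.example.com [192.0.2.10]",
    "tanya: IDLE[28826]: timed out after 900 seconds",  # assumed format
]

# "Before" (assumed): ignore rules anchored with ^, hostname class lacks '-'.
OLD_IGNORE = [re.compile(p) for p in (
    r"^lost connection to",
    r"^timed out after .* seconds",
)]
OLD_LOGIN = re.compile(r"^FTP LOGIN FROM ([\w\.]+) \[")

# "After": anchors removed, '-' allowed in hostnames, two new ignore rules.
NEW_IGNORE = [re.compile(p) for p in (
    r"lost connection to",
    r"timed out after .* seconds",
    r"ACCESS DENIED \(not in any class\)",
    r"wu-ftpd - TLS settings:",
)]
NEW_LOGIN = re.compile(r"FTP LOGIN FROM ([\w\.-]+) \[")


def classify(lines, ignore_patterns, login_pattern):
    """Mimic the ftpd-messages flow: count logins per host, drop ignored
    lines, and collect everything else as 'unmatched' for the report."""
    logins, unmatched = {}, []
    for line in lines:
        m = login_pattern.search(line)
        if m:
            host = m.group(1)
            logins[host] = logins.get(host, 0) + 1
            continue
        if any(p.search(line) for p in ignore_patterns):
            continue
        unmatched.append(line)
    return logins, unmatched
```

With the old patterns every sample line lands in the unmatched section, including the login whose hostname contains a hyphen; with the new ones the login is counted and the rest are ignored.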

Comment 1 Jay Berkenbilt 2002-07-08 15:07:43 UTC
Created attachment 64229
patch implementing suggested changes

Comment 2 Elliot Lee 2002-07-11 19:16:53 UTC
Applied in 2.6-6