Bug 166775 - Logwatch is reporting normal samba conditions
Summary: Logwatch is reporting normal samba conditions
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact:
URL:
Whiteboard: RHEL4U3NAK
Depends On:
Blocks:
Reported: 2005-08-25 16:37 UTC by James Shanks
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-03 15:54:54 UTC
Target Upstream Version:
Embargoed:


Attachments
Samba machine log with attachment messages (45.99 KB, text/plain)
2005-08-29 18:21 UTC, James Shanks
Logwatch patch (637 bytes, patch)
2005-10-27 11:05 UTC, Steve Woodcock

Description James Shanks 2005-08-25 16:37:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
We are using samba as our primary domain controller with over 100 clients.  When each client connects to a share, the connection is logged in their /var/log/samba/log.{username} file.  Logwatch is reporting all of these connections.  For us, it amounts to hundreds of lines in the report each day, making it difficult to determine if "real" problems are reported.

I have modified the /etc/log.d/scripts/services/samba file on the server by inserting the following:

      ($ThisLine =~ /smbd\/service\.c:make_connection_snum\(642\)/) or

on line 70.

It seems to have fixed the problem.  I thought it might be nice if one of your programmers could have a look at it and put it into the official product.

Thanks

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Use samba server as domain controller on a large network
2.  Look at the logwatch report
3.
  

Actual Results:  Many smbd/service.:make_connection_snum(642) . . . messages appear.

Expected Results:  These messages are not errors, and should be ignored by logwatch.

Additional info:

Comment 1 Jay Fenlason 2005-08-26 14:53:06 UTC
Basing the regexp on the name of the source file and a line number within the 
source file seems extremely fragile to me.  As soon as I have to push an 
erratum that changes service.c the regexp will stop functioning.  You should 
base the regexp on the parts of the line that won't change. 
 

Comment 2 James Shanks 2005-08-26 21:54:54 UTC
Here is an example of lines that end up in the logwatch report.

[2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642)
  jshanks-pc (172.17.17.1) connect to service LECadmin initially as user jshanks
(uid=852, gid=513) (pid 17792)
[2005/08/26 08:04:13, 1] smbd/service.c:make_connection_snum(642)
  jshanks-pc (172.17.17.1) connect to service Archives initially as user jshanks
(uid=852, gid=513) (pid 17792)

Would it make more sense to just search for "make_connection_snum"?

Thanks

Comment 3 Ivana Varekova 2005-08-29 13:27:09 UTC
Hello,
could you please attach more samba logs containing
smbd/service.c:make_connection_snum or could you attach
/var/log/samba/log.{username} file which use logwatch in your example
smbd/service.:make_connection_snum(642) . . . messages ?
Thank you.
 

Comment 4 Jay Fenlason 2005-08-29 14:33:21 UTC
make_connection_snum produces a lot of log messages, many of which are 
important-to-critical, and need to be brought to the sysadmin's attention 
ASAP.  You need to filter on the contents of the message, not its context.
Use something like " connect to service .* initially as user " to ensure only 
the low-priority messages get filtered. 
 
You can also change the log level in the smb.conf file to have Samba not
generate these messages. 
 

Comment 5 James Shanks 2005-08-29 18:18:47 UTC
I'll attach the log for one user (myself).  And . . . Thanks Jay, I'm going to
change the filter to:

      ($ThisLine =~ /connect to service .* initially as user/ or

Looking through the file, it seems more consistent with the other filters.



Comment 6 James Shanks 2005-08-29 18:21:46 UTC
Created attachment 118221
Samba machine log with attachment messages

Comment 7 James Shanks 2005-08-29 18:40:34 UTC
Whoops, forgot an ending parenthesis.  The corrected line is as follows:

($ThisLine =~ /connect to service .* initially as user/) or

By the way, I don't want to change my samba error level to get rid of these
messages.  They should be logged.  They just shouldn't be reported by logwatch.
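
Added example (not part of the original thread and not logwatch's own code): the three ignore filters discussed in the description, comment 2 and comment 7, run over the same records to show what each one leaves in the report. The sample records are constructed; the joined header-plus-message layout, the (650) and (598) line numbers and the error record are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: compare the ignore filters proposed in this bug.
use strict;
use warnings;

# Constructed records. Assumption: each Samba header line and its message
# have been joined into one record before the filter sees them.
my @records = (
    # Connection notice as quoted in comment 2.
    q{[2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642)  jshanks-pc (172.17.17.1) connect to service LECadmin initially as user jshanks (uid=852, gid=513) (pid 17792)},
    # Same notice after a hypothetical erratum shifts the source line to 650.
    q{[2005/08/26 08:04:13, 1] smbd/service.c:make_connection_snum(650)  jshanks-pc (172.17.17.1) connect to service Archives initially as user jshanks (uid=852, gid=513) (pid 17792)},
    # Constructed level-0 error from the same function; it must stay visible.
    q{[2005/08/26 08:05:00, 0] smbd/service.c:make_connection_snum(598)  Can't become connected user!},
);

# Each entry: label, then the pattern a matching record is dropped by.
my @filters = (
    [ 'file and line (description)' => qr{smbd/service\.c:make_connection_snum\(642\)} ],
    [ 'function name (comment 2)'   => qr{make_connection_snum} ],
    [ 'message text (comment 7)'    => qr{connect to service .* initially as user} ],
);

# Return the records a filter does NOT ignore, i.e. what reaches the report.
sub still_reported {
    my ($re, @lines) = @_;
    return grep { $_ !~ $re } @lines;
}

for my $f (@filters) {
    my ($label, $re) = @$f;
    my @left = still_reported($re, @records);
    printf "%-28s reports %d of %d records\n",
        $label, scalar @left, scalar @records;
    # Print only the source location and message to keep the output short.
    for my $rec (@left) {
        my ($where, $msg) = $rec =~ /\]\s+(\S+)\s+(.*)$/;
        printf "    %s  %.45s\n", $where, $msg;
    }
}
```

The file-and-line filter lets the connection notice back into the report as soon as the line number moves, the function-name filter also drops the error, and only the message-text filter leaves exactly the error.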

Comment 8 Ivana Varekova 2005-09-01 10:07:23 UTC
Thank you for your notice, and thanks to Jay for his help.
I agree with your last solution; it should fix this problem.


Comment 13 Steve Woodcock 2005-10-27 11:05:40 UTC
Created attachment 120459
Logwatch patch

This is the correct fix IMHO

Comment 14 Steve Woodcock 2005-10-27 11:09:37 UTC
Sorry, to be clear: the samba script is _supposed_ to match these "connect to
service" lines, but does not print them unless detail level is >=5. The bug is
that the regex which is supposed to match is missing the "initially".



