Bug 166775 - Logwatch is reporting normal samba conditions
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
All Linux
medium Severity medium
Assigned To: Ivana Varekova
: FutureFeature
Reported: 2005-08-25 12:37 EDT by James Shanks
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Enhancement
Last Closed: 2006-03-03 10:54:54 EST

Attachments
Samba machine log with attachment messages (45.99 KB, text/plain), 2005-08-29 14:21 EDT, James Shanks
Logwatch patch (637 bytes, patch), 2005-10-27 07:05 EDT, Steve Woodcock

Description James Shanks 2005-08-25 12:37:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
We are using samba as our primary domain controller with over 100 clients.  When each client connects to a share, the connection is logged in their /var/log/samba/log.{username} file.  Logwatch is reporting all of these connections.  For us, it amounts to hundreds of lines in the report each day, making it difficult to determine if "real" problems are reported.

I have modified the /etc/log.d/scripts/services/samba file on the server by inserting the following:

      ($ThisLine =~ /smbd\/service\.c:make_connection_snum\(642\)/) or

on line 70.

It seems to have fixed the problem.  I thought it might be nice if one of your programmers could have a look at it and put it into the official product.


Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Use samba server as domain controller on a large network
2.  Look at the logwatch report

Actual Results:  Many smbd/service.:make_connection_snum(642) . . . messages appear.

Expected Results:  These messages are not errors, and should be ignored by logwatch.

Additional info:
Comment 1 Jay Fenlason 2005-08-26 10:53:06 EDT
Basing the regexp on the name of the source file and a line number within the 
source file seems extremely fragile to me.  As soon as I have to push an 
erratum that changes service.c the regexp will stop functioning.  You should 
base the regexp on the parts of the line that won't change. 
Comment 2 James Shanks 2005-08-26 17:54:54 EDT
Here is an example of lines that end up in the logwatch report.

[2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642)
  jshanks-pc ( connect to service LECadmin initially as user jshanks
(uid=852, gid=513) (pid 17792)
[2005/08/26 08:04:13, 1] smbd/service.c:make_connection_snum(642)
  jshanks-pc ( connect to service Archives initially as user jshanks
(uid=852, gid=513) (pid 17792)

Would it make more sense to just search for "make_connection_snum"?

Comment 3 Ivana Varekova 2005-08-29 09:27:09 EDT
Could you please attach more samba logs containing
smbd/service.c:make_connection_snum or could you attach
/var/log/samba/log.{username} file which use logwatch in your example
smbd/service.:make_connection_snum(642) . . . messages?
Thank you.
Comment 4 Jay Fenlason 2005-08-29 10:33:21 EDT
make_connection_snum produces a lot of log messages, many of which are 
important-to-critical, and need to be brought to the sysadmin's attention 
ASAP.  You need to filter on the contents of the message, not its context.  
Use something like " connect to service .* initially as user " to ensure only 
the low-priority messages get filtered. 
You can also change the log level in the smb.conf file to have Samba not 
generate these messages. 
Comment 5 James Shanks 2005-08-29 14:18:47 EDT
I'll attach the log for one user (myself).  And . . . Thanks Jay, I'm going to
change the filter to:

      ($ThisLine =~ /connect to service .* initially as user/ or

Looking through the file, it seems more consistent with the other filters.

Comment 6 James Shanks 2005-08-29 14:21:46 EDT
Created attachment 118221 [details]
Samba machine log with attachment messages
Comment 7 James Shanks 2005-08-29 14:40:34 EDT
Whoops, forgot an ending parenthesis.  The corrected line is as follows:

($ThisLine =~ /connect to service .* initially as user/) or

By the way, I don't want to change my samba error level to get rid of these
messages.  They should be logged.  They just shouldn't be reported by logwatch.
Comment 8 Ivana Varekova 2005-09-01 06:07:23 EDT
Thank you for your notice, and thanks to Jay for his help.
I agree with your last solution; it should fix this problem.
Comment 13 Steve Woodcock 2005-10-27 07:05:40 EDT
Created attachment 120459 [details]
Logwatch patch

This is the correct fix IMHO
Comment 14 Steve Woodcock 2005-10-27 07:09:37 EDT
Sorry, to be clear: the samba script is _supposed_ to match these "connect to
service" lines, but does not print them unless detail level is >=5. The bug is
that the regex which is supposed to match is missing the "initially".
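
Added example, not part of the bug thread and not logwatch's own code: a stand-alone Perl script that runs the three filters proposed in the comments over constructed log records, and counts matched connect lines so they are only reported at detail level 5 or higher, as comment 14 describes. The `records` and `report` helpers, the line number 650, the host, user and the error message in the sample are assumptions of this example.

```perl
use strict; use warnings;

# Constructed records in the layout shown in comment 2 (header line, then
# message). Line number 650 stands in for a rebuilt service.c.
my @log = (
    '[2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642)',
    '  client-pc (192.0.2.10) connect to service Archives initially as user alice (uid=1001, gid=513) (pid 17792)',
    '[2005/08/27 09:10:00, 1] smbd/service.c:make_connection_snum(650)',
    '  client-pc (192.0.2.10) connect to service Archives initially as user alice (uid=1001, gid=513) (pid 18001)',
    '[2005/08/27 09:11:30, 0] smbd/service.c:make_connection_snum(650)',
    "  Can't become connected user!",
);

my %filter = (
    location => qr/smbd\/service\.c:make_connection_snum\(642\)/,     # original report
    function => qr/make_connection_snum/,                              # comment 2
    content  => qr/connect to service (\S+) initially as user (\S+)/,  # comments 4 to 7
);

# Assumption of this example: pair each header with its indented message.
sub records {
    my @recs;
    for my $line (@_) {
        if ($line =~ /^\[/) { push @recs, $line; next }
        (my $msg = $line) =~ s/^\s+/ /;
        $recs[-1] .= $msg if @recs;
    }
    return @recs;
}

# Return the report lines one filter produces at a given detail level.
sub report {
    my ($name, $detail, @lines) = @_;
    my (%connects, @out);
    for my $ThisLine (records(@lines)) {
        if ($ThisLine =~ $filter{$name}) {
            # Count instead of discarding, so the data survives for detail >= 5.
            $connects{"$1 as $2"}++ if $name eq 'content';
            next;
        }
        push @out, "UNMATCHED: $ThisLine";
    }
    push @out, map { "connect: $_ ($connects{$_} time(s))" } sort keys %connects if $detail >= 5;
    return @out;
}

for my $run (['location', 0], ['function', 0], ['content', 0], ['content', 5]) {
    my ($name, $detail) = @$run;
    print "== $name filter, detail $detail ==\n", map { "  $_\n" } report($name, $detail, @log);
}
```

On this sample the location filter lets the second connect through once the line number moves, and the function-name filter also swallows the level-0 error. The content filter leaves only the error unmatched and lists the connect count at detail 5.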
