From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
We are using samba as our primary domain controller with over 100 clients. When each client connects to a share, the connection is logged in their /var/log/samba/log.{username} file. Logwatch is reporting all of these connections. For us, it amounts to hundreds of lines in the report each day, making it difficult to determine if "real" problems are reported.

I have modified the /etc/log.d/scripts/services/samba file on the server by inserting the following:

    ($ThisLine =~ /smbd\/service\.c:make_connection_snum\(642\)/) or

on line 70. It seems to have fixed the problem. I thought it might be nice if one of your programmers could have a look at it and put it into the official product. Thanks

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1. Use samba server as domain controller on a large network
2. Look at the logwatch report
3.

Actual Results:
Many smbd/service.:make_connection_snum(642) . . . messages appear.

Expected Results:
These messages are not errors, and should be ignored by logwatch.

Additional info:
Basing the regexp on the name of the source file and a line number within the source file seems extremely fragile to me. As soon as I have to push an erratum that changes service.c the regexp will stop functioning. You should base the regexp on the parts of the line that won't change.
Here is an example of lines that end up in the logwatch report.

    [2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642) jshanks-pc (172.17.17.1) connect to service LECadmin initially as user jshanks (uid=852, gid=513) (pid 17792)
    [2005/08/26 08:04:13, 1] smbd/service.c:make_connection_snum(642) jshanks-pc (172.17.17.1) connect to service Archives initially as user jshanks (uid=852, gid=513) (pid 17792)

Would it make more sense to just search for "make_connection_snum"? Thanks
Hello, could you please attach more samba logs containing smbd/service.c:make_connection_snum, or could you attach the /var/log/samba/log.{username} file that logwatch uses in your example of smbd/service.:make_connection_snum(642) . . . messages? Thank you.
make_connection_snum produces a lot of log messages, many of which are important-to-critical, and need to be brought to the sysadmin's attention ASAP. You need to filter on the contents of the message, not its context. Use something like " connect to service .* initially as user " to ensure only the low-priority messages get filtered. You can also change the log level in the smb.conf file to have Samba not generate these messages.
I'll attach the log for one user (myself). And . . . Thanks Jay, I'm going to change the filter to:

    ($ThisLine =~ /connect to service .* initially as user/ or

Looking through the file, it seems more consistent with the other filters.
Created attachment 118221
Samba machine log with attachment messages
Whoops, forgot an ending parenthesis. The corrected line is as follows:

    ($ThisLine =~ /connect to service .* initially as user/) or

By the way, I don't want to change my samba error level to get rid of these messages. They should be logged. They just shouldn't be reported by logwatch.
Thank you for your notice, and thanks to Jay for his help. I agree with your last solution; it should fix this problem.
Created attachment 120459
Logwatch patch

This is the correct fix IMHO
Sorry, to be clear: the samba script is _supposed_ to match these "connect to service" lines, but does not print them unless detail level is >=5. The bug is that the regex which is supposed to match is missing the "initially".
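
The three candidate filters proposed in this thread, compared side by side (an added example, not the logwatch samba script or the attached patch). The first sample line is taken from the report above; the other two are constructed, with hypothetical line numbers 655 and 570, to show a changed source line and a different message from the same function.

```perl
#!/usr/bin/perl
# Added example: which log lines each proposed "ignore" pattern would suppress.
use strict;
use warnings;

# Candidate patterns, as written in the comments above.
my @filters = (
    [ 'file+line' => qr/smbd\/service\.c:make_connection_snum\(642\)/ ],
    [ 'function'  => qr/make_connection_snum/ ],
    [ 'content'   => qr/connect to service .* initially as user/ ],
);

# Sample input, one log entry per string (as the entries appear in this thread).
my @lines = (
    # From the report in this thread.
    '[2005/08/26 08:04:12, 1] smbd/service.c:make_connection_snum(642) '
      . 'jshanks-pc (172.17.17.1) connect to service LECadmin initially as '
      . 'user jshanks (uid=852, gid=513) (pid 17792)',
    # Constructed: same message after an update shifts it to line 655.
    '[2005/08/27 08:04:12, 1] smbd/service.c:make_connection_snum(655) '
      . 'jshanks-pc (172.17.17.1) connect to service LECadmin initially as '
      . 'user jshanks (uid=852, gid=513) (pid 17801)',
    # Constructed: a failure logged by the same function (text is made up).
    '[2005/08/27 08:05:40, 0] smbd/service.c:make_connection_snum(570) '
      . 'constructed example: share setup failed for service LECadmin',
);

# Desired outcome: routine connects are ignored, the failure is reported.
my @want = ('ignored', 'ignored', 'reported');

# Return 'ignored' if the pattern matches the line, else 'reported'.
sub classify {
    my ($re, $line) = @_;
    return $line =~ $re ? 'ignored' : 'reported';
}

for my $f (@filters) {
    my ($name, $re) = @$f;
    my @got = map { classify($re, $_) } @lines;
    my $verdict = "@got" eq "@want" ? 'matches intent' : 'does NOT match intent';
    printf "%-10s %-28s %s\n", $name, join(',', @got), $verdict;
}
```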