Bug 56283 - wu-ftpd and syslog - after logging in after one invalid login - all ftp actions are not captured to syslog correctly
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd
Version: 7.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Reported: 2001-11-14 23:14 UTC by wyan lowe
Modified: 2007-04-18 16:38 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-02-19 13:34:10 UTC

Attachments
Patch to fix syslog problems (688 bytes, patch)
2002-05-15 14:57 UTC, John Dalbec
Patch against wu-ftpd-2.6.2-11.73.1 (1.50 KB, patch)
2003-08-27 20:35 UTC, John Dalbec

Description wyan lowe 2001-11-14 23:14:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Win95; U)

Description of problem:
/etc/ftpaccess has:
log transfers anonymous,real inbound,outbound
log commands anonymous,guest,real
log security anonymous,guest,real
log syslog

/etc/syslog.conf has:
ftp.*   /var/log/ftpd.log

thus, all ftp activities are logged to both /var/log/messages & /var/log/ftpd.log

The problem/bug:
if you ftp to the box, and fail to login correctly the 1st time, it is logged in both /var/log/messages & /var/log/ftpd.log
if you type "user username" from the ftp command line prompt and login correctly, /var/log/ftpd.log does not capture this...
/var/log/messages does capture this, but the formatting is all whacked out...instead of 1 line, it's 1 long line with extra whitespace - the fields don't match either....furthermore, subsequent ftp commands are not logged to /var/log/ftpd.log...
but are logged (in bad format) to /var/log/messages...
but the whole point is to separate ftp messages from the messages file into its own ftpd.log file

why doesn't syslog capture it into /var/log/ftpd.log correctly?


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. setup /etc/ftpaccess & /etc/syslog to be like mine above
2. in 2 windows: tail -f /var/log/messages, tail -f /var/log/ftpd.log
3. in another window, start ftp manually
         - ftp localhost
         - type in valid username
         - type-in-wrong-password
         - get the ftp> prompt
         - type in "user username"
         - type in correct password
         - look at the window with "tail -f /var/log/ftpd.log" - there's no further updates there...
         - look at the window with "tail -f /var/log/messages" - there's updates there - but badly formatted....
         - in ftp window, type "dir" or "ls" or whatever, and notice that only 1 window is updated with syslog data....

	

Expected Results:  /var/log/ftpd.log should have captured the subsequent ftp login & ftp commands...

why does /var/log/messages capture it, but not ftpd.log?
again: ftpd.log is the logfile specified in /etc/syslog.conf where the added entry is "ftp.*   /var/log/ftpd.log"

Additional info:

is this a problem with syslogd?
is this a problem with wu-ftpd?
is this a problem with me?

Comment 1 wyan lowe 2001-11-15 15:33:23 UTC
I ran syslogd manually
then did "kill -10 PID" and got it into debug mode

I think what I noticed is that the "logmsg:" field changes from "ftp.info<94>" to "auth.notice<37>" to "auth.info<38>" and stays that way, even though I relogin correctly and proceed to type in ftp commands...

below is extract from debug output of syslogd

...
logmsg: ftp.info<94>, flags 2, from hostname, msg Nov 14 17:24:45 ftpd[4080]: PASS password
called fprintlog, logging to FILE /var/log/messages
called fprintlog, logging to FILE /var/log/ftpd.log
...
logmsg: auth.notice<37>, flags 2, from hostname, msg Nov 14 17:24:46 PAM_unix[4080]: authentication failure; (uid=0) -> wlowe for system-auth service
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:50 ftpd: localhost: connected: USER wlowe ... [4080]: USER wlowe
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:52 ftpd: localhost: connected: IDLE ... [4080]: PASS password
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:52 ftpd: localhost: wlowe ... [4080]: FTP LOGIN FROM localhost [127.0.0.1], wlowe
called fprintlog, logging to FILE /var/log/messages
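
The PRI numbers in the debug output above encode facility * 8 + severity, and the "ftp.*" selector in /etc/syslog.conf matches only the ftp facility. The Python below is an added example, not part of the bug report, wu-ftpd or syslogd: it decodes those values and lists the ftpd messages that a PID logged outside the ftp facility after it had started inside it. The sample lines are constructed from the extract in comment 1, and the names decode_pri and facility_drift are hypothetical.

```python
import re

# Facility and severity names by numeric code; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info",
              "debug"]

# Constructed sample, modelled on the syslogd debug extract in comment 1.
SAMPLE = """\
logmsg: ftp.info<94>, flags 2, from hostname, msg Nov 14 17:24:45 ftpd[4080]: PASS password
logmsg: auth.notice<37>, flags 2, from hostname, msg Nov 14 17:24:46 PAM_unix[4080]: authentication failure; (uid=0) -> wlowe for system-auth service
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:50 ftpd: localhost: connected: USER wlowe ... [4080]: USER wlowe
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:52 ftpd: localhost: wlowe ... [4080]: FTP LOGIN FROM localhost [127.0.0.1], wlowe
"""

# "logmsg: <name><PRI>, ..., msg <timestamp> <tag>[<pid>]: <text>"
LOGMSG = re.compile(r"^logmsg: \S+<(\d+)>,.*?, msg "
                    r"\w{3} [ \d]\d [\d:]{8} (.*?)\[(\d+)\]: (.*)$")


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) names."""
    fac, sev = divmod(pri, 8)
    name = FACILITIES[fac] if fac < len(FACILITIES) else f"facility{fac}"
    return name, SEVERITIES[sev]


def facility_drift(debug_text, program="ftpd", expected="ftp"):
    """List (pid, 'facility.severity', text) for messages tagged `program`
    that left the `expected` facility after the same PID had used it."""
    used_expected, drifted = set(), []
    for line in debug_text.splitlines():
        m = LOGMSG.match(line)
        if not m or not m.group(2).startswith(program):
            continue  # not a logmsg line, or logged by something else (PAM)
        fac, sev = decode_pri(int(m.group(1)))
        pid = int(m.group(3))
        if fac == expected:
            used_expected.add(pid)
        elif pid in used_expected:
            drifted.append((pid, f"{fac}.{sev}", m.group(4)))
    return drifted


if __name__ == "__main__":
    for pid, prio, text in facility_drift(SAMPLE):
        print(f"ftpd[{pid}] logged under {prio}, missed by 'ftp.*': {text}")
```

Each entry returned is a message that a "ftp.*" rule will not route to /var/log/ftpd.log, which is the gap described in this report.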



Comment 2 John Dalbec 2002-05-14 18:27:51 UTC
Any progress on this?

Comment 3 John Dalbec 2002-05-15 14:55:56 UTC
I'm attaching a patch.  It WORKSFORME, YMMV, etc., #include<stddisclaimer.h>.

Comment 4 John Dalbec 2002-05-15 14:57:30 UTC
Created attachment 57424
Patch to fix syslog problems

Comment 5 John Dalbec 2003-08-27 20:35:57 UTC
Created attachment 93995
Patch against wu-ftpd-2.6.2-11.73.1

Comment 6 Thomas Woerner 2004-02-19 13:34:10 UTC
Please use vsftpd, wu-ftpd is not maintained anymore.

