Bug 56283 - wu-ftpd and syslog - after logging in after one invalid login - all ftp actions are not captured to syslog correctly
wu-ftpd and syslog - after logging in after one invalid login - all ftp actio...
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd (Show other bugs)
7.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-11-14 18:14 EST by wyan lowe
Modified: 2007-04-18 12:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-02-19 08:34:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to fix syslog problems (688 bytes, patch)
2002-05-15 10:57 EDT, John Dalbec
no flags Details | Diff
Patch against wu-ftpd-2.6.2-11.73.1 (1.50 KB, patch)
2003-08-27 16:35 EDT, John Dalbec
no flags Details | Diff

  None (edit)
Description wyan lowe 2001-11-14 18:14:05 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Win95; U)

Description of problem:
/etc/ftpaccess has:
log transfers anonymous,real inbound,outbound
log commands anonymous,guest,real
log security anonymous,guest,real
log syslog

/etc/syslog.conf has:
ftp.*   /var/log/ftpd.log

thus, all ftp activities are logged to both /var/log/messages & /var/log/ftpd.log

The problem/bug:
if you ftp to the box, and fail to login correctly the 1st time, it is logged in both /var/log/messages & /var/log/ftpd.log
if you type "user username" from the ftp command line prompt and login correctly, /var/log/ftpd.log does not capture this...
/var/log/messages does capture this, but the formatting is all whacked out...instead of 1 line, it's 1 long line with extra whitespace - the 
fields don't match either....furthermore, subsequent ftp commands are not logged to /var/log/ftpd.log...
but are logged (in bad format) to /var/log/messages...
but the whole point is to separate ftp messages from the messages file into its own ftpd.log file

why doesn't syslog capture it into /var/log/ftpd.log correctly?


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. setup /etc/ftpaccess & /etc/syslog to be like mine above
2. in 2 windows: tail -f /var/log/messages, tail -f /var/log/ftpd.log
3. in another window, start ftp manually
         - ftp localhost
         - type in valid username
         - type-in-wrong-password
         - get the ftp> prompt
         - type in "user username"
         - type in correct password
         - look at the window with "tail -f /var/log/ftpd.log" - there's no further updates there...
         - look at the window with "tail -f /var/log/messages" - there's updates there - but badly formatted....
         - in ftp window, type "dir" or "ls" or whatever, and notice that only 1 window is updated with syslog data....

	

Expected Results:  /var/log/ftpd.log should have captured the subsequent ftp login & ftp commands...

why does /var/log/messages capture it, but not ftpd.log?
again: ftpd.log is the logfile specified in /etc/syslog.conf where the added entry is "ftp.*   /var/log/ftpd.log"

Additional info:

is this a problem with syslogd?
is this a problem with wu-ftpd?
is this a problem with me?
Comment 1 wyan lowe 2001-11-15 10:33:23 EST
I ran syslogd manually
then did "kill -10 PID" and got it into debug mode

I think what I noticed is that the "logmsg:" field changes from "ftp.info<94>" to "auth.notice<37>" to "auth.info<38>" and stays that way, even though I 
relogin correctly and proceed to type in ftp commands...

below is extract from debug output of syslogd

...
logmsg: ftp.info<94>, flags 2, from hostname, msg Nov 14 17:24:45 ftpd[4080]: PASS password
called fprintlog, logging to FILE /var/log/messages
called fprintlog, logging to FILE /var/log/ftpd.log
...
logmsg: auth.notice<37>, flags 2, from hostname, msg Nov 14 17:24:46 PAM_unix[4080]: authentication failure; (uid=0) -> wlowe for system-auth 
service
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:50 ftpd: localhost: connected: USER wlowe ... [4080]: USER wlowe
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:52 ftpd: localhost: connected: IDLE ... [4080]: PASS password
called fprintlog, logging to FILE /var/log/messages
...
logmsg: auth.info<38>, flags 2, from hostname, msg Nov 14 17:24:52 ftpd: localhost: wlowe ... [4080]: FTP LOGIN FROM localhost [127.0.0.1], 
wlowe
called fprintlog, logging to FILE /var/log/messages

Comment 2 John Dalbec 2002-05-14 14:27:51 EDT
Any progress on this?
Comment 3 John Dalbec 2002-05-15 10:55:56 EDT
I'm attaching a patch.  It WORKSFORME, YMMV, etc., #include<stddisclaimer.h>.
Comment 4 John Dalbec 2002-05-15 10:57:30 EDT
Created attachment 57424 [details]
Patch to fix syslog problems
Comment 5 John Dalbec 2003-08-27 16:35:57 EDT
Created attachment 93995 [details]
Patch against wu-ftpd-2.6.2-11.73.1
Comment 6 Thomas Woerner 2004-02-19 08:34:10 EST
Please use vsftpd, wu-ftpd is not maintained anymore.

Note You need to log in before you can comment on or make changes to this bug.