Bug 65856 - secure log filter misses sgi_fam connections
Summary: secure log filter misses sgi_fam connections
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2002-06-03 01:57 UTC by Ben Liblit
Modified: 2008-05-01 15:38 UTC (History)
0 users

Clone Of:
Last Closed: 2002-06-03 01:57:09 UTC

Attachments (Terms of Use)

Description Ben Liblit 2002-06-03 01:57:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.3 (X11; Linux i686; U;) Gecko/20020523

Description of problem:
The /etc/log.d/scripts/services/secure script fails to match messages reporting
connections to the sgi_fam service.  These appear in the "**Unmatched Entries**"
bucket rather than in the "Connections:" list where they belong.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Connect to sgi_fam one or more times.  For example, launch KDE or a version
of Nautilus built with FAM support.
2. Generate a logwatch report.

Actual Results:  In the "Connections (secure-log)" section of the report, lines
like the following appear in the "**Unmatched Entries**" area:

    xinetd[798]: START: sgi_fam pid=1113 from=<no address>

Expected Results:  Those connectios should have been tallied and reported in the
"Connections:" area instead.

Additional info:

The bug appears on line 108 of /etc/log.d/scripts/services/secure, which uses
the following regular expression:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=([^ \n]+)$/

Observe that the "from" address cannot contain any spaces.  However, connections
to sgi_fam do not report a proper address, so the actual lines look like this:

    xinetd[798]: START: sgi_fam pid=1113 from=<no address>

Note that "<no address>" contains a space.  Therefore, the regular expression
fails to match.

I recommend changing that pattern to something like:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(<no address>|[^ \n]+)$/

Or even simply:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(.+)$/

Comment 1 Elliot Lee 2002-06-27 11:03:53 UTC
Fixed & lightly tested (and also fixed matching to find xinetd-ipv6 lines, yay for me :)

Note You need to log in before you can comment on or make changes to this bug.