Bug 65856 - secure log filter misses sgi_fam connections
Product: Red Hat Linux
Classification: Retired
Component: logwatch (Show other bugs)
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Elliot Lee
Reported: 2002-06-02 21:57 EDT by Ben Liblit
Modified: 2008-05-01 11:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-06-02 21:57:09 EDT

Description Ben Liblit 2002-06-02 21:57:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.3 (X11; Linux i686; U;) Gecko/20020523

Description of problem:
The /etc/log.d/scripts/services/secure script fails to match messages reporting
connections to the sgi_fam service.  These appear in the "**Unmatched Entries**"
bucket rather than in the "Connections:" list where they belong.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Connect to sgi_fam one or more times.  For example, launch KDE or a version
of Nautilus built with FAM support.
2. Generate a logwatch report.

Actual Results:  In the "Connections (secure-log)" section of the report, lines
like the following appear in the "**Unmatched Entries**" area:

    xinetd[798]: START: sgi_fam pid=1113 from=<no address>

Expected Results:  Those connections should have been tallied and reported in the
"Connections:" area instead.

Additional info:

The bug appears on line 108 of /etc/log.d/scripts/services/secure, which uses
the following regular expression:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=([^ \n]+)$/

Observe that the "from" address cannot contain any spaces.  However, connections
to sgi_fam do not report a proper address, so the actual lines look like this:

    xinetd[798]: START: sgi_fam pid=1113 from=<no address>

Note that "<no address>" contains a space.  Therefore, the regular expression
fails to match.

I recommend changing that pattern to something like:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(<no address>|[^ \n]+)$/

Or even simply:

    /^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(.+)$/
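As an added illustration, not part of the bug report and not logwatch's own code, the three patterns quoted above are run side by side in Python (the logwatch service scripts themselves are Perl) over a handful of constructed xinetd START lines. The sample lines, the `tally_connections` and `accepted_by` helpers and the pattern names are all assumptions made for this example; the first sample line is the one quoted in the report. Beyond the report itself, the last check shows that the broader `(.+)` variant also accepts trailing text after the address, which the `<no address>` alternative rejects.

```python
import re

# Pattern from line 108 of the logwatch 'secure' script, as quoted in the report.
ORIGINAL_RE = re.compile(
    r'^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=([^ \n]+)$')

# Narrower fix proposed in the report: accept the literal "<no address>".
NARROW_FIX_RE = re.compile(
    r'^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(<no address>|[^ \n]+)$')

# Broader fix proposed in the report: accept anything after "from=".
BROAD_FIX_RE = re.compile(
    r'^xinetd\[\d+\]: START: ([^ ]+) pid=\d+ from=(.+)$')

PATTERNS = {
    "original": ORIGINAL_RE,
    "narrow": NARROW_FIX_RE,
    "broad": BROAD_FIX_RE,
}

# Constructed sample entries (the syslog timestamp/host prefix is assumed to
# have been stripped already, as in the line quoted in the report).
SAMPLE_LINES = [
    "xinetd[798]: START: sgi_fam pid=1113 from=<no address>",  # from the report
    "xinetd[798]: START: sshd pid=1120 from=192.0.2.10",       # constructed
    "xinetd[798]: START: telnet pid=1131 from=198.51.100.7",   # constructed
    "xinetd[798]: START: sgi_fam pid=1142 from=<no address>",  # constructed
]


def tally_connections(lines, pattern):
    """Count START entries per (service, source address) with one pattern.

    Returns (counts, unmatched): counts maps (service, source) -> number of
    connections, unmatched holds the lines the pattern could not classify,
    i.e. what logwatch would print under "**Unmatched Entries**".
    """
    counts = {}
    unmatched = []
    for line in lines:
        m = pattern.match(line)
        if m is None:
            unmatched.append(line)
            continue
        key = (m.group(1), m.group(2))
        counts[key] = counts.get(key, 0) + 1
    return counts, unmatched


def accepted_by(line):
    """Return the names of the patterns (in PATTERNS order) that accept a line."""
    return [name for name, pat in PATTERNS.items() if pat.match(line)]


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        counts, unmatched = tally_connections(SAMPLE_LINES, pat)
        print(f"--- {name} ---")
        for (service, source), n in sorted(counts.items()):
            print(f"  {service} from {source}: {n}")
        for line in unmatched:
            print(f"  UNMATCHED: {line}")
```

Run as a script it prints, per pattern, the tallied connections and the lines that would fall into the unmatched bucket; with the original pattern both sgi_fam lines land there, with either proposed fix none do.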
Comment 1 Elliot Lee 2002-06-27 07:03:53 EDT
Fixed & lightly tested (and also fixed matching to find xinetd-ipv6 lines, yay for me :)
