Red Hat Bugzilla – Bug 68243
additional expressions in scripts/services/ftpd-messages
Last modified: 2008-05-01 11:38:02 EDT
Description of Problem:
There are many routinely recurring log entries for wu-ftpd that logwatch does
not pick up (wu-ftpd 2.6.2-5, logwatch-2.6-2). These are probably all the
result of changes to error messages since logwatch's ftpd-messages was
originally put together.
Version-Release number of selected component (if applicable):
logwatch-2.6-2 and its reporting of messages from wu-ftpd-2.6.2-5
Steps to Reproduce:
Rather than giving steps to reproduce, I'll describe each type of log message
that I'm trying to catch and why I think my treatment of it is correct. I've
attached a patch that implements all my changes.
* In some places, the expression [\w\.]+ is used to match a hostname. Since -
is a valid character in a hostname, the expression [\w\.-]+ would be more
* Several expressions at the top where we check for things that are to be
ignored are anchored to the beginning of the string where they shouldn't be.
For instance, "lost connection to" is sometimes preceded by a host or user as in
through.he-va.apexinc.com: tanya: IDLE: lost connection to
Likewise with "timed out after .* seconds" and "FTP LOGIN FROM".
I feel that it is safe to remove the beginning-of-line anchor from these
expressions. This is especially true for expressions that result in things
being counted, but I think it's true as well for things being ignored. It is
very unlikely that the string "timed out after .* seconds" will appear not
anchhored to the beginning of the line and have different meaning.
* The message "ACCESS DENIED (not in any class)" is always followed by a login
failed message. The ACCESS DENIED message can be ignored. If someone sees
something in the logwatch output about a failed login that they think should
have succeeded, they can check the actual logs for details. This message
happens if you disable anonymous ftp by disallowing the ftp account in
/etc/ftpaccess or if any system accounts try to log in using RedHat's default
* The message "wu-ftpd - TLS settings: ..." under RedHat 7.3's default
configuration pops up for every incoming connection. It can be filtered out.
I'm not sure why it's there anyway. It seems like a level of information that
is unsuitable when debugging is not turned on, but that's just my opinion.
After applying the attached patch to my ftpd-messages file, the logwatch output
for my ftp server is now useful. Before, it was dominated by unmatched entries
to the point of being useless. Thanks for your consideration.
I am also sending this to email@example.com,, though I don't know how much
of this is general and how much is RedHat-specific. (I suspect most or all of
it is general.)
Created attachment 64229 [details]
patch implementing suggested changes
Applied in 2.6-6