Description of Problem:
There are many routinely recurring log entries for wu-ftpd that logwatch does not pick up (wu-ftpd 2.6.2-5, logwatch-2.6-2). These are probably all the result of changes to error messages since logwatch's ftpd-messages was originally put together.

Version-Release number of selected component (if applicable):
logwatch-2.6-2 and its reporting of messages from wu-ftpd-2.6.2-5

How Reproducible:
always

Steps to Reproduce:
Rather than giving steps to reproduce, I'll describe each type of log message that I'm trying to catch and why I think my treatment of it is correct. I've attached a patch that implements all my changes.

* In some places, the expression [\w\.]+ is used to match a hostname. Since - is a valid character in a hostname, the expression [\w\.-]+ would be more appropriate.

* Several expressions at the top where we check for things that are to be ignored are anchored to the beginning of the string where they shouldn't be. For instance, "lost connection to" is sometimes preceded by a host or user as in

    through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to through.he-va.apexinc.com [65.166.131.3]

  Likewise with "timed out after .* seconds" and "FTP LOGIN FROM". I feel that it is safe to remove the beginning-of-line anchor from these expressions. This is especially true for expressions that result in things being counted, but I think it's true as well for things being ignored. It is very unlikely that the string "timed out after .* seconds" will appear not anchored to the beginning of the line and have different meaning.

* The message "ACCESS DENIED (not in any class)" is always followed by a login failed message. The ACCESS DENIED message can be ignored. If someone sees something in the logwatch output about a failed login that they think should have succeeded, they can check the actual logs for details. This message happens if you disable anonymous ftp by disallowing the ftp account in /etc/ftpaccess or if any system accounts try to log in using RedHat's default configuration.

* The message "wu-ftpd - TLS settings: ..." under RedHat 7.3's default configuration pops up for every incoming connection. It can be filtered out. I'm not sure why it's there anyway. It seems like a level of information that is unsuitable when debugging is not turned on, but that's just my opinion.

After applying the attached patch to my ftpd-messages file, the logwatch output for my ftp server is now useful. Before, it was dominated by unmatched entries to the point of being useless. Thanks for your consideration. I am also sending this to logwatch, though I don't know how much of this is general and how much is RedHat-specific. (I suspect most or all of it is general.)
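
The effect of the two regex changes described in the report (allowing "-" in hostnames and dropping the beginning-of-line anchor), shown as an added Perl example; this is not the attached patch or logwatch's own ftpd-messages code. The rule names and expressions are hypothetical stand-ins for the filter's real ones, and every sample line except the first, which is quoted in the report, is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample input: first line is the one quoted in the report, the rest are constructed.
my @lines = (
    'through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to through.he-va.apexinc.com [65.166.131.3]',
    'lost connection to host1.example.com [192.0.2.10]',
    'FTP LOGIN FROM dial-up.example.net [192.0.2.20], tanya',
    'User tanya timed out after 900 seconds',
);

# Hypothetical "before" rules: anchored with ^, hostname class without "-".
my @before = (
    [ lost_conn => qr/^lost connection to ([\w\.]+) \[/ ],
    [ timeout   => qr/^timed out after .* seconds/ ],
    [ login     => qr/^FTP LOGIN FROM ([\w\.]+) \[/ ],
);

# Hypothetical "after" rules: anchor removed, "-" allowed in the hostname.
my @after = (
    [ lost_conn => qr/lost connection to ([\w\.-]+) \[/ ],
    [ timeout   => qr/timed out after .* seconds/ ],
    [ login     => qr/FTP LOGIN FROM ([\w\.-]+) \[/ ],
);

# Return the name of the first rule that matches, or UNMATCHED.
sub classify {
    my ($line, $rules) = @_;
    for my $rule (@$rules) {
        my ($name, $re) = @$rule;
        return $name if $line =~ $re;
    }
    return 'UNMATCHED';
}

# Print the classification under both rule sets, side by side.
printf "%-10s %-10s %s\n", 'before', 'after', 'line';
for my $line (@lines) {
    printf "%-10s %-10s %s\n",
        classify($line, \@before), classify($line, \@after), $line;
}
```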
Created attachment 64229 [details] patch implementing suggested changes
Applied in 2.6-6