Bug 68243 - additional expressions in scripts/services/ftpd-messages
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 7.3
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Elliot Lee
Reported: 2002-07-08 11:06 EDT by Jay Berkenbilt
Modified: 2008-05-01 11:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-07-08 11:07:47 EDT
Attachments:
patch implementing suggested changes (1.37 KB, patch), 2002-07-08 11:07 EDT, Jay Berkenbilt
Description Jay Berkenbilt 2002-07-08 11:06:53 EDT
Description of Problem:

There are many routinely recurring log entries for wu-ftpd that logwatch does
not pick up (wu-ftpd 2.6.2-5, logwatch-2.6-2).  These are probably all the
result of changes to error messages since logwatch's ftpd-messages was
originally put together.


Version-Release number of selected component (if applicable):

logwatch-2.6-2 and its reporting of messages from wu-ftpd-2.6.2-5

How Reproducible:

always

Steps to Reproduce:

Rather than giving steps to reproduce, I'll describe each type of log message
that I'm trying to catch and why I think my treatment of it is correct.  I've
attached a patch that implements all my changes.

 * In some places, the expression [\w\.]+ is used to match a hostname.  Since -
is a valid character in a hostname, the expression [\w\.-]+ would be more
appropriate.

 * Several expressions at the top where we check for things that are to be
ignored are anchored to the beginning of the string where they shouldn't be. 
For instance, "lost connection to" is sometimes preceded by a host or user as in

through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to
through.he-va.apexinc.com [65.166.131.3]

   Likewise with "timed out after .* seconds" and "FTP LOGIN FROM".

   I feel that it is safe to remove the beginning-of-line anchor from these
expressions.  This is especially true for expressions that result in things
being counted, but I think it's true as well for things being ignored.  It is
very unlikely that the string "timed out after .* seconds" will appear not
anchored to the beginning of the line and have different meaning.

 * The message "ACCESS DENIED (not in any class)" is always followed by a login
failed message.  The ACCESS DENIED message can be ignored.  If someone sees
something in the logwatch output about a failed login that they think should
have succeeded, they can check the actual logs for details.  This message
happens if you disable anonymous ftp by disallowing the ftp account in
/etc/ftpaccess or if any system accounts try to log in using RedHat's default
configuration.

 * The message "wu-ftpd - TLS settings: ..." under RedHat 7.3's default
configuration pops up for every incoming connection.  It can be filtered out. 
I'm not sure why it's there anyway.  It seems like a level of information that
is unsuitable when debugging is not turned on, but that's just my opinion.

After applying the attached patch to my ftpd-messages file, the logwatch output
for my ftp server is now useful.  Before, it was dominated by unmatched entries
to the point of being useless.  Thanks for your consideration.

I am also sending this to logwatch@logwatch.org, though I don't know how much
of this is general and how much is RedHat-specific.  (I suspect most or all of
it is general.)
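The four changes described above, shown side by side in Python against constructed sample lines (an added example, not the attached patch or logwatch's own Perl filter; the `OLD_RULES`/`NEW_RULES` lists and the `classify` helper are hypothetical stand-ins for the rule chain in ftpd-messages):

```python
import re

# Constructed sample lines in wu-ftpd style, as logwatch sees them after the syslog
# prefix is stripped. The first is the line quoted in the report; the rest are made up
# (hostnames and addresses are documentation placeholders, not real log output).
SAMPLE_LINES = [
    "through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to "
    "through.he-va.apexinc.com [65.166.131.3]",
    "timed out after 900 seconds",
    "FTP LOGIN FROM ftp-client.example.com [192.0.2.10], jsmith",
    "ACCESS DENIED (not in any class) TO ftp-client.example.com [192.0.2.10]",
    "wu-ftpd - TLS settings: constructed placeholder text",
    "some message type this filter has never seen",
]

# Rules as (name, regex). "ignore" drops the line; any other name counts it, keyed by
# the first capture group when the pattern has one. First matching rule wins.
OLD_RULES = [
    ("ignore", re.compile(r"^lost connection to")),          # anchored: misses prefixed lines
    ("ignore", re.compile(r"^timed out after .* seconds")),
    ("login", re.compile(r"^FTP LOGIN FROM ([\w\.]+) \[")),  # no '-' in the hostname class
]

NEW_RULES = [
    ("ignore", re.compile(r"lost connection to")),           # anchor removed
    ("ignore", re.compile(r"timed out after .* seconds")),
    ("ignore", re.compile(r"ACCESS DENIED \(not in any class\)")),  # login failure follows anyway
    ("ignore", re.compile(r"wu-ftpd - TLS settings:")),      # emitted on every connection
    ("login", re.compile(r"FTP LOGIN FROM ([\w\.-]+) \[")),  # '-' is valid in hostnames
]


def classify(lines, rules):
    """Run each line through the rules; return ({key: count}, [unmatched lines])."""
    counts = {}
    unmatched = []
    for line in lines:
        for name, rx in rules:
            m = rx.search(line)  # search(), not match(): anchoring is up to the pattern
            if m is None:
                continue
            if name != "ignore":
                key = f"{name} {m.group(1)}" if m.groups() else name
                counts[key] = counts.get(key, 0) + 1
            break
        else:
            unmatched.append(line)
    return counts, unmatched


if __name__ == "__main__":
    for label, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        counts, unmatched = classify(SAMPLE_LINES, rules)
        print(f"{label}: counted={counts} unmatched={len(unmatched)}")
```

With the old rules every line but the anchored timeout falls through as unmatched; with the new rules only the genuinely unknown message remains, so it stays visible in the report instead of being buried.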
Comment 1 Jay Berkenbilt 2002-07-08 11:07:43 EDT
Created attachment 64229
patch implementing suggested changes
Comment 2 Elliot Lee 2002-07-11 15:16:53 EDT
Applied in 2.6-6
