[Logwatch-Devel] Update to proftpd-messages filter

Mike Tremaine mgt at stellarcore.net
Fri Mar 16 13:47:33 MST 2007


James Treworgy wrote:
> Sorry - I meant http://www.trewtech.com/pub/proftpd-messages
> 
> I am unclear on the reason why ProFTP produces two different log formats;
> I'm just using the default and assumed it was just a change in later
> versions since the Logwatch filter was kind of old. I actually only upgraded
> to 1.3.1RC2 yesterday when I was trying to get LogWatch to work -- my
> previous installation, 1.2.10, was producing the same (modern?) log formats.
> I guess that will remain a mystery.
> 
> Anyway, beyond the basic format, at least one of the messages also changed;
> e.g:
> 
>   } elsif ( ($Host,$IP) = ( $ThisLine =~ /\((.*)\[(.*)\]\): Maximum login attempts \((.*)\) exceeded/ ) ) {
> 
> .. my logs show a number in parentheses; the old version apparently didn't.
> Also, I think some "periods" at the end of a message were different (e.g.
> they exist now and didn't before, or vice versa).
> 
> Finally, just in case you didn't notice I added this to the "don't care
> about these" section at the beginning:
> 
>          ( $ThisLine =~ /no such user \'.*\'/ )
> 
> because this message was always produced by ProFTPD immediately after this
> one:
> 
> /USER (.*): no such user found from (.*) \[(
> 


Not sure about the formats. The logs I have are from a Solaris box where 
proftpd is logging to syslog. The biggest "gotcha" is that by default 
proftpd-messages is looking at "messages" [/var/log/messages or 
/var/adm/messages]; most details are going to /var/log/authlog under Solaris.

Mar 16 05:34:12 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - mod_delay/0.5: delaying for 298 usecs
Mar 16 05:34:12 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - mod_delay/0.5: delaying for 40 usecs
Mar 16 05:34:13 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - no such user 'Administrator'
Mar 16 05:34:13 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - USER Administrator: no such user found from 61.157.58.251 [61.157.58.251] to 192.168.45.10:21


So of course mine is :/ less than perfect. I suppose I should add 
authlog to the conf. [Anyone under Linux get a split of logging between 
messages and secure?]

-Mike
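Added example, not part of the thread and not Logwatch's own (Perl) proftpd-messages filter: a small Python port of the parsing approach the two posts describe, run over constructed sample lines. It assumes the syslog message shape quoted from the Solaris box, `<server> (<host>[<ip>]) - <message>`, treats the bare `no such user 'x'` line as noise because the fuller `USER x: no such user found ...` line always follows it (so each failed login is counted once), accepts the `Maximum login attempts` message with or without the parenthesised limit, and reports any line it does not recognise instead of dropping it, which is how a filter gap like the messages/authlog split would show up. The fourth and fifth sample lines, and the function names, are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the first three lines follow the syslog format quoted in
# the thread (same host and IP as in the post); the fourth is an assumed
# "Maximum login attempts (n) exceeded" message in that same format, modelled on the
# regex James quotes, and the fifth is a deliberately unknown message.
SAMPLE_LOG = """\
Mar 16 05:34:12 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - mod_delay/0.5: delaying for 298 usecs
Mar 16 05:34:13 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - no such user 'Administrator'
Mar 16 05:34:13 hypernova proftpd[7854]: hypernova (61.157.58.251[61.157.58.251]) - USER Administrator: no such user found from 61.157.58.251 [61.157.58.251] to 192.168.45.10:21
Mar 16 05:34:20 hypernova proftpd[7855]: hypernova (61.157.58.251[61.157.58.251]) - Maximum login attempts (3) exceeded
Mar 16 05:35:01 hypernova proftpd[7856]: hypernova (61.157.58.251[61.157.58.251]) - some message this filter does not know
"""

# syslog prefix followed by "<server> (<host>[<ip>]) - <message>" as in the quoted lines
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<syslog_host>\S+) proftpd\[(?P<pid>\d+)\]: "
    r"(?P<server>\S+) \((?P<host>[^\[]*)\[(?P<ip>[^\]]*)\]\) - (?P<msg>.*)$"
)

# Messages that carry nothing worth reporting. The bare "no such user 'x'" line is
# dropped because proftpd emits the fuller "USER x: no such user found ..." line
# right after it; counting both would double-count every failed login.
IGNORE_RES = (
    re.compile(r"^mod_delay/[\d.]+: delaying for \d+ usecs$"),
    re.compile(r"^no such user '.*'$"),
)
NO_SUCH_USER_RE = re.compile(
    r"^USER (?P<user>.*): no such user found from (?P<from>.*) \[(?P<from_ip>.*)\] to (?P<to>.*)$"
)
# The "(n)" limit is optional so both message shapes mentioned in the thread match.
MAX_LOGIN_RE = re.compile(r"^Maximum login attempts(?: \((?P<limit>\d+)\))? exceeded$")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a proftpd line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(msg):
    """Map a proftpd message body to (kind, details)."""
    if any(r.match(msg) for r in IGNORE_RES):
        return ("ignore", None)
    m = NO_SUCH_USER_RE.match(msg)
    if m:
        return ("no_such_user", m.groupdict())
    m = MAX_LOGIN_RE.match(msg)
    if m:
        return ("max_login", m.group("limit"))
    return ("unmatched", msg)


def summarize(lines):
    """Aggregate a log into per-source counts, keeping unrecognised lines visible."""
    failed = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    max_login = defaultdict(int)                    # ip -> count
    report = {"failed_logins": failed, "max_login_exceeded": max_login,
              "ignored": 0, "unmatched": []}
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # not a proftpd line (other daemons share the same syslog file)
        kind, details = classify(fields["msg"])
        if kind == "ignore":
            report["ignored"] += 1
        elif kind == "no_such_user":
            failed[fields["ip"]][details["user"]] += 1
        elif kind == "max_login":
            max_login[fields["ip"]] += 1
        else:
            # Surface anything the filter does not recognise so a format change
            # is noticed rather than silently dropped.
            report["unmatched"].append(details)
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG.splitlines())
    for ip, users in rep["failed_logins"].items():
        for user, n in users.items():
            print(f"{ip}: {n} failed login(s) as unknown user {user!r}")
    for ip, n in rep["max_login_exceeded"].items():
        print(f"{ip}: maximum login attempts exceeded {n} time(s)")
    print(f"{rep['ignored']} noise line(s) ignored; {len(rep['unmatched'])} unmatched line(s):")
    for msg in rep["unmatched"]:
        print("  ", msg)
```

Running it on the sample prints one failed login for `Administrator` from 61.157.58.251, one "maximum login attempts exceeded" for the same address, two ignored noise lines and the one unmatched message. Pointing `summarize` at /var/log/authlog as well as /var/log/messages on a Solaris box is the one-line change the post is asking about.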