[Logwatch] logwatch 2.6: suggested changes to ftpd-messages

Jay Berkenbilt ejb@ql.org
Mon, 8 Jul 2002 11:13:22 -0400


I have posted this bug to RedHat's bugzilla system as bug number
68243.  It refers specifically to the logwatch configuration in RedHat
7.3, which is based on logwatch 2.6.  The messages in question
involve wu-ftpd 2.6.2 again as installed by RedHat.  I believe that
most or all of these concerns are general, even though the bug report
is somewhat RedHat-specific.  The rest of this message is the bug
report as sent to RedHat.

--
Jay Berkenbilt <ejb@ql.org>
http://www.ql.org/q/

---------------------------------------------------------------------------

Summary: additional expressions in scripts/services/ftpd-messages

Description of Problem:

There are many routinely recurring log entries for wu-ftpd that
logwatch does not pick up (wu-ftpd 2.6.2-5, logwatch-2.6-2).  These
are probably all the result of changes to error messages since
logwatch's ftpd-messages was originally put together.


Version-Release number of selected component (if applicable):

logwatch-2.6-2 and its reporting of messages from wu-ftpd-2.6.2-5

How Reproducible:

always

Steps to Reproduce:

Rather than giving steps to reproduce, I'll describe each type of log
message that I'm trying to catch and why I think my treatment of it is
correct.  I've attached a patch that implements all my changes.

 * In some places, the expression [\w\.]+ is used to match a hostname.
   Since - is a valid character in a hostname, the expression [\w\.-]+
   would be more appropriate.

 * Several expressions at the top where we check for things that are
   to be ignored are anchored to the beginning of the string where
   they shouldn't be.  For instance, "lost connection to" is sometimes
   preceded by a host or user as in

through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to through.he-va.apexinc.com [65.166.131.3]

   Likewise with "timed out after .* seconds" and "FTP LOGIN FROM".

   I feel that it is safe to remove the beginning-of-line anchor from
   these expressions.  This is especially true for expressions that
   result in things being counted, but I think it's true as well for
   things being ignored.  It is very unlikely that the string "timed
   out after .* seconds" will appear not anchored to the beginning of
   the line and have different meaning.

 * The message "ACCESS DENIED (not in any class)" is always followed
   by a login failed message.  The ACCESS DENIED message can be
   ignored.  If someone sees something in the logwatch output about a
   failed login that they think should have succeeded, they can check
   the actual logs for details.  This message happens if you disable
   anonymous ftp by disallowing the ftp account in /etc/ftpaccess or
   if any system accounts try to log in using RedHat's default
   configuration.

 * The message "wu-ftpd - TLS settings: ..." under RedHat 7.3's
   default configuration pops up for every incoming connection.  It
   can be filtered out.  I'm not sure why it's there anyway.  It seems
   like a level of information that is unsuitable when debugging is
   not turned on, but that's just my opinion.

After applying the attached patch to my ftpd-messages file, the
logwatch output for my ftp server is now useful.  Before, it was
dominated by unmatched entries to the point of being useless.  Thanks
for your consideration.

I am also sending this to logwatch@logwatch.org, though I don't know
how much of this is general and how much is RedHat-specific.  (I
suspect most or all of it is general.)

---------------------------------------------------------------------------

--- ftpd-messages.qdist	Mon Apr 15 17:21:54 2002
+++ ftpd-messages	Mon Jul  8 10:51:49 2002
@@ -54,16 +54,18 @@
    if ( ( $ThisLine =~ /FTP session closed$/ ) or
          ( $ThisLine =~ /^getpeername \(in.ftpd\): Transport endpoint is not connected$/ ) or
          ( $ThisLine =~ /^QUIT$/ ) or
-         ( $ThisLine =~ /^[\w\.]+: connected: IDLE\s\[\d+\]: failed login from/ ) or
-         ( $ThisLine =~ /^lost connection to / ) or
-         ( $ThisLine =~ /^User .* timed out after .* seconds at .*$/ )   ) {
+         ( $ThisLine =~ /^[\w\.-]+: connected: IDLE\s?\[\d+\]: failed login from/ ) or
+         ( $ThisLine =~ /lost connection to / ) or
+         ( $ThisLine =~ /ACCESS DENIED \(not in any class\) TO / ) or
+         ( $ThisLine =~ /^wu-ftpd - TLS settings: / ) or
+         ( $ThisLine =~ /User .* timed out after .* seconds at .*$/ )   ) {
       # We don't care about these
    }				 
    elsif ( ($Host,$IP,$Email) = ( $ThisLine =~ /^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
       $Temp = "   " . $Host . " (" . $IP . "): " . $Email . " - ";
       $AnonLogins{$Temp}++;
    }
-   elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /^FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
+   elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
       $Temp = "   " . $Host . " (" . $IP . "): " . $User . " - ";
       $UserLogins{$Temp}++;
    }
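Review bot: dropping the `^` from the user-login pattern (`/FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/`) while the branch above it stays anchored (`/^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/`) makes the elsif order do the wrong thing for a prefixed anonymous login: a line of the form `host: ftp: IDLE[pid]: ANONYMOUS FTP LOGIN FROM ...` no longer reaches the anonymous branch but is matched by the unanchored user-login pattern, so it is tallied in %UserLogins with the e-mail address in the user column. Since the description argues that FTP LOGIN FROM lines do occur with such a prefix, either drop the anchor from the ANONYMOUS pattern too, or keep the two distinguishable, e.g. `/(?<!ANONYMOUS )FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/`. Separately, the change from `IDLE\s\[\d+\]` to `IDLE\s?\[\d+\]` in the failed-login pattern is not mentioned in the description; the quoted sample line shows `IDLE[28826]` without a space, and one sentence saying so would save the next reader from wondering whether the optional space is intentional.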
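As an added example (not part of the original message and not logwatch's own code), the following Python script transcribes the ignore and login patterns from the distributed and patched ftpd-messages shown in the hunk above into Python's re module and runs both rule sets over a handful of log lines. Perl's =~ is a search, not an anchored match, so re.search is used throughout and only an explicit ^ or $ anchors a pattern. The through.he-va.apexinc.com line is the one quoted in the report; every other line is constructed for illustration (example.com hostnames and 192.0.2.x addresses are placeholders, and the TLS settings, ACCESS DENIED, timed-out and refused-connection lines approximate the formats the report names rather than captured wu-ftpd output). It shows how many routine lines the anchored rules leave unmatched, and that removing the anchor from the user-login pattern while the ANONYMOUS pattern keeps its anchor would, if a host-prefixed anonymous login ever occurred, count it as a user login with the e-mail address as the user name.

```python
import re

# Python transcriptions of the Perl patterns in the ftpd-messages hunk above.
# BEFORE is the distributed file, AFTER is the patched one.  Assumption: Perl
# and Python regex semantics agree for these expressions (they use only
# classes, anchors, \s, \d, \w and greedy .*).
BEFORE = {
    "ignore": [
        r"FTP session closed$",
        r"^getpeername \(in.ftpd\): Transport endpoint is not connected$",
        r"^QUIT$",
        r"^[\w\.]+: connected: IDLE\s\[\d+\]: failed login from",
        r"^lost connection to ",
        r"^User .* timed out after .* seconds at .*$",
    ],
    "anon": r"^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$",
    "user": r"^FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$",
}
AFTER = {
    "ignore": [
        r"FTP session closed$",
        r"^getpeername \(in.ftpd\): Transport endpoint is not connected$",
        r"^QUIT$",
        r"^[\w\.-]+: connected: IDLE\s?\[\d+\]: failed login from",
        r"lost connection to ",
        r"ACCESS DENIED \(not in any class\) TO ",
        r"^wu-ftpd - TLS settings: ",
        r"User .* timed out after .* seconds at .*$",
    ],
    "anon": r"^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$",
    "user": r"FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$",
}


def classify(line, rules):
    """Mirror the if/elsif chain in ftpd-messages: ignore rules first, then the
    anonymous-login branch, then the user-login branch, otherwise unmatched.
    Returns (kind, captured_fields); fields are (host, ip, user_or_email)."""
    for pat in rules["ignore"]:
        if re.search(pat, line):
            return ("ignore", None)
    m = re.search(rules["anon"], line)
    if m:
        return ("anon", m.groups())
    m = re.search(rules["user"], line)
    if m:
        return ("user", m.groups())
    return ("unmatched", None)


def summarize(lines, rules):
    """Count lines per category, the way the per-host tallies in logwatch do."""
    counts = {"ignore": 0, "anon": 0, "user": 0, "unmatched": 0}
    for line in lines:
        counts[classify(line, rules)[0]] += 1
    return counts


def unmatched(lines, rules):
    """Lines that would end up in logwatch's 'unmatched entries' section."""
    return [line for line in lines if classify(line, rules)[0] == "unmatched"]


# Sample input.  Index 1 is the line quoted in the report; all others are
# constructed for this example and are not captured wu-ftpd output.
SAMPLE_LINES = [
    "lost connection to client.example.com [192.0.2.31]",
    "through.he-va.apexinc.com: tanya: IDLE[28826]: lost connection to through.he-va.apexinc.com [65.166.131.3]",
    "ftp-gw.example.com: connected: IDLE[1234]: failed login from client.example.com [192.0.2.10]",
    "FTP LOGIN FROM client.example.com [192.0.2.20], alice",
    "ANONYMOUS FTP LOGIN FROM client.example.com [192.0.2.21], mozilla@",
    "wu-ftpd - TLS settings: control allow, client_cert allow, data allow",
    "ACCESS DENIED (not in any class) TO client.example.com [192.0.2.22]",
    "mirror.example.com: alice: IDLE[4321]: User alice timed out after 900 seconds at Mon Jul  8 10:51:49 2002",
    "mirror.example.com: bob: IDLE[4322]: FTP LOGIN FROM client.example.com [192.0.2.23], bob",
    # Hypothetical host-prefixed anonymous login, to show the anchoring mismatch.
    "mirror.example.com: ftp: IDLE[4323]: ANONYMOUS FTP LOGIN FROM client.example.com [192.0.2.24], mozilla@",
    "refused connection from client.example.com [192.0.2.30]",
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, summarize(SAMPLE_LINES, rules))
        for line in unmatched(SAMPLE_LINES, rules):
            print("   unmatched:", line)
    # The prefixed anonymous login lands in the user-login tally after the patch.
    print("prefixed anon ->", classify(SAMPLE_LINES[9], AFTER))
```

Running it prints the two tallies side by side: the distributed rules leave eight of the eleven lines unmatched, the patched rules leave one, and the hypothetical prefixed anonymous login is returned as ("user", ("client.example.com", "192.0.2.24", "mozilla@")), which is the ordering problem a reviewer would raise against the hunk.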