[Pkg-logwatch-general] r50 - in trunk: debian patches
Willi Mann
willi-guest at costa.debian.org
Thu Sep 21 19:28:58 UTC 2006
Author: willi-guest
Date: 2006-09-21 19:28:58 +0000 (Thu, 21 Sep 2006)
New Revision: 50
Added:
trunk/patches/00-fileisnodirectory-from-upstream.diff
trunk/patches/01-unmatchedsecure.diff
trunk/patches/02-debspecific-disable-su-reporting-in-secure.diff
trunk/patches/03-pam_unix-resolve-session-opened-by.diff
trunk/patches/04-cron-no-reboot-jobs-no-sys-reboot.diff
trunk/patches/05-openvpn-sigterm.diff
trunk/patches/06-named-ipv6-stopping-command-channel.diff
trunk/patches/07-courier-authdaemond-nonlogs.diff
Modified:
trunk/debian/changelog
Log:
Missed some unmatched entries, plus remove some redundant reporting concerning
secure <-> pam_unix.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2006-09-21 11:30:14 UTC (rev 49)
+++ trunk/debian/changelog 2006-09-21 19:28:58 UTC (rev 50)
@@ -5,6 +5,13 @@
- fail2ban scripts now included upstream
* Add parser for dpkg.log
* Some updates to debian/copyright
+ * Pull in patch from upstream for issues with subdirectories in logdirs.
+ * Created patches for secure, pam_unix, cron, openvpn, named, courier to
+ support some unmatched entries.
+ * Also, remove some redundant reporting for secure. This is logged in
+ pam_unix anyway.
+ * Improve the reporting in pam_unix to replace uids with names in two
+ places.
-- Willi Mann <willi at wm1.at> Sat, 16 Sep 2006 21:04:24 +0200
Added: trunk/patches/00-fileisnodirectory-from-upstream.diff
===================================================================
--- trunk/patches/00-fileisnodirectory-from-upstream.diff (rev 0)
+++ trunk/patches/00-fileisnodirectory-from-upstream.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,25 @@
+===================================================================
+RCS file: /var/cvs/logwatch/scripts/logwatch.pl,v
+retrieving revision 1.178
+retrieving revision 1.179
+diff -u -r1.178 -r1.179
+--- logwatch/scripts/logwatch.pl 2006/09/16 04:04:14 1.178
++++ logwatch/scripts/logwatch.pl 2006/09/20 16:48:02 1.179
+@@ -1,7 +1,7 @@
+ #!/usr/bin/perl -w
+ use strict;
+ ##########################################################################
+-# $Id: logwatch.pl,v 1.178 2006/09/16 04:04:14 kirk Exp $
++# $Id: logwatch.pl,v 1.179 2006/09/20 16:48:02 mike Exp $
+ ##########################################################################
+ # Most current version can always be found at:
+ # ftp://ftp.logwatch.org/pub/redhat/RPMS
+@@ -896,7 +896,7 @@
+
+ foreach my $ThisFile (@FileList) {
+ #Existence check for files -mgt
+- next unless (-e $ThisFile);
++ next unless (-f $ThisFile);
+ if (! -r $ThisFile) {
+ print "File $ThisFile is not readable. Check permissions.";
+ if ($> != 0) {
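Review bot: The comment above the changed test still says `#Existence check for files`, but with `-f` the loop now also skips directories and other non-regular files that do exist. I would update it to something like `#Skip anything that is not a regular file (e.g. a subdirectory inside a logdir)`. Entries skipped here produce no message, unlike the unreadable-file case just below, which is worth stating in the same comment. The foreach body continues outside the hunk.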
Added: trunk/patches/01-unmatchedsecure.diff
===================================================================
--- trunk/patches/01-unmatchedsecure.diff (rev 0)
+++ trunk/patches/01-unmatchedsecure.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,14 @@
+# These are reported in pam_unix in Debian anyway
+diff -ur logwatch-7.3.1.b/scripts/services/secure logwatch-7.3.1/scripts/services/secure
+--- logwatch-7.3.1.b/scripts/services/secure 2006-09-15 17:40:58.000000000 +0200
++++ logwatch-7.3.1/scripts/services/secure 2006-09-21 15:04:53.000000000 +0200
+@@ -174,6 +174,9 @@
+ ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: session /) or
+ ( $ThisLine =~ /^ipop3d\[\d+\]:/) or
+ ( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or
++ ( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix
++ ( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported)
++ ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on '\S+' FOR `\S+', Authentication failure/) or #debian: done in pam_unix
+ ( $ThisLine =~ /^pam_limits\[\d+\]/ ) or
+ ( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or # done in pam_unix
+ ( $ThisLine =~ /^cyrus\/lmtpd\[\d+\]: [^ ]+ server step [12]/ ) or
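Review bot: The three added patterns drop failed `su`, `ROOT LOGIN` and `FAILED LOGIN` lines from the secure report on the assumption that the pam_unix service reports them, but nothing visible here ties that to pam_unix being enabled in the same logwatch run. If that service is switched off or reads a different log, these authentication events presumably vanish from the report without showing up as unmatched entries either. The same dependency applies to the su counters disabled in 02-debspecific-disable-su-reporting-in-secure.diff. I would spell it out in the comment, e.g. `#debian: ignored here because pam_unix reports it; requires the pam_unix service to stay enabled`. The enclosing condition starts and ends outside the hunk.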
Added: trunk/patches/02-debspecific-disable-su-reporting-in-secure.diff
===================================================================
--- trunk/patches/02-debspecific-disable-su-reporting-in-secure.diff (rev 0)
+++ trunk/patches/02-debspecific-disable-su-reporting-in-secure.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,18 @@
+diff -ur logwatch-7.3.1.b/scripts/services/secure logwatch-7.3.1/scripts/services/secure
+--- logwatch-7.3.1.b/scripts/services/secure 2006-09-21 19:15:53.000000000 +0200
++++ logwatch-7.3.1/scripts/services/secure 2006-09-21 19:20:59.000000000 +0200
+@@ -376,11 +376,11 @@
+ } elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) {
+ $pwd_file_too_short++;
+ } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp([0-9a-z]+)/) ) {
+- $Su_User{$User}{$Su}++;
++ #$Su_User{$User}{$Su}++; #disabled for debian: reported in pam_unix
+ } elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(pts\/|ttyp)([0-9]+))/) ) {
+- $Su_User{$User}{$Su}++;
++ #$Su_User{$User}{$Su}++; # -|-
+ } elsif ( ($Su,$User) = ($ThisLine =~ /^su\[\d+\]: Successful su for (\S+) by (\S+)/) ) {
+- $Su_User{$User}{$Su}++;
++ #$Su_User{$User}{$Su}++; # -|-
+ } elsif ($ThisLine =~ /^userhelper\[\d+\]: running '([^']+)' with ([^']+) privileges on behalf of '([^']+)'/) {
+ $Executed_app{"$1,$2,$3"}++;
+ } elsif ( ($User) = $ThisLine =~ /change user `([^']+)' password/) {
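Review bot: The `# -|-` markers on the second and third commented-out counters are not self-explanatory to someone reading the secure script without this patch beside it; repeating `#disabled for debian: reported in pam_unix` on each line would be clearer. The three `elsif` branches now match and do nothing, so whatever later code prints `%Su_User` is presumably dead on Debian. A short comment at the first branch, such as `# match kept only so these lines are not handled by a later branch`, would record that intent. The if/elsif chain starts and ends outside the hunk.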
Added: trunk/patches/03-pam_unix-resolve-session-opened-by.diff
===================================================================
--- trunk/patches/03-pam_unix-resolve-session-opened-by.diff (rev 0)
+++ trunk/patches/03-pam_unix-resolve-session-opened-by.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,28 @@
+#Reasons for this patch:
+#- In debian, the user that initiates a su command is reported only by his id,
+# not by his name, so look it up.
+#- For failures, logwatch assumed the initiating users would be reported in logname.
+# At least in debian, it's not
+diff -ur logwatch-7.3.1.b/scripts/services/pam_unix logwatch-7.3.1/scripts/services/pam_unix
+--- logwatch-7.3.1.b/scripts/services/pam_unix 2006-09-15 17:40:58.000000000 +0200
++++ logwatch-7.3.1/scripts/services/pam_unix 2006-09-21 20:09:03.000000000 +0200
+@@ -146,12 +146,16 @@
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+ } elsif (($service eq 'su') or ($service eq 'sudo') or ($service eq 'su-l')) {
+- if ($line =~ s/^authentication failure; logname=(.*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) {
++ if ( my ($logname, $uid, $ruser, $user) = ($line =~ /^authentication failure; logname=(\S*)\s+uid=(\d+) (?:.*ruser=(\S*)\s+)?.*user=(\S*)$/)) {
++ $line = ($logname or $ruser)."($uid) -> $user";
+ $data{$service}{'Authentication Failures'}{$line}++;
+ } elsif ($line =~ /session closed for user/) {
+ # ignore this line
+- } elsif ($line =~ s/session opened for user (.+) by (.+)$/$2 -> $1/) {
+- $data{$service}{'Sessions Opened'}{$line}++;
++ } elsif (my ($nam, $byid) = ($line =~ /session opened for user (.+) by (.+)$/)) {
++ #resolve uid to name if possible
++ $byid =~ s/\(uid=(\d+)\)/$1/;
++ my $onam = getpwuid($byid) or $byid;
++ $data{$service}{'Sessions Opened'}{"$onam -> $nam"}++;
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
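Review bot: In the `session opened` branch, `my $onam = getpwuid($byid) or $byid;` never applies the fallback, because `or` binds more loosely than `=`; when the uid has no passwd entry `$onam` is undef and the report key loses who opened the su/sudo session. The substitution before it is also unanchored, so if the captured text is anything other than exactly `(uid=N)`, which the `(.+)` capture allows, the leftover string is numified by `getpwuid` and can resolve to the wrong account. I would look up only a pure uid and otherwise keep the logged text: `my $onam = ($byid =~ /^\(uid=(\d+)\)$/ && getpwuid($1)) || $byid;`. In the failure branch `($logname or $ruser)` is empty or undef when neither is logged, so `($logname || $ruser || 'unknown')` would keep that key readable. The enclosing if/elsif chain starts and ends outside the hunk.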
Added: trunk/patches/04-cron-no-reboot-jobs-no-sys-reboot.diff
===================================================================
--- trunk/patches/04-cron-no-reboot-jobs-no-sys-reboot.diff (rev 0)
+++ trunk/patches/04-cron-no-reboot-jobs-no-sys-reboot.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,11 @@
+diff -ur logwatch-7.3.1.b/scripts/services/cron logwatch-7.3.1/scripts/services/cron
+--- logwatch-7.3.1.b/scripts/services/cron 2006-07-28 19:40:12.000000000 +0200
++++ logwatch-7.3.1/scripts/services/cron 2006-09-21 20:36:52.000000000 +0200
+@@ -84,6 +84,7 @@
+ ($ThisLine =~ /INFO \(pidfile fd = \d+\)/) or
+ ($ThisLine =~ /rsyncd/) or
+ ($ThisLine =~ /INFO \(Running \@reboot jobs\)/) or
++ ($ThisLine =~ /INFO \(Skipping \@reboot jobs -- not system startup\)/) or
+ ($ThisLine =~ /logfile turned over/) # newsyslog on OpenBSD
+ ) {
+ # Ignore
Added: trunk/patches/05-openvpn-sigterm.diff
===================================================================
--- trunk/patches/05-openvpn-sigterm.diff (rev 0)
+++ trunk/patches/05-openvpn-sigterm.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,12 @@
+diff -ur logwatch-7.3.1.b/scripts/services/openvpn logwatch-7.3.1/scripts/services/openvpn
+--- logwatch-7.3.1.b/scripts/services/openvpn 2006-08-23 23:42:57.000000000 +0200
++++ logwatch-7.3.1/scripts/services/openvpn 2006-09-21 20:43:35.000000000 +0200
+@@ -59,7 +59,7 @@
+ ($ThisLine =~ /^Re-using SSL\/TLS context/) or
+ ($ThisLine =~ /^Restart pause, \d+ second\(s\)/) or
+ ($ThisLine =~ /^SENT CONTROL/) or
+- ($ThisLine =~ /^SIGTERM\[hard,\] received, process exiting/) or
++ ($ThisLine =~ /^SIGTERM\[hard,[^\]]*\] received, process exiting/) or
+ ($ThisLine =~ /^SIGUSR1\[soft,(connection-reset|ping-restart)\] received, (process|client-instance) restarting/) or
+ ($ThisLine =~ /^TCP\/UDP: Closing socket/) or
+ ($ThisLine =~ /^TCP\/UDP: Dynamic remote address changed during TCP connection establishment/) or
Added: trunk/patches/06-named-ipv6-stopping-command-channel.diff
===================================================================
--- trunk/patches/06-named-ipv6-stopping-command-channel.diff (rev 0)
+++ trunk/patches/06-named-ipv6-stopping-command-channel.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,13 @@
+Nur in logwatch-7.3.1.b: logwatch-7.3.1.
+diff -ur logwatch-7.3.1.b/scripts/services/named logwatch-7.3.1/scripts/services/named
+--- logwatch-7.3.1.b/scripts/services/named 2006-09-15 17:40:58.000000000 +0200
++++ logwatch-7.3.1/scripts/services/named 2006-09-21 20:57:55.000000000 +0200
+@@ -126,7 +126,7 @@
+ ($ThisLine =~ /^exiting/) or
+ ($ThisLine =~ /no longer listening/) or
+ ($ThisLine =~ /the default for the .* option is now/) or
+- ($ThisLine =~ /stopping command channel on [0-9.#]/) or
++ ($ThisLine =~ /stopping command channel on \S+/) or
+ ($ThisLine =~ /Malformed response from/) or
+ ($ThisLine =~ /client .+#\d+: query:/) or
+ # Do we really want to ignore these?
Added: trunk/patches/07-courier-authdaemond-nonlogs.diff
===================================================================
--- trunk/patches/07-courier-authdaemond-nonlogs.diff (rev 0)
+++ trunk/patches/07-courier-authdaemond-nonlogs.diff 2006-09-21 19:28:58 UTC (rev 50)
@@ -0,0 +1,29 @@
+diff -ur logwatch-7.3.1.b/scripts/services/courier logwatch-7.3.1/scripts/services/courier
+--- logwatch-7.3.1.b/scripts/services/courier 2006-03-13 21:02:02.000000000 +0100
++++ logwatch-7.3.1/scripts/services/courier 2006-09-21 21:15:30.000000000 +0200
+@@ -1,5 +1,5 @@
+ #
+-# Copyright 2003-2004 by Willi Mann <willi at wm1.at>
++# Copyright 2003-2006 by Willi Mann <willi at wm1.at>
+ #
+ # This program is free software; you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+@@ -30,6 +30,9 @@
+ # }
+ #
+
++# Note: In case this is wanted and if I'm asked, I might relicense the
++# generic reporting functions under Logwatch's license.
++
+ use strict;
+
+ #Could be neccessary in some environments
+@@ -382,6 +385,8 @@
+ ($ThisLine =~ /^Initializing */) or
+ ($ThisLine =~ /^Installing */) or
+ ($ThisLine =~ /^Installed: */) or
++ ($ThisLine =~ /^Installation complete: / ) or
++ ($ThisLine =~ /^stopping authdaemond children/ ) or
+ ($ThisLine =~ /^Started .\/courier.*, pid=.*, maxdels=.*, maxhost=.*, maxrcpt=.*1/ ) or
+ ($ThisLine =~ /^Waiting\. shutdown time=.*, wakeup time=.*, queuedelivering=.*, inprogress=.*/) or
+ ($ThisLine =~ /^Loading STATIC transport module libraries./) or