iptables service not functional - Solution included
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
logwatch (Ubuntu) | Expired | Medium | Unassigned |
Bug Description
logwatch does not include blocked connections (iptables). As this is an entry point in monitoring servers and because blocked connections can be a symptom of break-in attempts, having no report on them while you expect one can be a big problem.
Sorry for not submitting a patch, this is beyond my knowledge and time, but since it's three lines of code, here's my fix with a bit of explanation:
in /usr/share/
LogFile = /var/log/kern.log
After doing so, the log files are not parsed properly. While you now get reports, the aggregation is not accurate.
Basically, the cleanup regexp does not account for the fact that for small kernel timestamps, there is a space at the beginning of the stamp.
in /usr/share/
The old regexp is :
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?//;
The right regexp would be :
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?//;
Here is an example of a log line that would not work, because of the space in the timestamp "[ 1690.227087]":
Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 SRC=166.78.158.192 DST=72.14.183.239 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
have fun,
Frank
information type: Private Security → Public Security
Changed in logwatch (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
The regex upstream and in Xenial is:
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\s*\d+\.\d+\] )?//;
which should account for whatever whitespace might be in the log. Can you confirm, if possible?
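The following is an added example, not code from the bug report or from logwatch itself, that shows why the original cleanup regex drops iptables lines and that both the reporter's `\[ *` variant and the upstream/Xenial `\[\s*` variant repair it. It translates the three Perl substitutions quoted above 1:1 into Python's `re`, then runs a small stand-in for logwatch's aggregation (count blocked packets per source, protocol and destination port) over a handful of kern.log lines. The first line is the one quoted in the report; the others are constructed for this example, as is the `fw:` log prefix and the aggregation key. The reason for the leading space is the kernel's own timestamp format, `[%5lu.%06lu] `, which pads the seconds field to five characters, so every line logged in the first 10000 seconds of uptime carries one or more spaces after the bracket.

```python
import re
from collections import Counter

# The three cleanup regexes from the bug thread, Perl syntax carried over unchanged.
RE_OLD = re.compile(r'^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?')        # Ubuntu at the time
RE_PROPOSED = re.compile(r'^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?')  # reporter's fix
RE_UPSTREAM = re.compile(r'^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\s*\d+\.\d+\] )?') # upstream / Xenial

# Assumed log prefix (the reporter's lines use "fw:"; set with iptables ... -j LOG --log-prefix "fw: ").
FW_PREFIX = 'fw: '

# Sample kern.log lines. The first is quoted in the bug report; the rest are constructed.
SAMPLE_LINES = [
    "Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 SRC=166.78.158.192 DST=72.14.183.239 "
    "LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    # constructed: 5 s of uptime, so four spaces of padding inside the bracket
    "Apr 18 17:37:32 rack1 kernel: [    5.004012] fw: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    # constructed: uptime above 99999 s, no padding, so even the old regex copes
    "Apr 20 09:12:01 rack1 kernel: [123456.778901] fw: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    # constructed: a kernel line that is not a firewall message at all
    "Apr 20 09:12:05 rack1 kernel: [123460.101112] usb 1-1: new high-speed USB device number 4 using ehci-pci",
]


def kernel_stamp(secs, usecs):
    """Render a kernel timestamp the way printk does: "[%5lu.%06lu] "."""
    return f"[{secs:5d}.{usecs:06d}] "


def cleanup(regex, line):
    """Equivalent of logwatch's  $ThisLine =~ s/^.../ /;  with the given regex."""
    return regex.sub('', line, count=1)


def parse_fw(cleaned):
    """Return the KEY=VALUE fields of a cleaned firewall line, or None if it is not one."""
    if not cleaned.startswith(FW_PREFIX):
        return None
    fields = {}
    for tok in cleaned[len(FW_PREFIX):].split():
        if '=' in tok:
            key, _, value = tok.partition('=')
            fields.setdefault(key, value)  # keep the first LEN= (IP length), ignore the UDP one
        else:
            fields[tok] = True             # bare flags such as DF or SYN
    return fields


def aggregate(regex, lines):
    """Count blocked packets per (SRC, PROTO, DPT).

    Returns (counts, not_stripped): not_stripped holds lines whose kernel timestamp
    survived the cleanup, which is exactly what makes logwatch's report inaccurate.
    """
    counts = Counter()
    not_stripped = []
    for line in lines:
        cleaned = cleanup(regex, line)
        if cleaned.startswith('['):
            not_stripped.append(cleaned)
            continue
        fields = parse_fw(cleaned)
        if fields:
            counts[(fields['SRC'], fields['PROTO'], fields['DPT'])] += 1
    return counts, not_stripped


if __name__ == '__main__':
    for name, regex in (('old', RE_OLD), ('proposed', RE_PROPOSED), ('upstream', RE_UPSTREAM)):
        counts, not_stripped = aggregate(regex, SAMPLE_LINES)
        print(f"{name:9s} counted={sum(counts.values())} not_stripped={len(not_stripped)}")
        for key, n in sorted(counts.items()):
            print(f"          {key} x{n}")
```

With the old regex only the one line logged after 100000 s of uptime is counted and the two padded lines fall through with their timestamp still attached; with either whitespace-tolerant regex all three firewall lines are counted and the USB line is correctly ignored. The `\s*` form is the safer of the two fixes, since it also accepts tabs or other whitespace should a syslog daemon ever emit them.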