Friday, March 16, 2007

Logwatch support for ProFTPD

Sorry to make my first post in two weeks be a boring technical one, but I've been too busy to let my mind ponder the vagaries of the universe lately.

I use LogWatch on a Linux box to keep me up to date on the previous day's hacking attempts, disk usage, backup status, and so on. It includes a module for use with ProFTPD, the FTP server, but it never worked right. I tooled around Google for a while trying to find a version that worked, but only found others looking for the same thing with no solution. So I took matters into my own hands and updated the filter to correctly parse current ProFTPD message log files.

A lot of this is untested, but the corrections mostly involved what seemed to be a pretty simple change in the log format from whenever the script was originally created. I also added some code to summarize "unmatched" entries rather than spewing out every single one of them, so my logwatch emails won't be gigantic if I missed something... If anyone uses this script and finds that it doesn't properly parse anything, post a comment or send me an email with a copy of any offending log entries, and I'll update the filter.

Download proftpd-messages

On my Fedora box this is /etc/log.d/scripts/services/proftpd-messages. I also added an option to "summarize unmatched entries": if the script can't figure out what to do with a log entry, then instead of copying every unmatched line into the logwatch message (of which there might be a lot, if there was a hacking attempt or some other repeated error that the script doesn't handle yet), it tallies the "unmatched" entries the same way it tallies any recognized entry. To enable this, set:

$ftpd_ignore_unmatched = 2

in /etc/log.d/scripts/services/proftpd-messages.conf
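To make the two behaviours above concrete (classifying ProFTPD message lines into counted categories, and either dumping, dropping or summarizing the lines no rule recognizes), here is an added example written for this page. It is not the proftpd-messages filter from the post or from logwatch, which are Perl; it is a Python sketch of the same logic. The sample log lines are constructed, the message wordings they use are modelled on ProFTPD syslog output and are an assumption, and the meaning of the values 0 and 1 for the ignore-unmatched setting is also an assumption (the post only documents 2 = summarize).

```python
import re
from collections import Counter

# Constructed sample input (not from the post), modelled on the syslog lines
# ProFTPD writes; the exact message wording is an assumption for illustration.
SAMPLE_LOG = """\
Mar 16 02:10:01 ftp proftpd[4101]: ftp (203.0.113.5[203.0.113.5]) - FTP session opened.
Mar 16 02:10:01 ftp proftpd[4101]: ftp (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 198.51.100.2:21
Mar 16 02:10:02 ftp proftpd[4101]: ftp (203.0.113.5[203.0.113.5]) - FTP session closed.
Mar 16 02:10:03 ftp proftpd[4102]: ftp (203.0.113.5[203.0.113.5]) - FTP session opened.
Mar 16 02:10:03 ftp proftpd[4102]: ftp (203.0.113.5[203.0.113.5]) - USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 198.51.100.2:21
Mar 16 02:10:04 ftp proftpd[4102]: ftp (203.0.113.5[203.0.113.5]) - FTP session closed.
Mar 16 08:30:10 ftp proftpd[4220]: ftp (192.0.2.7[192.0.2.7]) - FTP session opened.
Mar 16 08:30:12 ftp proftpd[4220]: ftp (192.0.2.7[192.0.2.7]) - USER jamie (Login failed): Incorrect password.
Mar 16 08:30:20 ftp proftpd[4220]: ftp (192.0.2.7[192.0.2.7]) - USER jamie: Login successful.
Mar 16 08:31:00 ftp proftpd[4220]: ftp (192.0.2.7[192.0.2.7]) - FTP session closed.
Mar 16 09:00:00 ftp proftpd[4300]: ftp (192.0.2.9[192.0.2.9]) - mod_tls: starting TLS handshake
Mar 16 09:00:01 ftp proftpd[4300]: ftp (192.0.2.9[192.0.2.9]) - mod_tls: starting TLS handshake
Mar 16 09:05:00 ftp proftpd[4301]: ftp (192.0.2.9[192.0.2.9]) - some message the filter has no rule for
"""

# Strip the syslog/proftpd prefix; the "peer (addr) - " part is optional
# because not every ProFTPD message carries it.
SYSLOG_PREFIX = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: "
    r"(?:(?P<peer>\S+) \((?P<addr>[^)]*)\) - )?(?P<msg>.*)$"
)

# Ordered rules over the message body; first match wins.
RULES = [
    ("no_such_user", re.compile(r"^USER (?P<user>\S+): no such user found from (?P<src>\S+)")),
    ("login_failed", re.compile(r"^USER (?P<user>\S+) \(Login failed\): (?P<reason>.*?)\.?$")),
    ("login_ok", re.compile(r"^USER (?P<user>\S+): Login successful")),
    ("session_opened", re.compile(r"^FTP session opened")),
    ("session_closed", re.compile(r"^FTP session closed")),
]


def parse(lines, ignore_unmatched=2):
    """Tally ProFTPD message lines by category.

    ignore_unmatched mirrors the post's $ftpd_ignore_unmatched setting.
    Assumed meanings: 0 = keep every unmatched line verbatim, 1 = drop
    unmatched lines, 2 = summarize them by message text with a count
    (the behaviour the post documents for the value 2).
    """
    counts = {
        "no_such_user": Counter(),    # (user, source addr) -> attempts
        "login_failed": Counter(),    # (user, reason) -> attempts
        "login_ok": Counter(),        # user -> successful logins
        "session_opened": 0,
        "session_closed": 0,
        "unmatched": Counter(),       # message text -> occurrences (mode 2)
        "unmatched_lines": [],        # raw lines (mode 0)
    }
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = SYSLOG_PREFIX.match(line)
        msg = m.group("msg") if m else line
        for name, rx in RULES:
            hit = rx.match(msg)
            if hit:
                break
        else:
            if ignore_unmatched == 0:
                counts["unmatched_lines"].append(line)
            elif ignore_unmatched == 2:
                counts["unmatched"][msg] += 1
            continue
        if name == "no_such_user":
            counts[name][(hit["user"], hit["src"])] += 1
        elif name == "login_failed":
            counts[name][(hit["user"], hit["reason"])] += 1
        elif name == "login_ok":
            counts[name][hit["user"]] += 1
        else:
            counts[name] += 1
    return counts


def render(counts):
    """Produce a logwatch-style text report from the tallies."""
    out = []
    if counts["no_such_user"]:
        out.append("Logins with unknown user names:")
        for (user, src), n in sorted(counts["no_such_user"].items()):
            out.append(f"   {user} from {src}: {n} Time(s)")
    if counts["login_failed"]:
        out.append("Failed logins:")
        for (user, reason), n in sorted(counts["login_failed"].items()):
            out.append(f"   {user} ({reason}): {n} Time(s)")
    if counts["login_ok"]:
        out.append("Successful logins:")
        for user, n in sorted(counts["login_ok"].items()):
            out.append(f"   {user}: {n} Time(s)")
    out.append(f"Sessions opened: {counts['session_opened']}, closed: {counts['session_closed']}")
    if counts["unmatched"]:
        out.append("**Unmatched Entries** (summarized):")
        for msg, n in counts["unmatched"].most_common():
            out.append(f"   {msg}: {n} Time(s)")
    if counts["unmatched_lines"]:
        out.append("**Unmatched Entries**:")
        out.extend("   " + raw for raw in counts["unmatched_lines"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(parse(SAMPLE_LOG.splitlines(), ignore_unmatched=2)))
```

With mode 2 the two identical mod_tls lines collapse to one report line with a count of 2, which is exactly what keeps the daily mail small when an unhandled message repeats hundreds of times; with mode 0 every raw line is reproduced, and with mode 1 they vanish entirely, which is the setting to avoid if you want to notice log formats the filter does not yet understand.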

Update 3/21/2007: I fixed a few bugs and added support for some more messages that weren't handled by the old script. The current version is now at the link above.

Also, in an exchange with the current developer of this script on the logwatch-devel list, I suspect that the problems with this script have to do with operating system. He is running on Solaris and the log format that his installation of ProFTPD produces remains consistent with the "old" version of the script. So, chances are, this script will be good for Linux but maybe not for other *nix variants such as Solaris. The next official release will likely be capable of handling either format log file, though.

Update 3/27/2007: The original changes I made have been committed to the CVS, so the latest version will work for either log format. I have a few other additions that I need to extract from this version, but consider the CVS version better at this point.

3 comments:

Anonymous said...

I am trying this out on Ubuntu but don't notice anything new in my logwatch reports.

Where should Proftpd put its log file and what should it be called? Thanks for all this work!

Anonymous said...

Added the line

logfiles/messages: LogFile = syslog

to /etc/logwatch/conf/override.conf

and it's working.

Jamie said...

There may have been a lot of other changes since this was posted - per my 3/2007 update. There is a very good chance that the current development version on www.logwatch.org is better than the one I'm discussing here.