From: Mij <mi...@bi...> - 2007-10-31 21:13:45
hello Eric,

please file this mail on the feature request tracker
http://sourceforge.net/tracker/?group_id=188282

I'm not sure I will handle it, partly because I guess a marginal fraction of the users enables this syslogd option and it might not be worth the effort. I will inspect the problem better this weekend and provide a patch for you if it does not take too much time (specifically handling the variability of v's could be boring).

bye

On 31/Oct/07, at 01:07, Eric W. Bates wrote:

> FreeBSD syslogd has an option to make it more verbose when writing logs.
> I'm old and slow; so I find the option helpful. Unfortunately using the option spoils sshguard's parser.
>
> I took a stab at reworking attack_parser.y to deal with the extra text. I'm out of depth with yacc; so instead of a working patch, I have a feature request.
>
> From syslogd(8)
>
>      -v      Verbose logging.  If specified once, the numeric facility
>              and priority are logged with each locally-written message.
>              If specified more than once, the names of the facility and
>              priority are logged with each locally-written message.
>
> If you specify -vv here is an example:
>
> Oct 28 09:34:23 <auth.info> 235 sshd[73761]: Invalid user administrator from 210.188.220.65
> Oct 28 09:34:30 <auth.info> 235 sshd[73763]: Invalid user administrator from 210.188.220.65
>
> This also demonstrates another parsing problem: my host is named '235.dhcp.mydomain.tld'; so the host name appears in the log as '235' which also causes a parsing failure.
>
> My attempt to fix both problems:
>
> *** attack_parser.y.orig	Tue Oct 30 15:08:41 2007
> --- attack_parser.y	Tue Oct 30 15:36:13 2007
> ***************
> *** 49,55 ****
>    */
>   syslogent:
>       /* timestamp host name procname[pid]: logmsg */
> !     TIMESTAMP_SYSLOG host name procname '[' INTEGER ']' ':' logmsg NEWLINE
>       ;
>   
>   /* a multilog-generated log entry */
> --- 49,55 ----
>    */
>   syslogent:
>       /* timestamp host name procname[pid]: logmsg */
> !     TIMESTAMP_SYSLOG verbose host name procname '[' INTEGER ']' ':' logmsg NEWLINE
>       ;
>   
>   /* a multilog-generated log entry */
> ***************
> *** 60,65 ****
> --- 60,66 ----
>   /* name of a host */
>   host name:
>       WORD
> +     | INTEGER
>       | HOSTADDR { }
>       ;
>   
> ***************
> *** 69,74 ****
> --- 70,81 ----
>       | WORD '(' WORD ')'
>       ;
>   
> + /* optional facility and priority when 'verbose' logging is on */
> + verbose:
> +     '<' WORD '.' WORD '>'
> +     | ''
> +     ;
> + 
>   /* the "payload" of a log entry: the oridinal message generated from a process */
>   logmsg:
>       sshmsg { attackparser_service = SERVICES_SSH; }
> ***************
> *** 145,149 ****
>   %%
>   
>   void yyerror(char *msg) { /* do nothing */ }
> - 
> - 
> --- 152,154 ----
>
> Also note that when I use bison 2.3 to compile attack_parser.y, the resultant attack_parser.h bears no resemblance to the attack_parser.h file included in the distribution source. In fact gcc fails with a bunch of function undefined errors. However, swapping in the include file as provided in the distribution does allow it to build. It just still won't parse my ssh log. [sigh]
>
> Thanks for your time.
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
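Review bot: in the first hunk (49,55) the `!` line uses `host name` with a space, and the rule head in the next hunk is likewise `host name:`; yacc reads that as two separate symbols `host` and `name`, so the nonterminal must be a single identifier (for example `hostname`) both where it is defined and where `syslogent` uses it. Placing `verbose` right after `TIMESTAMP_SYSLOG` is the correct position for the `<auth.info>` field shown in the sample lines, provided the lexer emits `<`, the two words and `>` as separate tokens rather than one WORD.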
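Review bot: in the 60,65 hunk, `+     | INTEGER` only helps if a label such as `235` actually reaches the parser as an INTEGER token; if the lexer's WORD and INTEGER patterns overlap, rule order decides which token is produced and the new alternative may never match, or may introduce a shift/reduce conflict with the `procname` position that follows. Widening the lexer's hostname pattern to accept digit-leading labels (the host appears as `235` because it is the first label of `235.dhcp.mydomain.tld`) would fix the case without touching the grammar.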
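Review bot: in the 69,74 hunk, `+     | ''` is not an empty production; bison rejects `''` as an empty character literal, and an empty alternative is written with nothing after the `|` (conventionally `| /* empty */`). The `'<' WORD '.' WORD '>'` alternative also covers only the symbolic names written by `-vv`; the syslogd(8) excerpt says a single `-v` logs the numeric facility and priority, which would lex as INTEGER, so an `'<' INTEGER '.' INTEGER '>'` alternative is needed as well (this is the "variability of v's" the reply mentions). The `oridinal` in the unchanged comment line is a pre-existing typo for `original`.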
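Review bot: the two `- ` blank lines after `void yyerror(char *msg) { /* do nothing */ }` in the 145,149 hunk are whitespace churn unrelated to the parsing fix; drop them from the patch so the functional change can be reviewed and applied on its own.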
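To make the shape of the problem concrete, here is an added example (not part of this thread and not sshguard's code) of a small hand-written C parser for the line forms discussed above: the plain BSD syslog line, the `-v` form with a numeric `<4.6>` field, and the `-vv` form with a symbolic `<auth.info>` field, with a host label that may consist only of digits. The `<4.6>` sample line is a constructed illustration of the numeric form described in the man page excerpt; the symbolic lines follow the ones quoted in the mail. The struct and function names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not sshguard code. Parses
 *   Oct 28 09:34:23 [<fac.pri> ]host procname[pid]: message
 * where the bracketed field is optional and may be numeric or symbolic. */
struct syslog_entry {
    char timestamp[16];  /* "Oct 28 09:34:23" */
    char facility[16];   /* "" when no <fac.pri> field is present */
    char priority[16];
    char host[256];
    char procname[64];
    long pid;            /* -1 when no [pid] is present */
    char message[1024];
};

/* Copy bytes from *p into dst while pred() holds; return the count copied. */
static size_t take_while(const char **p, char *dst, size_t cap, int (*pred)(int)) {
    size_t n = 0;
    while (**p && pred((unsigned char)**p) && n + 1 < cap) dst[n++] = *(*p)++;
    dst[n] = '\0';
    return n;
}

/* Host labels may be all digits ("235"), so do not distinguish WORD from INTEGER here. */
static int is_label_char(int c) { return isalnum(c) || c == '-' || c == '.' || c == '_'; }
static int is_procname_char(int c) { return isalnum(c) || c == '-' || c == '_' || c == '/'; }

/* Returns 0 on success and -1 when the line does not have the expected shape. */
int parse_syslog_line(const char *line, struct syslog_entry *e) {
    const char *p = line;
    memset(e, 0, sizeof *e);
    e->pid = -1;

    /* Timestamp is a fixed 15-byte "Mon DD HH:MM:SS" followed by a space. */
    if (strlen(p) < 16) return -1;
    for (int i = 0; i < 3; i++) if (!isalpha((unsigned char)p[i])) return -1;
    if (p[3] != ' ' || !(isdigit((unsigned char)p[4]) || p[4] == ' ')) return -1;
    if (!isdigit((unsigned char)p[5]) || p[6] != ' ') return -1;
    if (p[9] != ':' || p[12] != ':' || p[15] != ' ') return -1;
    for (int i = 7; i < 15; i++)
        if (i != 9 && i != 12 && !isdigit((unsigned char)p[i])) return -1;
    memcpy(e->timestamp, p, 15);
    p += 16;

    /* Optional verbose field: '<' alnum '.' alnum '>' ' ' (covers both -v and -vv). */
    if (*p == '<') {
        p++;
        if (take_while(&p, e->facility, sizeof e->facility, isalnum) == 0) return -1;
        if (*p++ != '.') return -1;
        if (take_while(&p, e->priority, sizeof e->priority, isalnum) == 0) return -1;
        if (*p++ != '>' || *p++ != ' ') return -1;
    }

    /* Host, then procname with an optional [pid], then ':' and the message. */
    if (take_while(&p, e->host, sizeof e->host, is_label_char) == 0) return -1;
    if (*p++ != ' ') return -1;
    if (take_while(&p, e->procname, sizeof e->procname, is_procname_char) == 0) return -1;
    if (*p == '[') {
        char digits[12];
        p++;
        if (take_while(&p, digits, sizeof digits, isdigit) == 0) return -1;
        if (*p++ != ']') return -1;
        e->pid = strtol(digits, NULL, 10);
    }
    if (*p++ != ':') return -1;
    if (*p == ' ') p++;
    strncpy(e->message, p, sizeof e->message - 1);
    size_t len = strlen(e->message);
    if (len && e->message[len - 1] == '\n') e->message[len - 1] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample lines modelled on the ones quoted in the mail. */
    const char *samples[] = {
        "Oct 28 09:34:23 <auth.info> 235 sshd[73761]: Invalid user administrator from 210.188.220.65",
        "Oct 28 09:34:30 <4.6> 235 sshd[73763]: Invalid user administrator from 210.188.220.65",
        "Oct 28 09:35:01 myhost sshd[73770]: Invalid user administrator from 210.188.220.65",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct syslog_entry e;
        if (parse_syslog_line(samples[i], &e) == 0)
            printf("host=%s proc=%s pid=%ld fac=%s pri=%s msg=%s\n",
                   e.host, e.procname, e.pid, e.facility, e.priority, e.message);
        else
            printf("unparsed: %s\n", samples[i]);
    }
    return 0;
}
```

The point of the design is that the verbose field is handled as one optional unit whose two halves are simply alphanumeric runs, so the same code path accepts `<4.6>` and `<auth.info>`, and the host is matched by a label character class instead of a word/integer distinction, so `235` no longer fails. A line that is malformed anywhere (for example an unterminated `<auth.info`) is rejected as a whole rather than partially matched, which is the safer behaviour for a log consumer that acts on what it parses.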