Logwatch puzzles

David G. Miller dave at davenjudy.org
Sun Apr 9 14:23:34 UTC 2006


Craig White <craigwhite at azapple.com> wrote:

> On Sun, 2006-04-09 at 10:52 +0100, Anne Wilson wrote:
>
>>> On Saturday 08 April 2006 15:25, Anne Wilson wrote:
>>
>>>> > On Saturday 08 April 2006 14:14, Craig White wrote:
>>>
>>>>> > > On Sat, 2006-04-08 at 10:27 +0100, Anne Wilson wrote:
>>>>
>>>>>> > > > This box runs samba in order to serve up a public directory.  I'm
>>>>>> > > > seeing many lines in Logwatch that do not appear in the main server
>>>>>> > > > Logwatch, and trying to understand what is causing them.  I find this
>>>>>> > > > puzzling, for instance:
>>>>>> > > >
>>>>>> > > >  nmbd/nmbd_incomingrequests.c:process_name_query_request(454)
>>>>>> > > > process_name_query_request: Name query from 192.168.0.80 on subnet
>>>>>> > > > 192.168.0.70 for name LYDGATE.LAN<1d> : 91 Time(s)
>>>>>> > > >
>>>>>> > > > 192.168.0.70 is this box, and 192.168.0.80 was active for a
>>>>>> > > > considerable time yesterday, but "on subnet 192.168.0.70" sounds odd?
>>>>>> > > >
>>>>>> > > > There are other lines that seem to suggest that it is trying to connect
>>>>>> > > > to a windows active domain.  There is a W2K box on the lan, for which I
>>>>>> > > > have no access, so can't answer for its configuration, but again, I
>>>>>> > > > don't see any such lines on the main server Logwatch.
>>>>>> > > >
>>>>>> > > > Both boxes have Logwatch set to level Low.
>>>>>> > > >
>>>>>> > > > I've tried googling, but although I've found dozens of entries with
>>>>>> > > > similar phrases, none that I've read so far seem to fit my
>>>>>> > > > circumstances. What I really need now is some suggestions for
>>>>>> > > > troubleshooting this.  I know I could just ignore them, but among all
>>>>>> > > > that crud there could be hiding something that I need to see, but would
>>>>>> > > > miss.
>>>>>
>>>>> > >
>>>>> > > ----
>>>>> > > yeah it does sound odd but perusing /var/log/samba/nmbd.log on a few
>>>>> > > servers - including those with multiple ip addresses shows that this is
>>>>> > > the terminology used in samba logging. I suppose to answer definitively,
>>>>> > > one would go through the source code.
>>>>
>>>> >
>>>> > As a temporary measure I'll try to set exclude lines in Logwatch for the
>>>> > most obvious groups of lines, in the hope that I can more easily see what
>>>> > else is there.
>>>> >
>>>
>>> I've hit a problem, seen in this report:
>>> 
>>> Anacron job 'cron.daily'
>>> /etc/cron.daily/0logwatch:
>>> 
>>> Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE 
>>> winbindd*/ at /etc/cron.daily/0logwatch line 1113, <TESTFILE> line 2.
>>> 
>>> Obviously this is not a file that I have altered in any way, so it has to be 
>>> what it is reading that is the problem.  The lines it refers to are
>>> 
>>> IGNORE: for my $ignore_filter (@IGNORE) {
>>>                chomp $ignore_filter;
>>>                if ($ThisLine =~ m/$ignore_filter/) {
>>>                   $Ignored++;
>>>                   next LINE;
>>> 
>>> I believe the line that it is objecting to was
>>> *winbindd*
>>> 
>>> Presumably it doesn't like the '*' as a starting point.  How, then, can I 
>>> ignore all lines concerned with winbindd?
>>
>----
>just guessing that you did some editing within the 'samba.conf' file in
>the log.d services directory that maybe has caused this issue.
>
>Craig
>
Sounds like you just want winbindd as your matcher in your @IGNORE 
array.  This will match any line that contains the string winbindd.  You 
don't need anything in front of or behind winbindd to tell perl to skip 
anything since the perl pattern match will be true if $ThisLine contains 
the string winbindd anywhere. 

If you needed something to skip over the first part of the line, you'd 
want a perl regular expression instead of what you would use for grep 
and friends.  This would be something like /.*winbindd.*/ with ".*" 
being the perl matcher roughly equivalent to grep's "*".

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
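
An added example, not part of the original message and not Logwatch's own code: it compiles each ignore entry inside eval so that a glob-style entry such as the *winbindd* from this thread is reported and skipped instead of aborting the whole run with "Quantifier follows nothing in regex". The ignore entries and log lines are constructed samples, and compile_filters is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed ignore entries: the glob-style one from the thread, the plain
# string suggested in the reply, and the explicit regex form.
my @IGNORE = ('*winbindd*', 'winbindd', '.*winbindd.*');

# Constructed sample log lines (not taken from a real log).
my @lines = (
    'Apr  9 04:02:11 box winbindd[2314]: could not contact domain controller',
    'Apr  9 04:02:15 box nmbd[2290]: process_name_query_request: Name query from 192.168.0.80',
    'Apr  9 04:03:01 box sshd[2501]: Failed password for root from 192.168.0.80',
);

# Compile each entry once. eval traps the fatal regex compile error, so one
# bad entry cannot stop the report from being produced.
sub compile_filters {
    my (@patterns) = @_;
    my (@ok, @bad);
    for my $p (@patterns) {
        chomp $p;
        my $re = eval { qr/$p/ };
        if (defined $re) { push @ok, $re } else { push @bad, $p }
    }
    return (\@ok, \@bad);
}

my ($filters, $rejected) = compile_filters(@IGNORE);
warn "skipping invalid ignore pattern: $_\n" for @$rejected;

# Same shape as the IGNORE loop quoted above, but using precompiled patterns.
my $ignored = 0;
LINE: for my $line (@lines) {
    for my $re (@$filters) {
        if ($line =~ $re) { $ignored++; next LINE; }
    }
    print "REPORT: $line\n";
}
print "ignored $ignored line(s)\n";
```

Printing the ignored count alongside the report makes it easier to notice when an ignore entry is hiding more lines than intended.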



