Bug 145364 - default tenshi.conf has bad entries for sshd
Summary: default tenshi.conf has bad entries for sshd
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: Tenshi
Hardware: All Linux
Importance: High normal
Assignee: Tenshi Group User
Reported: 2006-08-28 08:38 UTC by Andrew Gaffney (RETIRED)
Modified: 2006-08-29 06:56 UTC
Description Andrew Gaffney (RETIRED) gentoo-dev 2006-08-28 08:38:30 UTC
The default tenshi.conf contains entries like:

report   ^sshd: Accepted rsa for (.+) from (.+) port (.+)
root     ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
root     ^sshd\(pam_unix\): session opened for user root by \(uid=0\)

But sshd log entries have the PID in brackets before the colon. I had to modify the regexes as follows to get tenshi to pick them up:

report   ^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)
root     ^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)
root     ^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)

Default regexes for other types of entries may have the same problem. I haven't looked too much into it yet, as I've only been using tenshi for ~10 minutes.
Comment 1 Rob Holland 2006-08-29 06:46:12 UTC
Maybe you should have started those 10 minutes by reading the man page? ;)

Please see: set hidepid

This is turned on in the default configuration file, alongside the default regex examples which rely on that behaviour.
Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2006-08-29 06:56:12 UTC
Marking as INVALID.
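
The mismatch discussed in this thread can be checked offline before relying on a rule set for alerting. The following is an added example, not part of the bug report or of tenshi itself: it runs the regexes quoted above against constructed sshd lines with and without PID stripping. The strip_pid helper is an assumption that models "set hidepid" as removing the bracketed PID from the program tag; the sample lines and all function names are hypothetical.

```python
import re

# Regexes copied from the report: shipped defaults and the reporter's PID-aware variants.
DEFAULT_RULES = [
    ("report", r"^sshd: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by \(uid=0\)"),
]
PID_RULES = [
    ("report", r"^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)"),
]

# Constructed sample lines, starting at the program tag (timestamp and host omitted).
SAMPLE_LINES = [
    "sshd[4242]: Accepted rsa for alice from 192.0.2.10 port 51515",
    "sshd(pam_unix)[4243]: session opened for user root by root(uid=0)",
    "sshd(pam_unix)[4244]: session opened for user root by (uid=0)",
]

# Assumed model of hidepid: drop "[pid]" between the program tag and its colon.
PID_TAG = re.compile(r"^(\S+?)\[\d+\]:")

def strip_pid(line):
    return PID_TAG.sub(r"\1:", line, count=1)

def first_queue(line, rules):
    """Return the queue of the first rule that matches, or None if no rule does."""
    for queue, pattern in rules:
        if re.search(pattern, line):
            return queue
    return None

def coverage(lines, rules, hidepid):
    """Queue assigned to each line, after optional PID stripping."""
    return [first_queue(strip_pid(l) if hidepid else l, rules) for l in lines]

def unmatched(lines, rules, hidepid):
    """Lines that no rule picks up: the silent gaps worth reviewing."""
    queues = coverage(lines, rules, hidepid)
    return [l for l, q in zip(lines, queues) if q is None]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("pid-aware", PID_RULES)):
        for hidepid in (True, False):
            missed = unmatched(SAMPLE_LINES, rules, hidepid)
            print(f"{name:9} hidepid={hidepid!s:5} missed={len(missed)}")
```

Either rule set matches all three lines only under the hidepid setting it was written for; under the opposite setting the root-login lines go unmatched.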