I have a line that matches my iptables outputs that is giving me no end of grief. It seems like when it sends the report as it is scheduled that the lines completely ignore the pattern matching and display the entire line. The subject does reflect the correct rule (the only line defined for that). However, when I stop tenshi and it flushes out its queues it does format the line correctly in the email it sends.

This is the line in the tenshi.conf file:

set queue security tenshi@xxxx.org tom_g@yyy.org,bill@explosivo.com [0 8-20/2,4 * * *]

This is the pattern line:

security ^FW_RULE.+DENY.*(LEN.*)PROTO=.+(SPT=.+)DPT=\d+(.*)

Sometimes I get the correct format in an email like so:

1: FW_RULE 19 -- DENY IN=eth1 OUT=eth0 SRC=81.156.60.84 DST=172.16.1.3 ___PROTO=TCP ___DPT=135___

But sometimes I will get a report that comes by itself, or a second after, with lines that look like this:

1: FW_RULE 19 -- DENY IN=eth0 OUT=eth1 SRC=172.16.58.94 DST=10.0.1.1 LEN=32 TOS=0x00 PREC=0x00 TTL=63 ID=12469 PROTO=UDP SPT=49880 DPT=192 LEN=12

It is also an all or nothing thing... The report is either all one way, or all another way. It's also strange that I can get two security reports sent to me. There is only one rule in the conf file that issues to the security queue (shown above).

Reproducible: Always

Steps to Reproduce:
1. To get a bad report just wait until the scheduled report happens; not 100%, but I get at least one bad report.
2. Shut down tenshi... the reports sent at termination are always formatted correctly.
3.

Actual Results: Get a badly formatted report

Expected Results: Report should have been formatted differently
Mmmh, looks like the problem is caused by the second 'LEN' in the unmasked log entry. You have LEN=32 and LEN=12 at the end; could you try removing (LEN.*) from your regexp?
I have modified my pattern line to this:

security ^FW_RULE.+DENY.*DST=\S*(.+)PROTO=.+(SPT=.+)DPT=\d+(.*)

and it looked like it was working at first, but in my last report I got many entries that looked like this:

FW_RULE 17 -- DENY IN=eth1 OUT=eth0 SRC=205.241.45.32 DST=172.16.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=61755 DF PROTO=TCP SPT=3965 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Also - the report was generated at 4:30, while my rule for sending the report (I think) says the start of any hour between 8am and 8pm.

set queue security tenshi@stalingrad.watkinson.org tom_gromak@watkinson.org,bill@explosivo.com [0 8-20 * * *]

I guess I am having trouble with this...
Mmh, could you try something like this maybe?

^FW_RULE (.+) DENY (.+) DST=.+ (.+) PROTO=.+ (.+) DPT=.+

Also, could you have something like 'security ^FW_RULE' after that, so that you can see what's not caught by that but is in the security queue? Also, are you using the 0.3.1 version of tenshi? If not, could you upgrade please; that should fix any crontab problem.
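Both patterns in this thread rely on tenshi replacing each capture group with ___ and counting identical masked lines, which is the format visible in the report above. The script below is an added example (not tenshi's own code) that emulates that masking with Python's re module so a pattern can be checked against sample log lines before it goes into tenshi.conf. It assumes plain group-to-___ substitution and uses constructed iptables lines modelled on the ones quoted here; Python's regex engine is not the Perl engine tenshi uses, so edge cases may differ.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the iptables entries quoted in the thread.
# Lines 1 and 2 differ only in fields a good mask should hide (LEN, TTL, ID, SPT, WINDOW).
LOG_LINES = [
    "FW_RULE 19 -- DENY IN=eth1 OUT=eth0 SRC=81.156.60.84 DST=172.16.1.3 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=114 ID=61755 DF PROTO=TCP SPT=3965 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0",
    "FW_RULE 19 -- DENY IN=eth1 OUT=eth0 SRC=81.156.60.84 DST=172.16.1.3 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=112 ID=12 DF PROTO=TCP SPT=4011 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0",
    "FW_RULE 19 -- DENY IN=eth0 OUT=eth1 SRC=172.16.58.94 DST=10.0.1.1 LEN=32 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=12469 PROTO=UDP SPT=49880 DPT=192 LEN=12",
]

# The two patterns discussed in the thread, verbatim.
PATTERNS = {
    "original": r"^FW_RULE.+DENY.*(LEN.*)PROTO=.+(SPT=.+)DPT=\d+(.*)",
    "suggested": r"^FW_RULE (.+) DENY (.+) DST=.+ (.+) PROTO=.+ (.+) DPT=.+",
}


def mask(pattern, line):
    """Return the line with every capture group replaced by '___', or None if it does not match.

    This is an assumed emulation of tenshi's masking, not tenshi's code.
    """
    m = re.search(pattern, line)
    if m is None:
        return None
    out, pos = [], 0
    for i in range(1, (m.lastindex or 0) + 1):
        start, end = m.span(i)
        if start < 0:  # optional group that did not participate
            continue
        out.append(line[pos:start])
        out.append("___")
        pos = end
    out.append(line[pos:])
    return "".join(out)


def summarise(pattern, lines):
    """Count identical masked keys the way a queued report lists them ('N: masked line')."""
    counts = Counter()
    unmatched = []
    for line in lines:
        key = mask(pattern, line)
        if key is None:
            unmatched.append(line)
        else:
            counts[key] += 1
    return counts, unmatched


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        counts, unmatched = summarise(pat, LOG_LINES)
        print(f"== {name}: {len(counts)} distinct keys, {len(unmatched)} unmatched")
        for key, n in counts.most_common():
            print(f"{n}: {key}")
        for line in unmatched:
            print(f"UNMATCHED: {line}")
```

Running it shows what each pattern leaves visible: the original pattern collapses the first two constructed lines into one key with a count of 2, while the suggested pattern keeps LEN, TTL and ID unmasked, so every packet becomes its own key. Whether that is desirable depends on what the report is for; the point of the script is to see the resulting keys before a queue fills with them.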
Yeah, I was on the 3.1 version. I am not sure what was going on. I think part of the problem was my regex, and another part was not understanding exactly how it worked its way through them. I've also discovered that there were some intermittent mail problems (unrelated) that were causing some emails to arrive after newer emails, which I think just confused me and what I was trying. I'd love to see something like a "tenshi cookbook" online or something. Maybe just more examples... like I have no idea what the group ^something does... anyway, I'd say this ticket is closed. Sorry it took so long to get back here.