Bug 145364

Summary: default tenshi.conf has bad entries for sshd
Product: Gentoo Hosted Projects
Reporter: Andrew Gaffney (RETIRED) <agaffney>
Component: Tenshi
Assignee: Tenshi Group User <tenshi>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Andrew Gaffney (RETIRED) gentoo-dev 2006-08-28 08:38:30 UTC
The default tenshi.conf contains entries like:

report   ^sshd: Accepted rsa for (.+) from (.+) port (.+)
root     ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
root     ^sshd\(pam_unix\): session opened for user root by \(uid=0\)

But sshd log entries have the PID in brackets before the colon. I had to modify the regexes as follows to get tenshi to pick them up:

report   ^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)
root     ^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)
root     ^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)

Default regexes for other types of entries may have the same problem. I haven't looked too much into it yet, as I've only been using tenshi for ~10 minutes.

Comment 1 Rob Holland 2006-08-29 06:46:12 UTC
Maybe you should have started those 10 minutes by reading the man page? ;)

Please see: set hidepid

This is turned on in the default configuration file, alongside the default regex examples which rely on that behaviour.

Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2006-08-29 06:56:12 UTC
Marking as INVALID.
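
The interaction between `set hidepid` and the two rule sets quoted in this report, as an added example that is not part of the original thread or of tenshi itself. It assumes a simplified model of hidepid (`strip_pid`, a hypothetical helper that drops the `[PID]` before the first colon), uses Python's `re` rather than tenshi's own regex engine, and runs on constructed log lines.

```python
import re

# Rules copied from the report: the shipped defaults and the reporter's edits.
DEFAULT_RULES = [
    ("report", r"^sshd: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by \(uid=0\)"),
]
PID_RULES = [
    ("report", r"^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)"),
]

# Constructed sample lines, already reduced to "program: message".
SAMPLE_LINES = [
    "sshd[4321]: Accepted rsa for alice from 192.0.2.10 port 50522",
    "sshd(pam_unix)[4321]: session opened for user root by root(uid=0)",
    "sshd(pam_unix)[4322]: session opened for user root by (uid=0)",
]

# Assumption: hidepid modelled as removing "[digits]" directly before the
# first colon of the program tag. This is not tenshi's actual code.
PID_TAG = re.compile(r"^([^\s:\[]+)\[\d+\]:")


def strip_pid(line):
    """Return the line with the PID removed from its program tag."""
    return PID_TAG.sub(r"\1:", line, count=1)


def classify(line, rules, hidepid):
    """Return the queue of the first matching rule, or None if unmatched."""
    if hidepid:
        line = strip_pid(line)
    for queue, pattern in rules:
        if re.search(pattern, line):
            return queue
    return None


def coverage(rules, hidepid):
    """Classify every sample line under one rule set and hidepid setting."""
    return [classify(line, rules, hidepid) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("with PID", PID_RULES)):
        for hidepid in (True, False):
            print(f"{name:8} hidepid={hidepid!s:5} -> {coverage(rules, hidepid)}")
```

A rule set written for one hidepid setting matches nothing under the other, so root logins and accepted keys go unclassified rather than raising an error.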