[logs] logsurfer: test config file: ´.*´ - - - 0 exec "/bin/echo $0"

Jim Prewett download at hpc.unm.edu
Fri Oct 30 08:48:22 PDT 2009


Hello,

First, I would like to suggest that you try Logsurfer+ instead of
Logsurfer.  It has a couple of additional features and its development is
still active :)  I'm /technically/ listed as a developer of Logsurfer+,
but I think that's only for my moral support :)  I do /honestly/ think it
is a better way to go. :)

Are you specifying the filename of the input file? (or, are you typing any 
input to STDIN when running logsurfer?)

I was able to use Logsurfer+ version 1.7 with the config file:
'.*' - - - 0 exec "/bin/echo $0"

and it dutifully printed each line of input.

HTH,
Jim

James E. Prewett                    Jim at Prewett.org download at hpc.unm.edu 
Systems Team Leader           LoGS: http://www.hpc.unm.edu/~download/LoGS/ 
Designated Security Officer         OpenPGP key: pub 1024D/31816D93    
HPC Systems Engineer III   UNM HPC  505.277.8210

On Thu, 29 Oct 2009, J4 wrote:

> Dear all log analysers,
> 
> 	I compiled & installed logsurfer 1.5b from SourceForge.
> 
> The logsurfer man page states that when I use a configuration file
> containing this line then all stdin ought to be sent to stdout.
> ´.*´ - - - 0 exec "/bin/echo $0"
> 
> Just to check that echo is there,
> # which echo
> /bin/echo
> 
> 
> However, this does not happen in my case:
> 
> # logsurfer -c testfile
> warning: logsurfer started as root
> de
> ^Cexiting program - please wait...
> dumping state to /dev/null
> sending timeout to contexts...
> cleaning up memory...
> 
> Is there something that I have missed?
> 
> Here follows the trace, in case someone really wants to read it.  I
> think that you can ignore the access("/etc/ld.so.preload", because I
> think it's an environmental check for the Debian world and this is an
> openSUSE 11.0 (X86-64) system.
> 
> 
> # strace logsurfer -c testfile
> execve("/usr/local/bin/logsurfer", ["logsurfer", "-c", "testfile"], [/* 59 vars */]) = 0
> brk(0)                                  = 0x611000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd03e32b000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd03e32a000
> access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=72946, ...}) = 0
> mmap(NULL, 72946, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd03e318000
> close(3)                                = 0
> open("/lib64/libc.so.6", O_RDONLY)      = 3
> read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\345\1\0\0\0\0\0"..., 832) = 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=1495120, ...}) = 0
> mmap(NULL, 3506872, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd03ddb6000
> fadvise64(3, 0, 3506872, POSIX_FADV_WILLNEED) = 0
> mprotect(0x7fd03df05000, 2097152, PROT_NONE) = 0
> mmap(0x7fd03e105000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14f000) = 0x7fd03e105000
> mmap(0x7fd03e10a000, 17080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd03e10a000
> close(3)                                = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd03e317000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd03e316000
> arch_prctl(ARCH_SET_FS, 0x7fd03e3166f0) = 0
> open("/dev/urandom", O_RDONLY)          = 3
> read(3, "\313\323Mb(\232\216\r", 8)     = 8
> close(3)                                = 0
> mprotect(0x7fd03e105000, 16384, PROT_READ) = 0
> mprotect(0x60e000, 4096, PROT_READ)     = 0
> mprotect(0x7fd03e32c000, 4096, PROT_READ) = 0
> munmap(0x7fd03e318000, 72946)           = 0
> getuid()                                = 0
> write(2, "warning: logsurfer started as ro"..., 35warning: logsurfer started as root
> ) = 35
> brk(0)                                  = 0x611000
> brk(0x632000)                           = 0x632000
> open("testfile", O_RDONLY)              = 3
> read(3, "\302\264.*\302\264 - - - 0 exec \"/bin/echo $"..., 1023) = 35
> read(3, "", 1023)                       = 0
> close(3)                                = 0
> rt_sigaction(SIGUSR1, {0x402c25, [], SA_RESTORER|SA_RESTART, 0x7fd03dde8660}, NULL, 8) = 0
> rt_sigaction(SIGHUP, {0x402e02, [], SA_RESTORER|SA_RESTART, 0x7fd03dde8660}, NULL, 8) = 0
> rt_sigaction(SIGTERM, {0x402c53, [], SA_RESTORER|SA_RESTART, 0x7fd03dde8660}, NULL, 8) = 0
> rt_sigaction(SIGINT, {0x402c53, [], SA_RESTORER|SA_RESTART, 0x7fd03dde8660}, NULL, 8) = 0
> read(0, de
> "de\n", 4095)                   = 3
> wait4(-1, NULL, WNOHANG, NULL)          = -1 ECHILD (No child processes)
> read(0, ^C <unfinished ...>
> exiting program - please wait...
> dumping state to /dev/null
> sending timeout to contexts...
> cleaning up memory...
> 
> Best regards, S.
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
> 
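An added example, not code from this thread, from logsurfer or from Logsurfer+. The quoted strace shows the rule file being read as `"\302\264.*\302\264 - - - 0 exec ..."`: the bytes 0xC2 0xB4 are UTF-8 for U+00B4 ACUTE ACCENT, not the ASCII apostrophe 0x27 that the man page's `'.*'` uses, so the parser sees something other than a quoted `.*`. The script below checks a rule file for non-ASCII characters, parses the rule line with shell-style quoting, and dry-runs the `exec` action over constructed sample lines so you can see that a regex with the accents taken literally never fires. The field order (match, not_match, stop, not_stop, timeout, optional `continue`, action) follows logsurfer.conf; the parser itself, the expansion of `$1`..`$9` for regex groups, and the sample log lines are this example's assumptions, not logsurfer's implementation, and contexts and timeouts are not modelled.

```python
#!/usr/bin/env python3
"""Minimal model of one logsurfer rule line (added example, not logsurfer code):
flag mis-encoded quote characters, parse the rule, and dry-run its exec action."""
import re
import shlex
import subprocess
import unicodedata

# Config bytes reconstructed from the strace read() quoted in the thread:
#   read(3, "\302\264.*\302\264 - - - 0 exec \"/bin/echo $"..., 1023) = 35
# 0xC2 0xB4 is UTF-8 for U+00B4 ACUTE ACCENT, not 0x27 APOSTROPHE.
BROKEN_CONFIG = b"\xc2\xb4.*\xc2\xb4 - - - 0 exec \"/bin/echo $0\"\n"
# The same rule as the man page gives it, with ASCII single quotes.
GOOD_CONFIG = b"'.*' - - - 0 exec \"/bin/echo $0\"\n"

# Field order of a logsurfer.conf rule line; everything after timeout
# (and an optional "continue") is the action and its arguments.
FIELDS = ("match", "not_match", "stop", "not_stop", "timeout")


def non_ascii_chars(raw: bytes):
    """Return (byte_offset, char, unicode_name) for each non-ASCII character.
    A rule file should be pure ASCII; anything else is usually a quote or
    dash substituted by an editor, a terminal locale or copy-paste."""
    found = []
    offset = 0
    for ch in raw.decode("utf-8", "surrogateescape"):
        if ord(ch) > 0x7F:
            found.append((offset, ch, unicodedata.name(ch, "UNKNOWN")))
        offset += len(ch.encode("utf-8", "surrogateescape"))
    return found


def parse_rule(line: str):
    """Split a rule line with shell-style quoting (so '.*' and
    "/bin/echo $0" each survive as one token) and name the fields."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < len(FIELDS) + 1:
        raise ValueError(f"rule needs at least {len(FIELDS) + 1} tokens: {tokens!r}")
    rule = dict(zip(FIELDS, tokens))
    rule["timeout"] = int(rule["timeout"])
    rest = tokens[len(FIELDS):]
    rule["continue"] = rest[0] == "continue"
    if rule["continue"]:
        rest = rest[1:]
    if not rest:
        raise ValueError("rule has no action")
    rule["action"], rule["args"] = rest[0], rest[1:]
    return rule


def expand(arg: str, line: str, m: "re.Match") -> str:
    """$0 is the whole matched line (as the man page reference in the thread
    says); $1..$9 expanding to regex groups is this model's assumption."""
    def sub(ref):
        n = int(ref.group(1))
        if n == 0:
            return line
        return m.group(n) if n <= m.re.groups and m.group(n) is not None else ""
    return re.sub(r"\$([0-9])", sub, arg)


def plan_actions(rule, lines):
    """Dry run: the argv the exec action would get for each matching line.
    Nothing is spawned, so this is safe to run over real log input."""
    match_re = re.compile(rule["match"])
    skip_re = None if rule["not_match"] == "-" else re.compile(rule["not_match"])
    argvs = []
    for line in lines:
        m = match_re.search(line)
        if m is None or (skip_re and skip_re.search(line)) or rule["action"] != "exec":
            continue
        # Split the quoted command first, then substitute: a log line with
        # spaces or shell metacharacters stays a single argv element.
        argv = shlex.split(rule["args"][0]) + rule["args"][1:]
        argvs.append([expand(a, line, m) for a in argv])
    return argvs


def run_actions(rule, lines):
    """Execute the planned argv vectors directly (no shell) and return stdout."""
    return [subprocess.run(argv, capture_output=True, text=True, check=False).stdout
            for argv in plan_actions(rule, lines)]


if __name__ == "__main__":
    sample = ["de", "Oct 29 10:00:00 host sshd[4242]: Accepted publickey"]  # constructed
    for name, cfg in (("broken", BROKEN_CONFIG), ("good", GOOD_CONFIG)):
        print(f"{name}: non-ASCII {non_ascii_chars(cfg)}")
        rule = parse_rule(cfg.decode("utf-8", "surrogateescape"))
        print(f"  regex {rule['match']!r} -> argv {plan_actions(rule, sample)}")
```

The argv is built by splitting the quoted command before `$0` is substituted, so a log line containing spaces, quotes or `;` arrives at `/bin/echo` as one argument and no shell ever sees it; that is the safe way to hand untrusted log text to an external command, and it is worth confirming that whatever log monitor you deploy does the same before writing `exec` rules against attacker-controlled input.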

