Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#8671 - ppp.log file includes sudo messages

Attached to Project: Arch Linux
Opened by Marc St-Laurent (peart) - Saturday, 17 November 2007, 02:38 GMT
Last edited by Paul Mattal (paul) - Thursday, 10 January 2008, 04:03 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Paul Mattal (paul)
Architecture All
Severity Very Low
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

I now have a ppp.log file, even though I don't have any ppp related stuff installed. Example of contents:
Nov 16 21:01:00 moocow sudo: marc : TTY=pts/1 ; PWD=/home/marc ; USER=root ; COMMAND=/usr/bin/pacman -Syu

In /etc/syslog-ng.conf, filter f_ppp is set to pick up everything sent to the local2 facility. Apparently, this includes sudo's messages.

Additional info:
* package version(s)

sudo 1.6.9p7-1
syslog-ng 2.0.5-5
(System is completely up to date)

* config and/or log files etc.

/etc/syslog-ng.conf is unchanged (Arch default).

Steps to reproduce:

Just run a command with sudo, then check if the command was logged in /var/log/ppp.log.
This task depends upon

Closed by  Paul Mattal (paul)
Thursday, 10 January 2008, 04:03 GMT
Reason for closing:  Fixed
Comment by Aaron Griffin (phrakture) - Thursday, 20 December 2007, 18:39 GMT
Does changing this to facility(ppp) still produce the desired output WITHOUT sudo information?
Comment by Marc St-Laurent (peart) - Sunday, 23 December 2007, 04:52 GMT
Aaron,

I made the change that I *think* you wanted, in my syslog-ng.conf:
filter f_ppp { facility(ppp); }; // instead of facility(local2)
Is that what you meant?

If so, the rc script complains when restarting syslog:
[root@~] /etc/rc.d/syslog-ng restart
:: Stopping Syslog-NG [DONE]
:: Starting Syslog-NG [BUSY] Warning: Unknown facility; facility='ppp'
[DONE]

Comment by Marc St-Laurent (peart) - Sunday, 23 December 2007, 05:30 GMT
Hello again,

I just dl'ed the sources to sudo. It is possible to change the logging facility using the ---with-logfac configure switch. The complete list of facilities is in /usr/include/sys/syslog.h (starting at line 122, in case you are up for some reading). I guess "auth" would be the logical choice, as auth.log contains the other sudo messages that get picked up by other filters.

I think adding this switch to sudo's PKGBUILD would be a clean solution to the problem.
Merry X-Mas,
marc
Comment by Aaron Griffin (phrakture) - Sunday, 23 December 2007, 19:50 GMT
Assigning to Paul.
Paul, could we change sudo's log facility to 'auth'?
Comment by Paul Mattal (paul) - Monday, 31 December 2007, 04:46 GMT
Implemented in 1.6.9p10-3. Will close bug after signoff.

Loading...