Bug #291
prelude lml refuses to read a logfile
0%
Description
the file is perfectly readable by the user i run prelude as:
barthek@bdubuntu:~$ id
uid=1000(barthek) gid=1000(barthek) groups=4(adm),6(disk),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(lpadmin),111(scanner),114(admin),117(fuse),127(sambashare),1000(barthek),1001(vboxusers)
barthek@bdubuntu:~$ ls l /var/log/auth.log 1 syslog adm 72376 2008-06-04 15:45 /var/log/auth.log
-rw-r----
yet prelude-lml refuses to read it with error:
04 Jun 15:45:55 (process:9362) WARNING: /var/log/auth.log is not available for reading to uid 1000/gid 1000.
History
#1 Updated by over 15 years ago
Check via lsattr if you have any extended attributes set. And check if you have selinux enabled. If do - turn it off, reboot and try to run prelude-lml again.
#2 Updated by Yoann VANDOORSELAERE over 15 years ago
- Status changed from New to Closed
- Resolution set to fixed
(In r11064) Deprecate Gamin/FAM support in favor of libev. The previous implementation
had problem on SELinux enabled system. This remove a lot of code working
around FAM specific issue. Additionally, we use libev for monitoring the
UDP server socket.
The metadata format has changed, and we now use Gcrypt to generate a checksum,
this provide a nice performance improvement by preventing the ftruncate()
syscall prior saving metadata.
When an user specify a file to be monitored that isn't available for reading,
use libev to be notified of this file stat change anyway, until it can be
monitored.
Include 'original' file information in IDMEF generated alert for logfile
modification.
Make sure we use FILE_SERVER_METADATA_FLAGS_LAST when neither HEAD/TAIL
metadata are specified (fix a bug with --metadata=nowrite).
Rely on the kernel in place of our own function for checking file acces,
this should fix #291.
#3 Updated by Yoann VANDOORSELAERE almost 15 years ago
- Project changed from PRELUDE SIEM to Prelude-LML
- Category deleted (
4) - Target version deleted (
0.9.14)