Bug #291

prelude lml refuses to read a logfile

Added by almost 13 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version:
Start date:
Due date:
% Done: 0%
Resolution: fixed

Description

The file is perfectly readable by the user I run prelude as:

barthek@bdubuntu:~$ id
uid=1000(barthek) gid=1000(barthek) groups=4(adm),6(disk),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(lpadmin),111(scanner),114(admin),117(fuse),127(sambashare),1000(barthek),1001(vboxusers)
barthek@bdubuntu:~$ ls -l /var/log/auth.log
-rw-r----- 1 syslog adm 72376 2008-06-04 15:45 /var/log/auth.log

Yet prelude-lml refuses to read it, with the error:

04 Jun 15:45:55 (process:9362) WARNING: /var/log/auth.log is not available for reading to uid 1000/gid 1000.

History

#1 Updated by over 12 years ago

Check via lsattr if you have any extended attributes set. And check if you have SELinux enabled. If so, turn it off, reboot and try to run prelude-lml again.

#2 Updated by Yoann VANDOORSELAERE over 12 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r11064) Deprecate Gamin/FAM support in favor of libev. The previous implementation
had problems on SELinux-enabled systems. This removes a lot of code working
around FAM-specific issues. Additionally, we use libev for monitoring the
UDP server socket.

The metadata format has changed, and we now use Gcrypt to generate a checksum;
this provides a nice performance improvement by preventing the ftruncate()
syscall prior to saving metadata.

When a user specifies a file to be monitored that isn't available for reading,
use libev to be notified of this file's stat change anyway, until it can be
monitored.

Include 'original' file information in IDMEF generated alert for logfile
modification.

Make sure we use FILE_SERVER_METADATA_FLAGS_LAST when neither HEAD/TAIL
metadata are specified (fix a bug with --metadata=nowrite).

Rely on the kernel in place of our own function for checking file access;
this should fix #291.

#3 Updated by Yoann VANDOORSELAERE almost 12 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (0.9.14)
