From ls@Berkeley.Gambit.Msk.SU  Tue May 16 00:06:21 2000
Return-Path: <ls@Berkeley.Gambit.Msk.SU>
Received: from Berkeley.Gambit.Msk.SU (Berkeley.Gambit.Msk.SU [194.190.206.1])
	by hub.freebsd.org (Postfix) with ESMTP id 1F31A37B968
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 16 May 2000 00:06:16 -0700 (PDT)
	(envelope-from ls@Berkeley.Gambit.Msk.SU)
Received: (from ls@localhost)
	by Berkeley.Gambit.Msk.SU (8.9.3/8.9.3) id LAA15679;
	Tue, 16 May 2000 11:06:07 +0400 (MSD)
	(envelope-from ls)
Message-Id: <200005160706.LAA15679@Berkeley.Gambit.Msk.SU>
Date: Tue, 16 May 2000 11:06:07 +0400 (MSD)
From: ls@gambit.msk.su
Sender: ls@Berkeley.Gambit.Msk.SU
Reply-To: ls@gambit.msk.su
To: FreeBSD-gnats-submit@freebsd.org
Subject: /etc/security: improove the dmesg diff output
X-Send-Pr-Version: 3.2

>Number:         18587
>Category:       bin
>Synopsis:       /etc/security: improove the dmesg diff output
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 16 00:10:05 PDT 2000
>Closed-Date:    Tue Jun 29 10:16:06 GMT 2004
>Last-Modified:  Tue Jun 29 10:16:06 GMT 2004
>Originator:     ls@gambit.msk.su
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
Gambit Automated Design
>Environment:

     $FreeBSD: src/etc/security,v 1.36.2.1 2000/04/05 13:44:35 sheldonh Exp $

>Description:

	Since the dmesg output doesn't contain the date and time of the event,
	it can contain a lot of equal entries (esp. when you run ipfw
	with logging)

>How-To-Repeat:

	$ dmesg | sort | uniq -c | sort -nr | head

>Fix:

--- etc/security.orig	Mon Apr 10 11:22:39 2000
+++ etc/security	Mon May  8 14:22:13 2000
@@ -102,7 +102,7 @@
 	if cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then :; else
 		separator
 		echo "${host} kernel log messages:"
-		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" | sed -e 's/^> //' | sort | uniq -c | sort -rn
 		mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday
 		mv ${TMP} ${LOG}/dmesg.today
 	fi
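Review bot: the `+` line's `sort | uniq -c | sort -rn` discards the order in which the kernel emitted the messages, which is the only sequencing information `dmesg` carries (the description itself notes there are no timestamps); a reader of the daily report can no longer tell whether a burst of `ipfw` denials happened before or after, say, a filesystem-full message. If the goal is only to collapse repeated lines, `uniq -c` alone (without the two sorts) collapses runs of identical adjacent lines while keeping the original order, and the `sed -e 's/^> //'` can stay so the count is followed by the bare message. Either way, consider noting in the script that the counts cover only lines that are new relative to `${LOG}/dmesg.today`, since the message buffer is a fixed-size ring and can wrap within a day.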

>Release-Note:
>Audit-Trail:

From: Alexander Langer <alex@big.endian.de>
To: ls@gambit.msk.su
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/18587: /etc/security: improove the dmesg diff output
Date: Tue, 16 May 2000 13:44:17 +0200

 Thus spake ls@gambit.msk.su (ls@gambit.msk.su):
 
 > 	Since the dmesg output don't contain the date and time of event,
 > 	it can contain a lot of equal entries (esp. when you run ipfw
 > 	with logging)
 
 > 	$ dmesg | sort | uniq -c | sort -nr | head
 
 What about recently booted systems?
 
 Alex
 
 -- 
 I need a new ~/.sig.
 

From: Sergei Laskavy <ls@Gambit.Msk.SU>
To: Alexander Langer <alex@big.endian.de>
Cc: ls@Gambit.Msk.SU, FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/18587: /etc/security: improove the dmesg diff output
Date: Tue, 16 May 2000 16:04:15 +0400

 > Thus spake ls@gambit.msk.su (ls@gambit.msk.su):
 
 > > 	Since the dmesg output don't contain the date and time of event,
 > > 	it can contain a lot of equal entries (esp. when you run ipfw
 > > 	with logging)
 
 > > 	$ dmesg | sort | uniq -c | sort -nr | head
 
 On Tue, May 16, 2000 at 01:44:17PM +0200, Alexander Langer wrote:
 > What about recently booted systems?
 
 Some recently booted systems will not have duplicated lines, so the new
 and old output will differ only in the order of lines.
 
 How many of us boot just before the daily cron job?
 

From: Alexander Langer <alex@big.endian.de>
To: Sergei Laskavy <ls@Gambit.Msk.SU>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/18587: /etc/security: improove the dmesg diff output
Date: Tue, 16 May 2000 14:19:04 +0200

 Thus spake Sergei Laskavy (ls@Gambit.Msk.SU):
 
 > > > 	$ dmesg | sort | uniq -c | sort -nr | head
 > Some recently booted systems will not have duplicated lines, so the new
 > and old output will differ only in the order of lines.
 
 Yes. Bad.
 
 > How many of us boot just before the daily cron job?
 
 True.
 
 Alex
 
 -- 
 I need a new ~/.sig.
 

From: Leo Bicknell <bicknell@ufp.org>
To: freebsd-gnats-submit@FreeBSD.org, ls@gambit.msk.su
Cc:  
Subject: Re: bin/18587: /etc/security: improove the dmesg diff output
Date: Tue, 10 Jul 2001 21:08:31 -0400

 Isn't this all unreliable anyway?  Since the buffer is of fixed size
 it can easily be rolled over in 24 hours by log_in_vain, icmp_bandlim,
 ipfw, or a simple full file system for a while.  Any way you slice
 it what's really needed is a way to log all of this data into a file,
 where the security script can do better post processing.  
 
 That said, doesn't:
 
 diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" | uniq -c get you most
 of the way there, and keep the order?  I think most duplicates show up
 in a row, not scattered about.
 
 -- 
 Leo Bicknell - bicknell@ufp.org
 Systems Engineer - Internetworking Engineer - CCIE 3440
 Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
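To make the trade-off in this thread concrete, here is an added example (not code from the PR or from FreeBSD) that runs the PR's proposed pipeline and Leo Bicknell's order-preserving `uniq -c` variant side by side over two constructed dmesg snapshots. The file names, the `report_*` helper names and the sample kernel lines (RFC 5737 documentation addresses) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample snapshots standing in for ${LOG}/dmesg.today (yesterday's
# saved copy) and ${TMP} (the fresh dmesg run). Today's copy has new ipfw
# denials, some repeated back to back, with an unrelated message in between.
WORK=$(mktemp -d)
cat > "$WORK/dmesg.yesterday" <<'EOF'
Copyright (c) 1992-2000 The FreeBSD Project.
ipfw: 100 Deny TCP 192.0.2.5:1234 192.0.2.1:22 in via fxp0
EOF
cat > "$WORK/dmesg.today" <<'EOF'
Copyright (c) 1992-2000 The FreeBSD Project.
ipfw: 100 Deny TCP 192.0.2.5:1234 192.0.2.1:22 in via fxp0
ipfw: 100 Deny TCP 192.0.2.5:1235 192.0.2.1:22 in via fxp0
ipfw: 100 Deny TCP 192.0.2.5:1235 192.0.2.1:22 in via fxp0
ipfw: 100 Deny TCP 192.0.2.5:1235 192.0.2.1:22 in via fxp0
fxp0: promiscuous mode enabled
ipfw: 100 Deny TCP 192.0.2.5:1235 192.0.2.1:22 in via fxp0
EOF

# Lines that are new since the last run: diff marks them with a leading "> ".
new_lines() {
    diff -b "$1" "$2" | grep -E '^>' | sed -e 's/^> //'
}

# The PR's proposal: total count per distinct message, most frequent first.
# Sorting first means identical messages are counted wherever they occurred,
# but the sequence in which the kernel logged them is lost.
report_counted() {
    new_lines "$1" "$2" | sort | uniq -c | sort -rn
}

# Leo Bicknell's variant: collapse only adjacent repeats, keeping the order.
# The same message split by an unrelated line shows up as two separate runs.
report_ordered() {
    new_lines "$1" "$2" | uniq -c
}

# Line count of a report, with the leading blanks BSD wc prints removed.
report_lines() {
    "$1" "$2" "$3" | wc -l | tr -d ' '
}

if [ "${DEMO:-1}" = 1 ]; then
    echo "== counted (order lost) =="
    report_counted "$WORK/dmesg.yesterday" "$WORK/dmesg.today"
    echo "== ordered (adjacent runs only) =="
    report_ordered "$WORK/dmesg.yesterday" "$WORK/dmesg.today"
fi
```

With a freshly rebooted machine the `diff` shows every line of the new buffer as added, so both variants list the whole boot log; the counting only helps once the two snapshots share a common prefix.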
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: johan 
Responsible-Changed-When: Mon Aug 19 12:07:17 PDT 2002 
Responsible-Changed-Why:  
Over to our periodic guru. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18587 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Tue Jun 29 10:09:29 GMT 2004 
State-Changed-Why:  
I'm afraid I can't see why running output through uniq -c or various 
invocations of sort would improve the output... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18587 
>Unformatted:
