jtmoon79 / super-speedy-syslog-searcher

Speedily search and merge log messages by datetime
MIT License

parsing FreeBSD `utx.lastlogin` fails #107

Open jtmoon79 opened 1 year ago

jtmoon79 commented 1 year ago

Summary

FreeBSD 13 file /var/log/utx.lastlogin is not processed by s4. Error message:

ERROR: find_entry(0) failed; buffer of len 280 given too little data 197 for "/var/log/utx.lastlogin"

I suspect it's an older version of the UTMPX format, like UTMP.

Current behavior

$ s4 /var/log/utx.lastlogin  -s
ERROR: find_entry(0) failed; buffer of len 280 given too little data 197 for "/var/log/utx.lastlogin"

Files:

File: /var/log/utx.lastlogin
  About:
      filetype      : UTMP
      logmessagetype: utmpx entries
      MIME guess    : MimeGuess([])
  Printed:
      bytes         : 0
      utmpx         : 0
  Processed:
      file size     : 197 (0xC5) (bytes)
      bytes         : 197 (0xC5)
      bytes total   : 197 (0xC5)
      block size    : 65535 (0xFFFF)
      blocks        : 1
      blocks total  : 1
      blocks high   : 1
      utmpx         : 0
      utmpx high    : 0
  Processing Stores:
      storage: UtmpxReader::find_entry()                           : hit 0, miss 1,  0.0%
      storage: BlockReader::read_block() blocks                    : hit 0, miss 1,  0.0%, put 1
      caching: BlockReader::read_block() LRU cache                 : hit 0, miss 1,  0.0%, put 1
  Processing Drops:
      streaming: BlockReader::drop_block()    : Ok 0, Err 0
      streaming: UtmpxReader::drop_entry()    : Ok 0, Err 0
  Error: buffer of len 280 given too little data 197

Program Summary:

Paths considered      : 1
Paths not processed   : 0
Files processed       : 1
Files printed         : 0
Printed bytes         : 0
Printed lines         : 0
Printed syslines      : 0
Printed utmpx         : 0
Printed evtx events   : 0
Printed journal events: 0
Datetime filter -a    :
Datetime printed first:
Datetime printed last :
Datetime filter -b    :
Datetime Now          : 2023-04-22T22:59:00-07:00 (2023-04-23T05:59:00+00:00)
Channel Receive ok    : 1
Channel Receive err   : 0
jtmoon79 commented 1 year ago

File

$ ./tools/hexdump.py utx.lastlogin
0x04, 0x00, 0x05, 0xf9, 0xf3, 0xc5, 0x0f, 0x1e,
0x27, 0x70, 0x74, 0x73, 0x2f, 0x30, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x99, 0x72, 0x6f, 0x6f,
0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x74, 0x73,
0x2f, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x62, 0x6f,
0x6f, 0x2e, 0x62, 0x6f, 0x6f, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00,
printed 197 bytes
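The 197-byte file above decodes cleanly as one FreeBSD on-disk utmpx record. As an added example (not code from s4 or from FreeBSD), the parser below assumes the packed, big-endian `struct futx` layout from FreeBSD's libc/gen/utxdb.h, whose 197-byte size matches the file exactly; the names Futx, parse_futx and sample_record are this example's own.

```rust
// Added example (not s4 code): decode one FreeBSD on-disk utmpx record.
// Layout assumed from FreeBSD libc/gen/utxdb.h `struct futx`, packed, big-endian:
// type u8, tv u64 (usec since epoch), id[8], pid u32, user[32], line[16], host[128].
pub const FUTX_LEN: usize = 197;
#[derive(Debug)]
pub struct Futx {
    pub ut_type: u8, // 4 = USER_PROCESS on FreeBSD
    pub tv_usec: u64,
    pub id: String,
    pub pid: u32,
    pub user: String,
    pub line: String,
    pub host: String,
}
/// Big-endian unsigned integer from a byte slice of up to 8 bytes.
fn be_uint(b: &[u8]) -> u64 {
    b.iter().fold(0u64, |acc, &x| (acc << 8) | u64::from(x))
}
/// NUL-terminated fixed-width field to String (lossy on non-UTF-8 bytes).
fn cstr(b: &[u8]) -> String {
    let end = b.iter().position(|&x| x == 0).unwrap_or(b.len());
    String::from_utf8_lossy(&b[..end]).into_owned()
}
/// Parse one record; a short buffer is an error, never an out-of-bounds read.
pub fn parse_futx(buf: &[u8]) -> Result<Futx, String> {
    if buf.len() < FUTX_LEN {
        return Err(format!("need {} bytes, got {}", FUTX_LEN, buf.len()));
    }
    Ok(Futx {
        ut_type: buf[0],
        tv_usec: be_uint(&buf[1..9]),
        id: cstr(&buf[9..17]),
        pid: be_uint(&buf[17..21]) as u32,
        user: cstr(&buf[21..53]),
        line: cstr(&buf[53..69]),
        host: cstr(&buf[69..FUTX_LEN]),
    })
}
/// Constructed sample: the hexdump above rebuilt field by field (padding collapsed).
pub fn sample_record() -> Vec<u8> {
    let mut v = vec![0x04u8, 0x00, 0x05, 0xf9, 0xf3, 0xc5, 0x0f, 0x1e, 0x27];
    v.extend_from_slice(b"pts/0\0\0\0\0\0\x04\x99root"); // id, pid, user
    v.resize(53, 0);
    v.extend_from_slice(b"pts/0"); // line
    v.resize(69, 0);
    v.extend_from_slice(b"uboo.boo"); // host
    v.resize(FUTX_LEN, 0);
    v
}
```

The timestamp field is microseconds since the epoch; the sample decodes to 1682200262 seconds (2023-04-22T21:51:02Z), a few hours before the "Datetime Now" shown in the first comment, which is a quick sanity check that the assumed layout is right.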
jtmoon79 commented 1 year ago

Similar context to #103.