From owner-freebsd-questions@FreeBSD.ORG Sun Aug 17 22:50:21 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 2AA6537B401
    for ; Sun, 17 Aug 2003 22:50:21 -0700 (PDT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 6F4A343FA3
    for ; Sun, 17 Aug 2003 22:50:20 -0700 (PDT)
    (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
    by dan.emsphone.com (8.12.9/8.12.9) id h7I5oJe8007547;
    Mon, 18 Aug 2003 00:50:19 -0500 (CDT)
    (envelope-from dan)
Date: Mon, 18 Aug 2003 00:50:19 -0500
From: Dan Nelson
To: Kris Kennaway
Message-ID: <20030818055019.GF2653@dan.emsphone.com>
References: <20030818052132.GA70374@rot13.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030818052132.GA70374@rot13.obsecurity.org>
X-OS: FreeBSD 5.1-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.4i
cc: freebsd-questions@freebsd.org
cc: Ralph Dratman
Subject: Re: Fragments of kernel log text in "security run" message
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 18 Aug 2003 05:50:21 -0000

In the last episode (Aug 17), Kris Kennaway said:
> On Sun, Aug 17, 2003 at 10:39:49PM -0400, Ralph Dratman wrote:
>
> > Recently, though, I've been seeing small fragments of text in the
> > "kernel log" portion of that report. This happens almost every day
> > now. Following are a few examples. There is just one fragment per
> > report.
> > ---------------------------------
> > kq9.net kernel log messages:
> > >copeid 0x4
> >
> > kq9.net kernel log messages:
> > >8>.
>
> I get this as well on RELENG_4...I wish I knew why. Often it causes
> syslogd to log it at LOG_EMERG priority (=spams every logged in user
> with the truncated message).

I think this happens after the kernel's message buffer starts rolling
over. The very first line in the dmesg output sometimes gets cut in
half, so diff prints it as a change block, and the security script
prints the "add" portion. Maybe the check_diff function should remove
the first line of the dmesg output before doing the diff?

--
Dan Nelson
dnelson@allantgroup.com
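The effect described in the reply above, reproduced as an added example that is not part of the original message and is not the FreeBSD periodic script's own code. Here `tail -c` stands in for a fixed-size kernel message buffer; the messages, the 100-byte buffer size and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all messages and sizes below are constructed.
MSGS='fxp0: link state changed to DOWN
fxp0: link state changed to UP
ad0: timeout waiting for interrupt
pid 412 (httpd), uid 80: exited on signal 11
swap_pager: out of swap space'

# snapshot COUNT BYTES: dmesg-like view after COUNT messages have been
# logged into a buffer that retains only the newest BYTES bytes.
snapshot() {
    printf '%s\n' "$MSGS" | head -n "$1" | tail -c "$2"
}

# added_lines OLD NEW: lines diff reports as added (a stand-in for the
# "new kernel messages" check, not the actual script).
added_lines() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# added_lines_skip_first OLD NEW: same comparison after dropping line 1
# of each snapshot, which may be a partial line once the buffer wraps.
added_lines_skip_first() {
    old=$(mktemp) new=$(mktemp)
    sed 1d "$1" > "$old"
    sed 1d "$2" > "$new"
    diff "$old" "$new" | sed -n 's/^> //p'
    rm -f "$old" "$new"
}

WORK=$(mktemp -d)
snapshot 4 100 > "$WORK/dmesg.yesterday"   # starts mid-line: "state changed to UP"
snapshot 5 100 > "$WORK/dmesg.today"       # starts mid-line: "ut waiting for interrupt"

echo "naive diff reports:"
added_lines "$WORK/dmesg.yesterday" "$WORK/dmesg.today"
echo "after dropping the first line:"
added_lines_skip_first "$WORK/dmesg.yesterday" "$WORK/dmesg.today"
```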