Index: /trunk/configure.ac =================================================================== --- /trunk/configure.ac (revision 580) +++ /trunk/configure.ac (revision 581) @@ -12,5 +12,5 @@ dnl start dnl -AM_INIT_AUTOMAKE(samhain, 4.5.0) +AM_INIT_AUTOMAKE(samhain, 4.5.1) AC_DEFINE([SAMHAIN], 1, [Application is samhain]) AC_CANONICAL_HOST Index: /trunk/docs/Changelog =================================================================== --- /trunk/docs/Changelog (revision 580) +++ /trunk/docs/Changelog (revision 581) @@ -1,2 +1,6 @@ +4.5.1 (08-09-2024): + * fix for regression in SHELL option for log file monitoring + (issue reported by ssha) + 4.5.0 (31-10-2023): * fix for reading file attributes on Linux file systems Index: /trunk/src/sh_log_check.c =================================================================== --- /trunk/src/sh_log_check.c (revision 580) +++ /trunk/src/sh_log_check.c (revision 581) @@ -852,5 +852,5 @@ entry = SH_ALLOC(sizeof(struct task_entry)); - status = sh_ext_popen_init (&(entry->task), logfile->filename, logfile->filename, NULL); + status = sh_ext_popen_init (&(entry->task), logfile->filename, NULL, NULL); if (0 == status) { Index: /trunk/test/testrc_1 =================================================================== --- /trunk/test/testrc_1 (revision 580) +++ /trunk/test/testrc_1 (revision 581) @@ -89,7 +89,54 @@ # dir=1/home/rainer -#[SuidCheck] -#SuidCheckActive=T +[SuidCheck] +SuidCheckActive=false #SuidCheckExclude=/home + +[ProcessCheck] +# +# Activate (default is on) +# +ProcessCheckActive = no + +[PortCheck] +# +# Activate (default is on) +# +PortCheckActive = no + + +[Logmon] + +# +# Switch on the module +# +LogmonActive = yes + +# Check every second +# +LogmonInterval = 1 + +# Strip PIDs from syslog messages +# +Logmonhidepid = true + +# Define a queue with severity 'crit'. +# This is a 'report' queue, hence 'interval' (10) +# will be ignored. +# +LogmonQueue = q1:10:report:crit + +# Monitor disks to check for full /dev/sda1 +# +LogmonWatch = SHELL:df -h + +# Warn about disk /dev/sda1 nearly full (80% or more. Use a +# non-capturing subexpression [the (?:8|9)] for the percentage full. +# +LogmonRule = q1:/dev/nvme1n1p4\s+[0-9GM.]+\s+[0-9GM.]+\s+[0-9GM.]+\s+(?:8|9).%.* + +LogmonDeadtime = 120 +LogmonRule = trash:.* + [EventSeverity]