Bug 1534504

Summary: sshd log format changed, lots of excess unmatched output showing up in logwatch
Product: Red Hat Enterprise Linux 7
Component: logwatch
Version: 7.3
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Keywords: Reopened
Target Milestone: rc
Hardware: All
OS: Linux
Reporter: Peter Bieringer <pb>
Assignee: Jan Synacek <jsynacek>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: extras-qa, frank, herrold, horsley1953, jjelen, jsynacek, rwahl, varekova
Doc Type: If docs needed, set a value
Clone Of: 1317620
Last Closed: 2018-01-16 08:25:11 UTC
Type: Bug
Bug Depends On: 1317620

Description Peter Bieringer 2018-01-15 11:42:34 UTC
At least on EL7.3 this is seen now also, current version:

logwatch-7.4.0-32.20130522svn140.el7.noarch

Storing /usr/share/logwatch/scripts/services/sshd from logwatch-7.4.3-6.fc27.noarch into /etc/logwatch/scripts/services/ on EL7.3 made the unexpected messages disappear

=> please push this change also to EL7.3 and later, thank you!


+++ This bug was initially created as a clone of Bug #1317620 +++

Description of problem:

After a recent openssh update, I started getting lots and lots of these
messages in logwatch mail:

 **Unmatched Entries**
 Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user : 1 time(s)
 Received disconnect from NN.NN.NN.NN port 42004:11: disconnected by user : 1 time(s)
 Disconnected from NN.NN.NN.NN port 42072 : 1 time(s)

Version-Release number of selected component (if applicable):
logwatch-7.4.1-5.20150731svn293.fc23.noarch


How reproducible:
100%

Steps to Reproduce:
1. Turn on logwatch
2. Update openssh-server
3. See extra messages start to appear

Actual results:
extra messages

Expected results:
logwatch quiet about perfectly normal activity like logging out.

Additional info:
openssh-server-7.2p2-1.fc23.x86_64

was (I think) the update that triggered this.

I don't know why there are two different format disconnect messages, but the bit that seems to confuse logwatch was adding the port number to the message.

--- Additional comment from Jakub Jelen on 2016-03-15 03:57 EDT ---

The issue was triggered by the openssh update. Full discussion on the users' list [1]. This is also an issue for Fedora 24 and rawhide, where the same update landed.

Can you have a look into this, or should I prepare complete dist-git patch?

[1] https://lists.fedoraproject.org/pipermail/users/2016-March/469353.html

--- Additional comment from Fedora Update System on 2016-03-15 07:44:48 EDT ---

logwatch-7.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

--- Additional comment from Fedora Update System on 2016-03-15 08:00:05 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

--- Additional comment from Fedora Update System on 2016-03-15 17:30:28 EDT ---

logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

--- Additional comment from Fedora Update System on 2016-03-16 11:23:13 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

--- Additional comment from Fedora Update System on 2016-03-19 22:24:37 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2016-03-26 14:07:20 EDT ---

logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Frank Crawford on 2016-03-29 23:09:31 EDT ---

This patch still has an issue in that it won't match the reason code, as the format of the message is missing the space before it and is now:

Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user

but the pattern match expects a space before the reason code:

^Received disconnect from ([^ ]*) port [^ ]*: (.*)$

Also, it appears that sshd also now adds an additional message:

Disconnect from NN.NN.NN.NN port 43966

as well, once the disconnect has been completed.
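
The mismatch described in the comment above, as an added example (not part of the bug report, and not logwatch code, whose sshd script is Perl): the quoted pattern matches the new line only by absorbing `:11` into the port field, so the reason code is never captured. `RECEIVED`, `CLOSED`, `parse` and the sample lines are hypothetical, and the pre-update line format is an assumption.

```python
import re

# Pattern exactly as quoted in the comment above.
QUOTED = re.compile(r"^Received disconnect from ([^ ]*) port [^ ]*: (.*)$")

# Hypothetical replacements (assumptions, not the shipped logwatch patterns):
# " port N" is optional, the space after the port's colon is optional, and
# the numeric reason code gets its own group. The host group is greedy so
# that IPv6 addresses (which contain colons) are not cut short.
RECEIVED = re.compile(
    r"^Received disconnect from (?P<host>[^ ]+)(?: port (?P<port>\d+))?"
    r": ?(?P<code>\d+): (?P<reason>.*)$")
# Both spellings of the follow-up message appear in this report.
CLOSED = re.compile(r"^Disconnect(?:ed)? from (?P<host>[^ ]+) port (?P<port>\d+)$")


def parse(line):
    """Classify one sshd message; return a dict, or None if unmatched."""
    m = RECEIVED.match(line)
    if m:
        port = int(m["port"]) if m["port"] else None
        return {"event": "received", "host": m["host"], "port": port,
                "code": int(m["code"]), "reason": m["reason"]}
    m = CLOSED.match(line)
    if m:
        return {"event": "closed", "host": m["host"], "port": int(m["port"])}
    return None


# Constructed sample lines; 192.0.2.0/24 is a documentation address range.
NEW = "Received disconnect from 192.0.2.10 port 43966:11: disconnected by user"
OLD = "Received disconnect from 192.0.2.10: 11: disconnected by user"  # assumed old format
DONE = "Disconnected from 192.0.2.10 port 42072"

if __name__ == "__main__":
    # [^ ]* swallows "43966:11", so group 2 holds the text without the code.
    print("quoted pattern captures:", QUOTED.match(NEW).groups())
    for line in (NEW, OLD, DONE, "Something else entirely"):
        print(parse(line))
```
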

--- Additional comment from Fedora Update System on 2017-09-01 07:53:43 EDT ---

logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbe77148ce

--- Additional comment from Fedora Update System on 2017-09-08 12:21:06 EDT ---

logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 2 Jakub Jelen 2018-01-15 11:46:23 UTC
AFAIK, this was already reported as bug #1422797, which handles this issue.

Comment 3 Peter Bieringer 2018-01-15 11:53:46 UTC
Thank you for the update, unfortunately, this particular bug is not visible to me (not authorized), therefore potentially not found in a search in advance...

Comment 4 Jan Synacek 2018-01-16 08:25:11 UTC
Bug #1422797 is an internal clone of this one. It has already passed the QA process and is scheduled to be in RHEL-7.5 if everything goes well.

*** This bug has been marked as a duplicate of bug 1422797 ***