Bug 234767
Field | Value
---|---
Summary | Unmatched Entries in mails since sysklogd 1.4.2-3/#223573
Product | [Fedora] Fedora
Component | logwatch
Version | rawhide
Reporter | Robert Scheck <redhat-bugzilla>
Assignee | Ivana Varekova <varekova>
Status | CLOSED RAWHIDE
Severity | medium
Priority | medium
Keywords | Reopened
Hardware | All
OS | Linux
Doc Type | Bug Fix
Last Closed | 2007-04-13 13:55:34 UTC

Description
Robert Scheck
2007-04-01 18:22:49 UTC

Fixed in logwatch-7.3.4-3.fc7.

Nope, not really, using logwatch-7.3.4-3 (installed on April 2nd), I got today this output within logwatch mail:

    --------------------- Connections (secure-log) Begin ------------------------
    **Unmatched Entries**
    Apr 4 08:11:00 tux sshd: Accepted password for robert from 192.168.0.29 port 64128 ssh2: 1 Time(s)
    Apr 4 08:22:04 tux sshd: Accepted password for robert from 192.168.0.29 port 64247 ssh2: 1 Time(s)
    Apr 4 08:36:35 tux sshd: Accepted password for robert from 192.168.0.29 port 64500 ssh2: 1 Time(s)
    ---------------------- Connections (secure-log) End -------------------------

Guessing the problem appears because of the two (!) spaces between time and the host name....

Please could you attach here the part of your /var/log/secure file which contains the "accepted password" logs. Perhaps there is a problem with spaces between the ip address and word port - but I'm not sure - there is a new line in the comment so I'm not sure about the precise structure of these logs. Thanks.

Created attachment 151867
Parts from /var/log/secure

It's attached to this bug report now. Thanks.

Fixed in logwatch-7.3.4-5.fc7.

No, it is NOT fixed. I've no clue what you did, but you didn't fix it correctly - sorry.

    --------------------- Connections (secure-log) Begin ------------------------
    **Unmatched Entries**
    Apr 11 18:32:45 tux sshd: Failed password for robert from 192.168.0.29 port 36689 ssh2: 1 Time(s)
    ---------------------- Connections (secure-log) End -------------------------

AND what is much more a problem, you are IGNORING the "useless" logs, which should be USED (instead of ignoring!) for the following section (SSHD) which is MISSING since bug #223573 was built into Rawhide:

    --------------------- SSHD Begin ------------------------
    Users logging in through sshd:
       tux:
          192.168.0.1 (server.tux.netz): 1 time
       robert:
          192.168.0.1 (server.tux.netz): 4 times
          192.168.0.29 (robert.tux.netz): 3 times
    ---------------------- SSHD End -------------------------

I'll re-open this bug report until the SSHD section is brought back... ;-)

I don't know what you tried to fix exactly, but I guess you didn't see the real problem I tried to show you, which unfortunately was introduced by sysklogd 1.4.2-3/#223573:

    Mar 29 07:04:04 tux sshd[19586]: ...
    Mar 29 07:04:05 tux sshd[19586]: ...
    Mar 29 07:13:57 tux su: ...
    Mar 29 09:18:28 tux sshd[5069]: ...
    Mar 29 09:18:28 tux sshd[5069]: ...
    Mar 29 15:47:04 tux sshd[5069]: ...

Hey and today, sysklogd 1.4.2-4/#223573 was built in Rawhide and oho...the logging behaviour luckily was changed back:

    Apr 12 20:19:37 tux su: ...
    Apr 12 20:28:13 tux su: ...
    Apr 12 20:28:15 tux su: ...
    Apr 12 20:36:09 tux sshd[25708]: ...
    Apr 12 20:36:09 tux sshd[25708]: ...
    Apr 12 20:36:10 tux sshd[25708]: ...

Okay, so I'm expecting now that you're reverting any fixes which were done to logrotate to solve this bug report...sorry ;-)

Yepp, verified a few seconds ago. Dropping Patch4 (logwatch-7.3.4-secure.patch) will fix the stuff and bring back the SSHD section within logwatch mail.

Patch logwatch-7.3.4-secure.patch removes the unmatched entries from secure service log - it is the right behavior - but you are right, these logs should be parsed in sshd service, so the last version logwatch-7.3.4-6.fc7 parsed them too. If there is any problem please reopen this bug.
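
The failure mode the reporter guesses at above (two spaces between the time and the host name), as an added example that is not part of the original report and is not logwatch's own code: a header pattern that expects exactly one space drops the sshd authentication lines into "unmatched", while a whitespace-tolerant one recovers the per-user login summary. The two patterns, the `summarize` helper and the sample lines (including the `su` message text and most PIDs) are constructed for illustration.

```python
import re
from collections import Counter

def header(sep):
    # Hypothetical syslog header pattern; `sep` is what must sit between
    # the time and the host name.
    return re.compile(
        r"^\w{3} [ \d]\d \d\d:\d\d:\d\d" + sep +
        r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

STRICT = header(" ")       # exactly one space: breaks on the two-space format
TOLERANT = header(r"\s+")  # any run of whitespace

LOGIN = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

# Constructed sample modelled on the lines quoted in this report. The first
# three use two spaces after the time, the last two use one.
SAMPLE = [
    "Apr 11 08:11:00  tux sshd[5069]: Accepted password for robert from 192.168.0.29 port 64128 ssh2",
    "Apr 11 08:22:04  tux sshd[5070]: Accepted password for robert from 192.168.0.29 port 64247 ssh2",
    "Apr 11 18:32:45  tux sshd[5071]: Failed password for robert from 192.168.0.29 port 36689 ssh2",
    "Apr 12 20:19:37 tux su: session opened for user root",
    "Apr 12 20:36:09 tux sshd[25708]: Accepted password for robert from 192.168.0.29 port 64500 ssh2",
]

def summarize(lines, header_re):
    """Return (Counter keyed by (result, user, ip), list of unmatched lines)."""
    counts, unmatched = Counter(), []
    for line in lines:
        m = header_re.match(line)
        if m is None:
            unmatched.append(line)   # header did not parse at all
            continue
        if m.group("prog") != "sshd":
            continue                 # another service's line, not ours
        login = LOGIN.match(m.group("msg"))
        if login is None:
            unmatched.append(line)   # sshd line we do not understand
            continue
        counts[(login["result"], login["user"], login["ip"])] += 1
    return counts, unmatched

if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
        counts, unmatched = summarize(SAMPLE, pattern)
        print(name, dict(counts), "unmatched:", len(unmatched))
```

A rising unmatched count right after a syslog daemon update is the signal to check the header format before trusting the login summary.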