Bug 1317620 - sshd log format changed, lots of excess unmatched output showing up in logwatch
Summary: sshd log format changed, lots of excess unmatched output showing up in logwatch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1534504
TreeView+ depends on / blocked
 
Reported: 2016-03-14 17:07 UTC by Tom Horsley
Modified: 2018-01-15 11:42 UTC (History)
6 users (show)

Fixed In Version: logwatch-7.4.1-6.20150731svn293.fc23 logwatch-7.4.2-2.fc24 logwatch-7.4.3-6.fc26
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1534504 (view as bug list)
Environment:
Last Closed: 2017-09-08 16:21:06 UTC


Attachments (Terms of Use)
proposed patch for the second issue (804 bytes, patch)
2016-03-15 07:57 UTC, Jakub Jelen
no flags Details | Diff

Description Tom Horsley 2016-03-14 17:07:26 UTC
Description of problem:

After a recent openssh update, I started getting lots and lots of these
messages in logwatch mail:

 **Unmatched Entries**
 Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user : 1 time(s)
 Received disconnect from NN.NN.NN.NN port 42004:11: disconnected by user : 1 time(s)
 Disconnected from NN.NN.NN.NN port 42072 : 1 time(s)

Version-Release number of selected component (if applicable):
logwatch-7.4.1-5.20150731svn293.fc23.noarch


How reproducible:
100%

Steps to Reproduce:
1.turn on logwatch
2.update openssh-server
3.see extra message start to appear

Actual results:
extra messages

Expected results:
logwatch quiet about perfectly normal activity like logging out.

Additional info:
openssh-server-7.2p2-1.fc23.x86_64

was (I think) the update that triggered this.

I don't know why there are two different format disconnect messages, but the bit that seems to confuse logwatch was adding the port number to the message.

Comment 1 Jakub Jelen 2016-03-15 07:57:39 UTC
Created attachment 1136417 [details]
proposed patch for the second issue

The issue was triggered by openssh update. Full discussion on users's list [1]. This is also issue for Fedora 24 and rawhide, where landed the same update.

Can you have a look into this, or should I prepare complete dist-git patch?

[1] https://lists.fedoraproject.org/pipermail/users/2016-March/469353.html

Comment 2 Fedora Update System 2016-03-15 11:44:48 UTC
logwatch-7.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

Comment 3 Fedora Update System 2016-03-15 12:00:05 UTC
logwatch-7.4.1-6.20150731svn293.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

Comment 4 Fedora Update System 2016-03-15 21:30:28 UTC
logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

Comment 5 Fedora Update System 2016-03-16 15:23:13 UTC
logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

Comment 6 Fedora Update System 2016-03-20 02:24:37 UTC
logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-03-26 18:07:20 UTC
logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Frank Crawford 2016-03-30 03:09:31 UTC
This patch still has a issue in that it won't match the reason code, as the format of the message is missing the space before it and is now:

Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user

but the pattern match expects a space before the reason code:

^Received disconnect from ([^ ]*) port [^ ]*: (.*)$

Also, it appears that sshd also now adds an additional message:

Disconnect from NN.NN.NN.NN port 43966

as well, once the disconnect has been completed.

Comment 9 Fedora Update System 2017-09-01 11:53:43 UTC
logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbe77148ce

Comment 10 Fedora Update System 2017-09-08 16:21:06 UTC
logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.