Description of problem: After a recent openssh update, I started getting lots and lots of these messages in logwatch mail: **Unmatched Entries** Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user : 1 time(s) Received disconnect from NN.NN.NN.NN port 42004:11: disconnected by user : 1 time(s) Disconnected from NN.NN.NN.NN port 42072 : 1 time(s) Version-Release number of selected component (if applicable): logwatch-7.4.1-5.20150731svn293.fc23.noarch How reproducible: 100% Steps to Reproduce: 1.turn on logwatch 2.update openssh-server 3.see extra message start to appear Actual results: extra messages Expected results: logwatch quiet about perfectly normal activity like logging out. Additional info: openssh-server-7.2p2-1.fc23.x86_64 was (I think) the update that triggered this. I don't know why there are two different format disconnect messages, but the bit that seems to confuse logwatch was adding the port number to the message.
Created attachment 1136417 [details] proposed patch for the second issue The issue was triggered by openssh update. Full discussion on users's list [1]. This is also issue for Fedora 24 and rawhide, where landed the same update. Can you have a look into this, or should I prepare complete dist-git patch? [1] https://lists.fedoraproject.org/pipermail/users/2016-March/469353.html
logwatch-7.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54
logwatch-7.4.1-6.20150731svn293.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096
logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54
logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096
logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This patch still has a issue in that it won't match the reason code, as the format of the message is missing the space before it and is now: Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user but the pattern match expects a space before the reason code: ^Received disconnect from ([^ ]*) port [^ ]*: (.*)$ Also, it appears that sshd also now adds an additional message: Disconnect from NN.NN.NN.NN port 43966 as well, once the disconnect has been completed.
logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbe77148ce
logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.