From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
There are some entries in the logwatch email which aren't so nice as they are; some of them could be left out:

 --------------------- pam_unix Begin ------------------------ 

 crond:
    Unknown Entries:
       session closed for user root: 25 Time(s)
       session opened for user root by (uid=0): 25 Time(s)

 gdm:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= : 1 Time(s)

 ---------------------- pam_unix End ------------------------- 

 --------------------- Cron Begin ------------------------ 

 **Unmatched Entries**
 STARTUP (V5.0)
 STARTUP (V5.0)

 ---------------------- Cron End ------------------------- 

 --------------------- dhcpd Begin ------------------------ 

 DHCP Server Listening On:
    LPF/eth1/00:e0:7d:c6:77:b7/192.168.0.0/24: 2 Time(s)
 (above is probably useful, don't know)

 Unknown Entries:
    Internet Systems Consortium DHCP Server V3.0.1: 2 Time(s)

 ---------------------- dhcpd End ------------------------- 

 --------------------- Connections (secure-log) Begin ------------- 

 **Unmatched Entries**
 userhelper[5695]: running '/sbin/poweroff' with root privileges on behalf of 'pt'

 ---------------------- Connections (secure-log) End-------------- 

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
Look into your local daily logwatch email. The description should be self-explanatory.

Additional info:
I also see this behaviour on my fc3 box. The problem with the pam_unix/crond entries does not appear on fc2. Maybe a misspelled regexp?

Extract of my logwatch mail with fc2:

[BEGIN]
 ################### LogWatch 5.2.2 (06/23/04) #################### 
        Processing Initiated: Fri Aug 20 09:05:26 2004
        Date Range Processed: yesterday
      Detail Level of Output: 0
           Logfiles for Host: patrice.moi.fr
 ################################################################ 
[...]
 --------------------- pam_unix Begin ------------------------ 

 su:
    Sessions Opened:
       (uid=0) -> postgres: 5 Time(s)
       patrice(uid=500) -> root: 1 Time(s)

 ---------------------- pam_unix End ------------------------- 
[END]
Created attachment 111656 [details]
Patch for matching pam_unix/crond entries correctly

Previously, logwatch searched for pam_unix/crond entries by matching the 'cron' service, but these entries use the 'crond' service. This patch corrects that.
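The service-name mismatch described in the comment above can be reproduced outside logwatch. The following Python script is an added example written for this page; it is not logwatch's pam_unix script and not part of the attached patch. It models the summariser as a table of known service names with exact comparison (an assumption about how logwatch 5.2.2 keyed its pam_unix section), rolls up "session opened/closed" lines for known services, and drops everything else into the service's "Unknown Entries" bucket, exactly the bucket the crond lines landed in. The sample log lines are constructed, and the `crond(pam_unix)[pid]:` tag is assumed to be the form pam_unix used on the reporter's Fedora Core 3 system.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not taken from the report). The "<service>(pam_unix)[pid]:"
# tag is assumed to be the Fedora Core 3-era pam_unix format; adjust if your logs differ.
SAMPLE_LOG = """\
Jan 10 04:02:01 host1 crond(pam_unix)[5312]: session opened for user root by (uid=0)
Jan 10 04:02:01 host1 crond(pam_unix)[5312]: session closed for user root
Jan 10 04:22:01 host1 crond(pam_unix)[5320]: session opened for user root by (uid=0)
Jan 10 04:22:02 host1 crond(pam_unix)[5320]: session closed for user root
Jan 10 08:15:30 host1 su(pam_unix)[6001]: session opened for user postgres by (uid=0)
Jan 10 08:15:31 host1 su(pam_unix)[6001]: session closed for user postgres
Jan 10 08:40:10 host1 su(pam_unix)[6044]: session opened for user root by patrice(uid=500)
Jan 10 09:00:12 host1 gdm(pam_unix)[2210]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
"""

# syslog prefix, then "<service>(pam_unix)[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.-]+)\(pam_unix\)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "by (uid=0)" has an empty actor name; "by patrice(uid=500)" carries one.
OPEN_RE = re.compile(r"^session opened for user (?P<user>\S+) by (?P<by>[^(\s]*)\(uid=(?P<uid>\d+)\)$")
CLOSE_RE = re.compile(r"^session closed for user (?P<user>\S+)$")

# Service names the summariser knows. The bug in the report: the table said
# "cron" while crond tags its lines "crond", so nothing matched.
BUGGY_SERVICES = frozenset({"cron", "su", "sshd", "gdm"})
FIXED_SERVICES = frozenset({"crond", "su", "sshd", "gdm"})


def summarize(log_text, known_services):
    """Roll pam_unix lines up the way a logwatch pam_unix section does.

    Session open/close lines for a known service are counted; every other
    line (unknown service or unknown message) goes to that service's
    "Unknown Entries" bucket. Returns plain dicts/Counters for inspection.
    """
    opened, closed = Counter(), Counter()
    unknown = defaultdict(Counter)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a pam_unix line; another section would own it
        service, msg = m.group("service"), m.group("msg")
        mo, mc = OPEN_RE.match(msg), CLOSE_RE.match(msg)
        if service in known_services and mo:
            actor = f"{mo.group('by')}(uid={mo.group('uid')})"
            opened[(service, actor, mo.group("user"))] += 1
        elif service in known_services and mc:
            closed[(service, mc.group("user"))] += 1
        else:
            unknown[service][msg] += 1
    return {"opened": opened, "closed": closed, "unknown": dict(unknown)}


def render(summary):
    """Format a summary in the style of a logwatch section."""
    out = ["--------------------- pam_unix Begin ------------------------", ""]
    services = sorted({s for s, *_ in summary["opened"]}
                      | {s for s, _ in summary["closed"]}
                      | set(summary["unknown"]))
    for svc in services:
        out.append(f" {svc}:")
        opens = [(a, u, n) for (s, a, u), n in summary["opened"].items() if s == svc]
        if opens:
            out.append("    Sessions Opened:")
            out += [f"       {a} -> {u}: {n} Time(s)" for a, u, n in sorted(opens)]
        unk = summary["unknown"].get(svc)
        if unk:
            out.append("    Unknown Entries:")
            out += [f"       {msg}: {n} Time(s)" for msg, n in sorted(unk.items())]
        out.append("")
    out.append("---------------------- pam_unix End -------------------------")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG, BUGGY_SERVICES)))  # crond lines under Unknown Entries
    print(render(summarize(SAMPLE_LOG, FIXED_SERVICES)))  # crond sessions rolled up
```

Run with the buggy table, the two crond sessions appear verbatim under "crond: Unknown Entries", which is the report's symptom; with "crond" in the table they collapse to a single "(uid=0) -> root: 2 Time(s)" line. The gdm authentication failure stays unmatched in both runs because no pattern for it exists, which is the other kind of "Unknown Entries" this thread keeps hitting.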
Hello, could you please try the latest logwatch version (logwatch-6.1.2-1)? This version should fix all these problems.

Ivana Varekova
The new version removed a lot of useless output, but there are some issues left, and there are some entries I have never seen before:

 --------------------- Selinux Audit Begin ------------------------ 

 *** Denials ***
    system_u system_u (file): 4 times

 **Unmatched Entries**
 audit: initializing netlink socket (disabled)
 audit(1119776774.666:1): initialized
 Init complete, audit pid set to: 1801
 The audit daemon is exiting.
 audit: initializing netlink socket (disabled)
 audit(1119799296.787:1): initialized
 Init complete, audit pid set to: 1799
 The audit daemon is exiting.

 ---------------------- Selinux Audit End ------------------------- 

 --------------------- Connections (secure-log) Begin ------------------------ 

 **Unmatched Entries**
 userhelper[10135]: pam_timestamp: updated timestamp file `/var/run/sudo/pt/unknown:root'
 userhelper[10139]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'pt'

 ---------------------- Connections (secure-log) End ------------------------- 

 --------------------- SSHD Begin ------------------------ 

 SSHD Killed: 2 Time(s)
 SSHD Started: 2 Time(s)

 Failed to bind:
    0.0.0.0 port 22 (Address already in use) : 2 Time(s)

 ---------------------- SSHD End ------------------------- 

 --------------------- XNTPD Begin ------------------------ 

 XNTPD Killed: 2 Time(s)
 XNTPD Started: 2 Time(s)

 Time Reset 2 times (total: -1.887680 s average: -0.943840 s)

 **Unmatched Entries**
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 3
 kernel time sync enabled 0001
 synchronized to LOCAL(0), stratum 10
 synchronized to 192.168.0.1, stratum 3
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 4
 kernel time sync enabled 0001
 synchronized to LOCAL(0), stratum 10
 synchronized to 192.168.0.1, stratum 4

 ---------------------- XNTPD End ------------------------- 

 --------------------- yum Begin ------------------------ 

 **Unmatched Entries**
 Erased: nvidia-glx
 Erased: kernel-module-nvidia-2.6.11-1.1369_FC4

 ---------------------- yum End ------------------------- 
Erased packages in yum logs are now correctly matched by logwatch-6.1.2-2.
Hello, thank you for your notice. Could you please test the latest logwatch (logwatch-6.1.2-4)? The "secure" service section should be fixed there. Please add a comment if there is any problem. The sshd section looks right; the XNTPD and Selinux Audit sections have not been fixed yet.
Hello, there is a change in the "sshd" section in the latest version (logwatch-6.1.2-5). This change should fix your problem with this section.
Hello, with logwatch-6.1.2-5 the line "0.0.0.0 port 22 (Address already in use) : 2 Time(s)" disappeared.
Hello, yes, this line was caused by bug 120302; I thought you were reporting that problem. Did you test the "secure" service changes? You reported problems in two remaining sections (XNTPD and Selinux Audit); these problems should still be present in logwatch-6.1.2-5 and they should be fixed.
Hello, the logwatch-6.1.2-6 version should fix your problem with the logwatch audit log output. The last problem is the xntpd section. Could you please attach your messages* log file containing the xntpd logs you mentioned?
The secure section seems to be OK. The sshd section looks like this:

 --------------------- SSHD Begin ------------------------ 

 SSHD Killed: 1 Time(s)
 SSHD Started: 1 Time(s)

 Failed to bind:

 ---------------------- SSHD End ------------------------- 

Selinux:

 --------------------- Selinux Audit Begin ------------------------ 

 Number of audit daemon starts: 1
 Number of audit daemon stops: 1

 **Unmatched Entries**
 audit(1128106720.074:21): SELinux: unrecognized netlink message type=1009 for sclass=49
 audit(1128106720.074:21): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfaf8260 a2=80510f8 a3=bfafe688 items=0 pid=6737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
 audit(1128106720.074:21): saddr=100000000000000000000000
 audit(1128106720.074:21): nargs=6 a0=3 a1=bfafc4ec a2=10 a3=0 a4=bfafe688 a5=c
 audit(1128106720.175:22): SELinux: unrecognized netlink message type=1009 for sclass=49
 audit(1128106720.175:22): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfaf8250 a2=80510f8 a3=bfafe678 items=0 pid=6737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
 audit(1128106720.175:22): saddr=100000000000000000000000
 audit(1128106720.175:22): nargs=6 a0=3 a1=bfafc4dc a2=10 a3=0 a4=bfafe678 a5=c

 ---------------------- Selinux Audit End ------------------------- 

xntpd is unchanged, of course. Thanks for taking the time to fix these problems!
Sorry, forgot the messages log.

xntpd logwatch for 2005-Sep-30:

 --------------------- XNTPD Begin ------------------------ 

 XNTPD Killed: 1 Time(s)
 XNTPD Started: 1 Time(s)

 **Unmatched Entries**
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 4

 ---------------------- XNTPD End --------------------- 

grep ntp /var/log/messages for 2005-Sep-30:

Sep 30 20:42:16 buero4 kernel: SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
Sep 30 20:42:20 buero4 ntpd[2204]: ntpd 4.2.0a Thu Apr 14 07:47:25 EDT 2005 (1)
Sep 30 20:42:20 buero4 ntpd[2204]: precision = 2.000 usec
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface wildcard, 0.0.0.0#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface wildcard, ::#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface lo, 127.0.0.1#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface eth0, 192.168.0.4#123
Sep 30 20:42:20 buero4 ntpd[2204]: kernel time sync status 0040
Sep 30 20:42:21 buero4 ntpd[2204]: frequency initialized 18.057 PPM from /var/lib/ntp/drift
Sep 30 20:45:37 buero4 ntpd[2204]: synchronized to LOCAL(0), stratum 10
Sep 30 20:45:37 buero4 ntpd[2204]: kernel time sync disabled 0041
Sep 30 20:46:39 buero4 ntpd[2204]: synchronized to 192.168.0.1, stratum 4
Sep 30 20:58:37 buero4 ntpd[2204]: ntpd exiting on signal 15
Hello, the problems with the sshd part and the Selinux audit part should be fixed in the latest version, logwatch-6.1.2-7. Could you please test this version? The other problem is fixed in the latest upstream version, so it will be fixed when the next stable logwatch version is released. Thanks for your help.
Hello, sshd and Selinux audit look good in logwatch-6.1.2-7.
The last problem, XNTPD, will be fixed in the next upstream version. I'm closing this bug. If there is any problem, feel free to reopen it.