Bug 141116 - daily logwatch mail for root has some Unknown and Unmatched Entries
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 3
Hardware/OS: i386 Linux
Priority: medium
Severity: low
Reported: 2004-11-29 09:11 EST by feily
Modified: 2007-11-30 17:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-10-07 02:48:36 EDT


Attachments
Patch for matching pam_unix/crond entries correctly (657 bytes, patch)
2005-03-04 05:06 EST, Patrice Le Gurun

Description feily 2004-11-29 09:11:41 EST

Description of problem:
There are some entries in the logwatch email which aren't so nice as
they are; some of them could be left out:

 --------------------- pam_unix Begin ------------------------ 

crond:
   Unknown Entries:
      session closed for user root: 25 Time(s)
      session opened for user root by (uid=0): 25 Time(s)

gdm:
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty=:0 ruser=
rhost= : 1 Time(s)
 ---------------------- pam_unix End -------------------------

--------------------- Cron Begin ------------------------ 

**Unmatched Entries**
STARTUP (V5.0)
STARTUP (V5.0)

 ---------------------- Cron End ------------------------- 

--------------------- dhcpd Begin ------------------------ 

DHCP Server Listening On:
   LPF/eth1/00:e0:7d:c6:77:b7/192.168.0.0/24: 2 Time(s)
           (above is probably useful, don't know)

Unknown Entries:
   Internet Systems Consortium DHCP Server V3.0.1: 2 Time(s)


 ---------------------- dhcpd End ------------------------- 

--------------------- Connections (secure-log) Begin -------------

**Unmatched Entries**
userhelper[5695]: running '/sbin/poweroff' with root privileges on
behalf of 'pt'

---------------------- Connections (secure-log) End--------------


Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
Look into your local daily logwatch email.
The description should be self-explanatory.

Additional info:
Comment 1 Patrice Le Gurun 2005-03-04 03:42:02 EST
I also have this behaviour on my fc3 box.
The problem with pam_unix/crond entries does not appear on fc2. Maybe
a misspelled regexp?

Extract of my logwatch mail with fc2:
[BEGIN]
################### LogWatch 5.2.2 (06/23/04) #################### 
       Processing Initiated: Fri Aug 20 09:05:26 2004
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: patrice.moi.fr
################################################################ 

[...]
--------------------- pam_unix Begin ------------------------ 

su:
   Sessions Opened:
      (uid=0) -> postgres: 5 Time(s)
      patrice(uid=500) -> root: 1 Time(s)


---------------------- pam_unix End ------------------------- 
[END]
Comment 2 Patrice Le Gurun 2005-03-04 05:06:38 EST
Created attachment 111656 [details]
Patch for matching pam_unix/crond entries correctly

Previously, logwatch searched for pam_unix/crond entries by matching the 'cron'
service. But these entries are using the 'crond' service. So this patch corrects
this.
Comment 3 Ivana Varekova 2005-06-27 10:06:27 EDT
Hello,
could you please try the latest logwatch version (logwatch-6.1.2-1)? This version
should fix all these problems.
Ivana Varekova
Comment 4 feily 2005-06-30 12:20:49 EDT
The new version removed a lot of useless output, but there are some issues left
and there are some entries I have never seen before:

 --------------------- Selinux Audit Begin ------------------------ 

 *** Denials ***
  system_u system_u (file): 4 times
 
 **Unmatched Entries** 
  audit: initializing netlink socket (disabled)
  audit(1119776774.666:1): initialized
  Init complete, audit pid set to: 1801
  The audit daemon is exiting.
  audit: initializing netlink socket (disabled)
  audit(1119799296.787:1): initialized
  Init complete, audit pid set to: 1799
  The audit daemon is exiting. 
 ---------------------- Selinux Audit End ------------------------- 

  
 --------------------- Connections (secure-log) Begin ------------------------ 

 
 **Unmatched Entries**
 userhelper[10135]: pam_timestamp: updated timestamp file
`/var/run/sudo/pt/unknown:root'
 userhelper[10139]: running '/usr/share/system-config-users/system-config-users'
with root privileges on behalf of 'pt'
 
 ---------------------- Connections (secure-log) End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 SSHD Killed: 2 Time(s)
 
 SSHD Started: 2 Time(s)
 
 Failed to bind:
    0.0.0.0 port 22 (Address already in use) : 2 Time(s)
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- XNTPD Begin ------------------------ 

 
 XNTPD Killed: 2 Time(s)
 
 XNTPD Started: 2 Time(s)
 
 Time Reset 2 times (total: -1.887680 s  average: -0.943840 s)
 
 **Unmatched Entries**
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 3
 kernel time sync enabled 0001
 synchronized to LOCAL(0), stratum 10
 synchronized to 192.168.0.1, stratum 3
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 4
 kernel time sync enabled 0001
 synchronized to LOCAL(0), stratum 10
 synchronized to 192.168.0.1, stratum 4
 
 ---------------------- XNTPD End ------------------------- 

 
 --------------------- yum Begin ------------------------ 
 
 **Unmatched Entries**
 Erased: nvidia-glx
 Erased: kernel-module-nvidia-2.6.11-1.1369_FC4
 
 ---------------------- yum End ------------------------- 
Comment 5 feily 2005-06-30 16:13:57 EDT
Erased packages in yum logs are now correctly matched by logwatch-6.1.2-2
Comment 6 Ivana Varekova 2005-09-19 09:37:24 EDT
Hello, thank you for your notice.
Could you please test the latest logwatch (logwatch-6.1.2-4)? The "secure" service
section should be fixed there. Please add a comment if there is any problem.
The sshd section looks right; the XNTPD and Selinux Audit sections were not fixed yet.
Comment 7 Ivana Varekova 2005-09-29 07:42:37 EDT
Hello,
there is a change in the "sshd" section in the latest version (logwatch-6.1.2-5). This
change should fix your problem with this section.
Comment 8 feily 2005-09-29 08:48:36 EDT
Hello,
with logwatch-6.1.2-5, the line

0.0.0.0 port 22 (Address already in use) : 2 Time(s)

disappeared.
Comment 9 Ivana Varekova 2005-09-29 09:24:36 EDT
Hello,
yes, this line was caused by bug 120302. I thought you reported this problem.
Did you test the "secure" service changes?
You reported problems in two remaining sections (XNTPD and Selinux Audit); these
problems should still be present in logwatch-6.1.2-5, and they should be fixed.
Comment 10 Ivana Varekova 2005-09-30 05:06:49 EDT
Hello, the logwatch-6.1.2-6 version should fix your problem with the logwatch audit
log output.
The last problem is the xntpd section. Could you please attach your message* log
file containing the xntpd logs you mentioned?
Comment 11 feily 2005-10-01 11:22:53 EDT
The secure section seems to be ok.
The sshd section looks like this:

--------------------- SSHD Begin ------------------------ 

 
 SSHD Killed: 1 Time(s)
 
 SSHD Started: 1 Time(s)
 
 Failed to bind:
 
 ---------------------- SSHD End ------------------------- 

Selinux:
--------------------- Selinux Audit Begin ------------------------ 

  Number of audit daemon starts: 1 
 
  Number of audit daemon stops: 1 
 
 **Unmatched Entries** 
  audit(1128106720.074:21): SELinux:  unrecognized netlink message type=1009 for
sclass=49
  audit(1128106720.074:21): arch=40000003 syscall=102 success=no exit=-22 a0=b
a1=bfaf8260 a2=80510f8 a3=bfafe688 items=0 pid=6737 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
  audit(1128106720.074:21): saddr=100000000000000000000000
  audit(1128106720.074:21): nargs=6 a0=3 a1=bfafc4ec a2=10 a3=0 a4=bfafe688 a5=c
  audit(1128106720.175:22): SELinux:  unrecognized netlink message type=1009 for
sclass=49
  audit(1128106720.175:22): arch=40000003 syscall=102 success=no exit=-22 a0=b
a1=bfaf8250 a2=80510f8 a3=bfafe678 items=0 pid=6737 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
  audit(1128106720.175:22): saddr=100000000000000000000000
  audit(1128106720.175:22): nargs=6 a0=3 a1=bfafc4dc a2=10 a3=0 a4=bfafe678 a5=c
 
 ---------------------- Selinux Audit End ------------------------- 

xntpd is unchanged, of course.
Thanks for taking the time to fix these problems!
Comment 12 feily 2005-10-01 11:29:42 EDT
Sorry, forgot the messages log.

xntpd logwatch for 2005-Sep-30:
--------------------- XNTPD Begin ------------------------ 

 
 XNTPD Killed: 1 Time(s)
 
 XNTPD Started: 1 Time(s)
 
 **Unmatched Entries**
 Listening on interface wildcard, 0.0.0.0#123
 Listening on interface wildcard, ::#123
 Listening on interface lo, 127.0.0.1#123
 Listening on interface eth0, 192.168.0.4#123
 kernel time sync status 0040
 synchronized to LOCAL(0), stratum 10
 kernel time sync disabled 0041
 synchronized to 192.168.0.1, stratum 4
 
 ---------------------- XNTPD End ---------------------  

grep ntp /var/log/messages for 2005-Sep-30:

Sep 30 20:42:16 buero4 kernel: SELinux: initialized (dev eventpollfs, type
eventpollfs), uses genfs_contexts
Sep 30 20:42:20 buero4 ntpd[2204]: ntpd 4.2.0a@1.1190-r Thu Apr 14 07:47:25 EDT
2005 (1)
Sep 30 20:42:20 buero4 ntpd[2204]: precision = 2.000 usec
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface wildcard, 0.0.0.0#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface wildcard, ::#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface lo, 127.0.0.1#123
Sep 30 20:42:20 buero4 ntpd[2204]: Listening on interface eth0, 192.168.0.4#123
Sep 30 20:42:20 buero4 ntpd[2204]: kernel time sync status 0040
Sep 30 20:42:21 buero4 ntpd[2204]: frequency initialized 18.057 PPM from
/var/lib/ntp/drift
Sep 30 20:45:37 buero4 ntpd[2204]: synchronized to LOCAL(0), stratum 10
Sep 30 20:45:37 buero4 ntpd[2204]: kernel time sync disabled 0041
Sep 30 20:46:39 buero4 ntpd[2204]: synchronized to 192.168.0.1, stratum 4
Sep 30 20:58:37 buero4 ntpd[2204]: ntpd exiting on signal 15
Comment 13 Ivana Varekova 2005-10-03 09:58:22 EDT
Hello,
the problem with the sshd part and the Selinux audit part should be fixed in the latest
version, logwatch-6.1.2-7. Could you please test this version?
The next problem is fixed in the latest upstream version, so it will be
fixed when the next stable logwatch version is released.
Thanks for your help.
Comment 14 feily 2005-10-07 02:06:47 EDT
Hello,
sshd and Selinux audit look good in logwatch-6.1.2-7.
Comment 15 Ivana Varekova 2005-10-07 02:48:36 EDT
The last problem, XNTPD, will be fixed in the next upstream version. I'm closing
this bug.
If there is any problem, feel free to reopen it.
