Bug 1534504 - sshd log format changed, lots of excess unmatched output showing up in logwatch
Summary: sshd log format changed, lots of excess unmatched output showing up in logwatch
Keywords:
Status: CLOSED DUPLICATE of bug 1422797
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: logwatch
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jan Synacek
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On: 1317620
Blocks:
Reported: 2018-01-15 11:42 UTC by Peter Bieringer
Modified: 2018-01-16 08:25 UTC
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1317620
Environment:
Last Closed: 2018-01-16 08:25:11 UTC
Target Upstream Version:



Description Peter Bieringer 2018-01-15 11:42:34 UTC
At least on EL7.3 this is now seen as well; current version:

logwatch-7.4.0-32.20130522svn140.el7.noarch

Storing /usr/share/logwatch/scripts/services/sshd from logwatch-7.4.3-6.fc27.noarch into /etc/logwatch/scripts/services/ on EL7.3 makes the unexpected messages disappear.

=> please push this change also to EL7.3 and later, thank you!


+++ This bug was initially created as a clone of Bug #1317620 +++

Description of problem:

After a recent openssh update, I started getting lots and lots of these
messages in logwatch mail:

 **Unmatched Entries**
 Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user : 1 time(s)
 Received disconnect from NN.NN.NN.NN port 42004:11: disconnected by user : 1 time(s)
 Disconnected from NN.NN.NN.NN port 42072 : 1 time(s)

Version-Release number of selected component (if applicable):
logwatch-7.4.1-5.20150731svn293.fc23.noarch


How reproducible:
100%

Steps to Reproduce:
1. turn on logwatch
2. update openssh-server
3. see extra messages start to appear

Actual results:
extra messages

Expected results:
logwatch quiet about perfectly normal activity like logging out.

Additional info:
openssh-server-7.2p2-1.fc23.x86_64

was (I think) the update that triggered this.

I don't know why there are two different format disconnect messages, but the bit that seems to confuse logwatch was adding the port number to the message.

--- Additional comment from Jakub Jelen on 2016-03-15 03:57 EDT ---

The issue was triggered by the openssh update. Full discussion on the users' list [1]. This is also an issue for Fedora 24 and rawhide, where the same update landed.

Can you have a look into this, or should I prepare complete dist-git patch?

[1] https://lists.fedoraproject.org/pipermail/users/2016-March/469353.html

--- Additional comment from Fedora Update System on 2016-03-15 07:44:48 EDT ---

logwatch-7.4.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

--- Additional comment from Fedora Update System on 2016-03-15 08:00:05 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

--- Additional comment from Fedora Update System on 2016-03-15 17:30:28 EDT ---

logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ee1a145a54

--- Additional comment from Fedora Update System on 2016-03-16 11:23:13 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-edde0e9096

--- Additional comment from Fedora Update System on 2016-03-19 22:24:37 EDT ---

logwatch-7.4.1-6.20150731svn293.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2016-03-26 14:07:20 EDT ---

logwatch-7.4.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Frank Crawford on 2016-03-29 23:09:31 EDT ---

This patch still has an issue in that it won't match the reason code, as the format of the message is missing the space before it and is now:

Received disconnect from NN.NN.NN.NN port 43966:11: disconnected by user

but the pattern match expects a space before the reason code:

^Received disconnect from ([^ ]*) port [^ ]*: (.*)$

Also, it appears that sshd also now adds an additional message:

Disconnect from NN.NN.NN.NN port 43966

as well, once the disconnect has been completed.

--- Additional comment from Fedora Update System on 2017-09-01 07:53:43 EDT ---

logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbe77148ce

--- Additional comment from Fedora Update System on 2017-09-08 12:21:06 EDT ---

logwatch-7.4.3-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
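
The two format changes discussed above (the original description's "Received disconnect ... port N:11: ..." lines and Frank Crawford's point about the pattern expecting a space before the reason code) can be checked directly. The following is an added example written for this page, not logwatch's own Perl service script and not the fix that shipped in any of the updates listed: it runs the pattern quoted in the bug and a corrected pair of patterns over constructed sample lines and mimics logwatch's per-service summary with its **Unmatched Entries** section. The sample lines are made up (they reuse the port numbers from the report with a documentation IP range); the pre-7.2 form "Received disconnect from HOST: CODE: REASON" is assumed, not quoted on the page; the corrected regexes and the function names are this example's own.

```python
import re

# Constructed sample lines (not taken from the reporter's hosts). The first
# three mirror the post-OpenSSH-7.2 formats quoted in the bug; the fourth is
# the assumed pre-7.2 format; the last is an unrelated sshd line.
SAMPLE_LINES = [
    "Received disconnect from 198.51.100.7 port 43966:11: disconnected by user",
    "Received disconnect from 198.51.100.7 port 42004:11: disconnected by user",
    "Disconnected from 198.51.100.7 port 42072",
    "Received disconnect from 198.51.100.9: 11: disconnected by user",  # assumed pre-7.2 form
    "Accepted publickey for alice from 198.51.100.7 port 43966 ssh2",
]

# The pattern quoted in the bug. It does match the new line, but only by letting
# "[^ ]*" swallow "43966:11" as the port, so the reason code 11 never reaches the
# reason group; it also does not match the "Disconnected from" line at all.
QUOTED_RECEIVED = re.compile(r"^Received disconnect from ([^ ]*) port [^ ]*: (.*)$")

# Corrected patterns (this example's own, not logwatch's):
#   - " port N" is optional, so the assumed pre-7.2 form still matches;
#   - whitespace after the colon is optional, so "43966:11:" splits into port 43966, code 11;
#   - "Disconnect from" / "Disconnected from" (both spellings appear in the bug) get their own pattern.
NEW_RECEIVED = re.compile(
    r"^Received disconnect from (?P<host>\S+)(?: port (?P<port>\d+))?:\s*"
    r"(?:(?P<code>\d+):\s*)?(?P<reason>.*)$"
)
NEW_DISCONNECTED = re.compile(
    r"^Disconnect(?:ed)? from (?P<host>\S+)(?: port (?P<port>\d+))?$"
)


def parse_quoted(line):
    """Apply the pattern quoted in the bug; port and code cannot be recovered."""
    m = QUOTED_RECEIVED.match(line)
    if not m:
        return None
    return {"event": "received_disconnect", "host": m.group(1),
            "port": None, "code": None, "reason": m.group(2)}


def parse_new(line):
    """Apply the corrected patterns; returns an event dict or None if unmatched."""
    m = NEW_RECEIVED.match(line)
    if m:
        return {"event": "received_disconnect", "host": m.group("host"),
                "port": m.group("port"), "code": m.group("code"),
                "reason": m.group("reason")}
    m = NEW_DISCONNECTED.match(line)
    if m:
        return {"event": "disconnected", "host": m.group("host"),
                "port": m.group("port"), "code": None, "reason": None}
    return None


def summarize(lines, parser):
    """Mimic the logwatch summary: count events by (event, host, code, reason),
    ignoring the per-connection port, and collect everything else as unmatched."""
    counts = {}
    unmatched = []
    for line in lines:
        parsed = parser(line)
        if parsed is None:
            unmatched.append(line)
            continue
        key = (parsed["event"], parsed["host"], parsed["code"], parsed["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts, unmatched


if __name__ == "__main__":
    for name, parser in (("pattern quoted in the bug", parse_quoted),
                         ("corrected patterns", parse_new)):
        counts, unmatched = summarize(SAMPLE_LINES, parser)
        print(f"--- {name} ---")
        for key, n in counts.items():
            print(f"  {key}: {n} time(s)")
        print("  **Unmatched Entries**")
        for line in unmatched:
            print(f"    {line}")
```

With the quoted pattern, the two "Received disconnect" lines are counted but their reason comes back as "disconnected by user" with the code lost, and the "Disconnected from" line and the pre-7.2 line both fall into Unmatched Entries; with the corrected patterns only the unrelated "Accepted publickey" line remains unmatched. The per-connection port is deliberately kept out of the summary key, since counting by port would defeat the "N time(s)" aggregation that makes the report readable.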

Comment 2 Jakub Jelen 2018-01-15 11:46:23 UTC
AFAIK, this was already reported as a bug #1422797, which handles this issue.

Comment 3 Peter Bieringer 2018-01-15 11:53:46 UTC
Thank you for the update. Unfortunately, this particular bug is not visible to me (not authorized), and therefore it could not be found in a search in advance...

Comment 4 Jan Synacek 2018-01-16 08:25:11 UTC
Bug #1422797 is an internal clone of this one. It has already passed the QA process and is scheduled to be in RHEL-7.5 if everything goes well.

*** This bug has been marked as a duplicate of bug 1422797 ***