Description of problem:
The rule for "failed login" in the ssh section does not match all entries. This seems to be a side effect of the fix for 139606.

Version-Release number of selected component (if applicable):
logwatch-6.0.1-2

How reproducible:
Always

Actual results:
Failed logins from these:
   admin/password from ::ffff:212.12.131.2: 2 Time(s)
   guest/password from ::ffff:212.12.131.2: 2 Time(s)
   info/password from ::ffff:212.12.131.2: 1 Time(s)

**Unmatched Entries**
Failed password for root from ::ffff:212.12.131.2 port 44602 ssh2
Failed password for mysql from ::ffff:212.12.131.2 port 45302 ssh2
Failed password for ftp from ::ffff:212.12.131.2 port 54963 ssh2
Failed password for root from ::ffff:212.12.131.2 port 55265 ssh2
(Some lines snipped)

Expected results:
Failed logins from these:
   admin/password from ::ffff:212.12.131.2: 2 Time(s)
   apache/password from ::ffff:212.12.131.2: 1 Time(s)
   ftp/password from ::ffff:212.12.131.2: 1 Time(s)
   mysql/password from ::ffff:212.12.131.2: 1 Time(s)
   root/password from ::ffff:212.12.131.2: 4 Time(s)
(Some lines snipped)

Additional info:
This patch fixes the rule:

--- ../../scripts.bak/services/sshd 2005-05-19 15:12:12.000000000 +0100 +++ sshd 2005-06-28 20:21:18.000000000 +0100 @@ -112,7 +112,7 @@ } else { $Users{$2}{$3}{"(all)"}++; } - } elsif ( $ThisLine =~ m/^Failed (\S+) for (invalid user )(\S+) from ([^ ] +) port (\d+)/ ) { #openssh + } elsif ( $ThisLine =~ m/^Failed (\S+) for (invalid user )?(\S+) from ([^ ] +) port (\d+)/ ) { #openssh if ( $Debug >= 5 ) { print STDERR "DEBUG: Found -Failed login- line\n"; }
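Review bot: In the `+` line, `(invalid user )?` is still a capturing group, so `$2` is now undefined whenever the line is for an existing account (for example "Failed password for root from ..."), and both kinds of failure fall into the same branch. Keeping the group capturing does preserve the meaning of `$3`, `$4` and `$5`, which is the right call for a one-character fix, but if the branch body beyond the visible context reads `$2`, or if the report should separate failed logins for real accounts from probes for nonexistent ones, test `defined $2` there. Separately, the pattern as pasted in this comment reads `([^ ] +)` with a space before the `+`, in both the `-` and the `+` line; taken literally that requires one non-space character followed by spaces and cannot match `::ffff:212.12.131.2 port`, so it looks like line-wrap damage in the comment. Apply the attached file rather than copying the inline text.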
Created attachment 116082: Rule correction
This bug is fixed in the last version (logwatch-6.1.2-2).