logwatch.noarch 7.11-1.fc41 fedora fails to appropriately process some sshd log lines, e.g.

sshd-session: Disconnected from user $USER $IP port \d*

and

sshd-session: Received disconnect from $IP port \d*:\d*: disconnected by user

entries are counted individually "1 Time(s)", not say "100 Time(s)".

Reproducible: Always

Steps to Reproduce:
1. run logwatch
2. watch for output like: sshd-session: Disconnected from user $USER $IP port \d*
3. if you do lots of, say, rsyncs or ssh connections you get lots of similar lines that would normally be summarised.

Actual Results:
100 ssh connections by the same user from the same IP result in 100 logwatch lines.
sshd-session: Disconnected from user $USER $IP port \d*: 1 Time(s)

Expected Results:
100 ssh connections by the same user from the same IP result in 1 logwatch line like,
sshd-session: Disconnected from user $USER $IP port \d*: 100 Time(s)

Occurred in transition from FC40 to FC41
Out of interest, do you know if this also in FC40, or just in FC41?
Only in FC41.
This is actually a bit strange, as the sshd-session: Disconnected from user $USER $IP port \d* message is supposed to be suppressed and so not counted or printed. Although sshd-session: Received disconnect from $IP port \d*:\d*: disconnected by user is counted, in certain cases. I haven't yet upgraded to FC41, but will shortly and see what I can find, as I suspect that there is a minor difference in the FC41 version of sshd that doesn't quite match. Also, is the count listed under the "**Unmatched Entries**" header, or under the "Received disconnect:" header?
Ahh, I think I've found most of the issue: you report the service name is "sshd-session", but the current RPM only matches "sshd", not "sshd-session", which was introduced in OpenSSH 9.8. There is a fix upstream for it which I will pull soon and get it out, although a quick test is to change the line in /usr/share/logwatch/default.conf/services/sshd.conf from:

*OnlyService = sshd

to

*OnlyService = (sshd|sshd-session)

(Note there are standard ways to fix this; what I suggest is just a quick test.)
Yes, I think the real problem is sshd changing its logging format without telling logwatch... Not that they have to but... Reminds me of a song, "Wouldn't it be nice..." :-) Do you mean create a new "service" file for sshd-session in /usr/share/logwatch/default.conf/services/ ?
No, because the file name matches the script run, which in this case is sshd. So, it is edit the sshd.conf file, as the line *OnlyService lists the matching services to pull out of the file or journalctl. Currently it only matches sshd, which is what older versions of OpenSSH listed, but it looks like recently they have added sshd-session, so we need to add that to the matches.
Oops sorry - you asked, "Also, is the count listed under "**Unmatched Entries**" header, or under "Received disconnect:" header?" It's between

--------------------- Connections (secure-log) Begin ------------------------

&

---------------------- Connections (secure-log) End -------------------------
Okay, that adds an extra minor item to sort out. We need to add sshd-session to the secure.conf file as well, but to the $ignore_services line. I'll have to add something about it shortly.
Sorry Frank, I've been rather caught up with too many other jobs - ah, retirement - nothing to do! I've now changed (on one machine) /usr/share/logwatch/default.conf/services/...

sshd.conf changed from (line 22),

*OnlyService = sshd

to,

*OnlyService = (sshd|sshd-session)

secure.conf changed from (line 27),

$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd

to,

$ignore_services = sshd sshd-session Pluto stunnel proftpd saslauthd imapd postfix/smtpd

& it works as expected.
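As an added example (not logwatch's own code and not part of this bug report), the following Python script mimics the two behaviours the thread turns on: an OnlyService filter that matches the syslog tag as a whole, which is why the bare `sshd` pattern drops every `sshd-session` line, and summarising of repeated "Received disconnect" messages into one "N Time(s)" line. The log lines are constructed; the anchored-match semantics and the summary key (peer IP plus reason) are assumptions, not logwatch's actual implementation.

```python
import re
from collections import Counter

# Constructed sample journal/syslog lines (not taken from the bug report).
SAMPLE_LOG = """\
Dec 30 10:00:01 host sshd-session[1201]: Accepted publickey for alice from 192.0.2.10 port 51560 ssh2: ED25519 SHA256:EXAMPLE
Dec 30 10:00:05 host sshd-session[1201]: Received disconnect from 192.0.2.10 port 51560:11: disconnected by user
Dec 30 10:00:05 host sshd-session[1201]: Disconnected from user alice 192.0.2.10 port 51560
Dec 30 10:01:01 host sshd-session[1233]: Received disconnect from 192.0.2.10 port 51602:11: disconnected by user
Dec 30 10:01:01 host sshd-session[1233]: Disconnected from user alice 192.0.2.10 port 51602
Dec 30 10:02:00 host sshd[900]: Server listening on 0.0.0.0 port 22.
Dec 30 10:02:30 host cron[777]: (root) CMD (run-parts /etc/cron.hourly)
"""

# month day time host tag[pid]: message  (pid is optional)
SYSLOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ (?P<tag>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")


def select_service(lines, only_service):
    """Return the messages whose syslog tag matches only_service as a whole.
    Assumed anchored match: 'sshd' must not match 'sshd-session'."""
    tag_re = re.compile(rf"^(?:{only_service})$")
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and tag_re.match(m.group("tag")):
            out.append(m.group("msg"))
    return out


def summarise_disconnects(messages):
    """Collapse 'Received disconnect' messages to (ip, reason) so repeated
    sessions from one peer are counted together instead of listed per port."""
    pat = re.compile(r"^Received disconnect from (\S+) port \d+:\d+: (.*)$")
    counts = Counter()
    for msg in messages:
        m = pat.match(msg)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def report(log_text, only_service):
    """Produce logwatch-style summary lines for one OnlyService setting."""
    msgs = select_service(log_text.splitlines(), only_service)
    counts = summarise_disconnects(msgs)
    return [f"Received disconnect from {ip}: {reason}: {n} Time(s)"
            for (ip, reason), n in sorted(counts.items())]


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "sshd"))                  # old sshd.conf: nothing reported
    print(report(SAMPLE_LOG, "(sshd|sshd-session)"))   # fixed sshd.conf: one summary line
```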
I'll release a patch for this in the next few days, but as well, a new release of logwatch will also be out in the next month, which will have a permanent fix, and I'll get that out ASAP.
FEDORA-2024-1303906716 (logwatch-7.11-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-1303906716
FEDORA-2024-1303906716 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-1303906716` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-1303906716 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-1303906716 (logwatch-7.11-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
logwatch-7.11-2.fc41 was installed Tue 31 Dec 2024 01:00:05 It has reversed the changes I made above & the "bug" is back. Sorry I'm a bit slow at the moment & can't sit long at the computer... 2nd hip replaced on the 18th Dec.
That is annoying, let me take another look at it. I wonder if it is picking up the mods to the config files correctly, as it looked to be working for me.
I think I may have misinterpreted the errors now appearing; they include pam_unix...

--------------------- SSHD Begin ------------------------

**Unmatched Entries**
DATE/TIME HOST sshd-session[PIDX]: Accepted publickey for USER from IP port 51560 ssh2: KEY DETAIL : 1 Time
DATE/TIME HOST sshd-session[PIDX]: pam_unix(sshd:session): session closed for user USERNAME : 1 Time
DATE/TIME HOST sshd-session[PIDX]: pam_unix(sshd:session): session opened for user USER(uid=UID) by USER(uid=0) : 1 Time
DATE/TIME HOST sshd-session[PIDY]: Received disconnect from IP port PORT:NN: disconnected by user : 1 Time
...

---------------------- SSHD End -------------------------

for each login. (Note the PIDs are not ordered & some logging appears to be being lost.) So it looks like the logging itself has changed!
Ahh, that is a different issue, and probably means that there needs to be a bit of a fix in the script that parses SSHD. I will look at it over the next few days and see what I can find. Also, I assume that you have cleaned it up by adding the DATE/TIME, HOST, USER, etc fields, i.e. it wasn't like that in your actual logwatch report?
> Also, I assume that you have cleaned it up by adding the DATE/TIME, HOST, USER, etc fields, i.e. it wasn't like that in your actual logwatch report? Yes.
Having looked a little, I think it's likely to be a moving target for a while, till the sshd maintainers finish deciding on how sshd will log...
I think that will be never, as they keep changing it every update, however, it usually is pretty good with any release.
Okay, now I've got my F41 host running properly I see what the issue is, and I missed a line in the fix. I'm adding it and it should be available soon.
FEDORA-2025-3fa56f0538 (logwatch-7.11-3.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-3fa56f0538
FEDORA-2025-3fa56f0538 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3fa56f0538` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3fa56f0538 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-3fa56f0538 (logwatch-7.11-3.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.