Bug 61829 - logwatch's sshd filter should scan secure logs
Summary: logwatch's sshd filter should scan secure logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-03-25 00:13 UTC by Ben Liblit
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-03-25 00:19:48 UTC
Embargoed:


Attachments
patch file implementing suggested LogFile directive change (315 bytes, patch)
2002-03-25 00:19 UTC, Ben Liblit


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:053 0 normal SHIPPED_LIVE : Race conditions in logwatch 2002-03-28 05:00:00 UTC
Red Hat Product Errata RHSA-2002:054 0 normal SHIPPED_LIVE : Race conditions in logwatch 2002-03-28 05:00:00 UTC

Description Ben Liblit 2002-03-25 00:13:14 UTC
Line 243 of "/etc/log.d/scripts/services/sshd" searches for "Server listening
on" messages to count the number of times the ssh daemon was started.  Line 235
of the same file searches for "Received signal 15" messages to count daemon
shutdowns.

The default syslog configuration places these messages in /var/log/secure. 
However, in "/etc/log.d/conf/services/sshd.conf" we find only a single LogFile
directive, for the "messages" log.  Thus, logwatch never actually finds these
sshd startup messages.

Someone should add a second LogFile line to
"/etc/log.d/conf/services/sshd.conf", as follows:

   LogFile = secure

Note that the existing "LogFile = messages" line should be retained, as some
sshd messages do still go into that logfile group.

Comment 1 Ben Liblit 2002-03-25 00:18:51 UTC
Actually, it appears that there are *no* useful sshd messages in the "messages"
logfile group.  They all go into the "secure" group.  So instead of adding a
LogFile line, you want to replace the existing one.  That is, on line 16 of
"/etc/log.d/conf/services/sshd.conf", change this:

    LogFile = messages

to this:

    LogFile = secure

Comment 2 Ben Liblit 2002-03-25 00:19:40 UTC
Created attachment 50044
patch file implementing suggested LogFile directive change
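
The mismatch reported in this bug can be checked by counting the sshd start and stop lines that are reachable through a service conf's LogFile directives. The script below is an added example, not logwatch code or part of the attached patch; it assumes each logfile group name maps to a file of the same name in the log directory, and its log lines and conf files are constructed samples.

```shell
#!/bin/sh
# Added example, not logwatch code. Assumption: "LogFile = <group>" names a
# file called <group> in the log directory.

# Print the logfile groups named by LogFile directives in a service conf.
logfile_groups() {
    sed -n 's/^[[:space:]]*LogFile[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# Count sshd start/stop lines visible through the conf's LogFile groups.
# Usage: sshd_events_seen <service.conf> <logdir>; prints "<starts> <stops>".
sshd_events_seen() {
    conf=$1 logdir=$2 starts=0 stops=0
    for group in $(logfile_groups "$conf"); do
        f="$logdir/$group"
        [ -r "$f" ] || continue
        # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
        s=$(grep -c 'sshd\[[0-9]*]: Server listening on' "$f" || true)
        k=$(grep -c 'sshd\[[0-9]*]: Received signal 15' "$f" || true)
        starts=$((starts + s)); stops=$((stops + k))
    done
    echo "$starts $stops"
}

# Build constructed sample data: sshd lines appear only in "secure".
make_demo() {
    d=$(mktemp -d)
    cat > "$d/secure" <<'EOF'
Mar 24 18:01:02 host sshd[812]: Server listening on 0.0.0.0 port 22.
Mar 24 18:40:10 host sshd[812]: Received signal 15; terminating.
Mar 24 18:40:15 host sshd[911]: Server listening on 0.0.0.0 port 22.
EOF
    cat > "$d/messages" <<'EOF'
Mar 24 18:01:00 host kernel: eth0: link up
Mar 24 18:05:00 host syslogd 1.4.1: restart.
EOF
    printf 'LogFile = messages\n' > "$d/sshd.conf.before"
    printf 'LogFile = secure\n' > "$d/sshd.conf.after"
    echo "$d"
}

demo=$(make_demo)
echo "LogFile = messages: $(sshd_events_seen "$demo/sshd.conf.before" "$demo")"
echo "LogFile = secure:   $(sshd_events_seen "$demo/sshd.conf.after" "$demo")"
rm -rf "$demo"
```
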

