Line 243 of "/etc/log.d/scripts/services/sshd" searches for "Server listening on" messages to count the number of times the ssh daemon was started. Line 235 of the same file searches for "Received signal 15" messages to cound daemon shutdowns. The default syslog configuration places these messages in /var/log/secure. However, in "/etc/log.d/conf/services/sshd.conf" we find only a single LogFile directive, for the "messages" log. Thus, logwatch never actually finds these sshd startup messages. Someone should add a second LogFile line to "/etc/log.d/conf/services/sshd.conf", as follows: LogFile = secure Note that the existing "LogFile = messages" line should be retained, as some sshd messages do still go into that logfile group.
Actually, it appears that there are *no* useful sshd messages in the "messages" logfile group. They all go into the "secure" group. So instead of adding a LogFile line, you want to replace the existing one. That is, on line 16 of "/etc/log.d/conf/services/sshd.conf", change this: LogFile = messages to this: LogFile = secure
Created attachment 50044 [details] patch file implementing suggested LogFile directive change