Created attachment 603048
Patch to pam_unix service script to match trailing spaces in authentication failure log entries

Description of problem:
logwatch drops last digit from IP address in some pam_unix authentication failure log entries.

Version-Release number of selected component (if applicable):
7.4.0-13.20120619svn110.fc17

How reproducible:
Fairly consistently, given PAM authentication failures with an unknown user name.

Steps to Reproduce:
1. Wait for someone to try unsuccessfully to log in, using an invalid user name.
2. Run "logwatch" or allow it to run from its cron job.
3. Look at authentication failures in pam_unix section and compare to log entries for the day.

Actual results:
--------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 232 Time(s)
       unknown (58.251.161.4): 109 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)

---------------------- pam_unix End -------------------------

Expected results:
--------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 341 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)

---------------------- pam_unix End -------------------------

Additional info:
The format for log entries like the following has changed recently:

Aug 7 23:50:46 gilles sshd[4105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.251.161.44

When the rhost=IP part was not followed by a user=name part (i.e. when the user name was unknown), the log entry used to consistently have a single space after the IP address, and logwatch simple-mindedly expected, and dropped, that single character from the entry.
Recently, these log entries no longer have the trailing space, so the pam_unix script's regular expression should be changed to match and drop zero or more trailing spaces, rather than any single character. See attached patch.
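The failure mode described in the report above, as an added example that is not part of the original report or of logwatch's code. The two patterns are hypothetical, modelled only on the report's description (a mandatory single trailing character versus zero or more trailing spaces), and the sample entries are constructed from the log line quoted in the report.

```python
import re
from collections import Counter

# Hypothetical patterns modelled on the report's description; not logwatch's own regex.
# OLD: requires exactly one character (formerly the trailing space) after the address.
OLD = re.compile(r"authentication failure; .*\brhost=(\S+).$")
# NEW: tolerates zero or more trailing spaces after the address.
NEW = re.compile(r"authentication failure; .*\brhost=(\S+)\s*$")

ENTRY = ("Aug 7 23:50:46 gilles sshd[4105]: pam_unix(sshd:auth): authentication failure; "
         "logname= uid=0 euid=0 tty=ssh ruser= rhost=58.251.161.44")

# Constructed sample: two entries in the old format (one trailing space),
# three in the new format (no trailing space).
SAMPLE = [ENTRY + " "] * 2 + [ENTRY] * 3


def tally(pattern, lines):
    """Count unknown-user authentication failures per remote host."""
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def phantom_hosts(old_counts, new_counts):
    """Hosts that exist only in the old tally, i.e. truncated addresses."""
    return sorted(set(old_counts) - set(new_counts))


if __name__ == "__main__":
    old, new = tally(OLD, SAMPLE), tally(NEW, SAMPLE)
    # With no trailing space, the greedy \S+ backtracks one character so that "."
    # can match, and the last digit of the address is silently dropped.
    print("old pattern:", dict(old))
    print("new pattern:", dict(new))
    print("phantom hosts:", phantom_hosts(old, new))
```

A truncated address is still a syntactically valid IPv4 address, so validating the captured value would not catch this; comparing per-host totals against the raw log, as the report does, is what exposes the split.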
Thanks for the patch! Pushed to rawhide: http://lists.fedoraproject.org/pipermail/scm-commits/2012-September/869452.html
logwatch-7.4.0-17.20120619svn110.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/logwatch-7.4.0-17.20120619svn110.fc18
Package logwatch-7.4.0-17.20120619svn110.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-17.20120619svn110.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15170/logwatch-7.4.0-17.20120619svn110.fc18
then log in and leave karma (feedback).
logwatch-7.4.0-17.20120619svn110.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.