Logwatch not working properly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I having a problem where Logwatch is not showing any events from the
/var/log/secure log file. When I run

logwatch --print --range today --service sshd --detail 10 --debug 10

the end result shows this:

...
LogFiles that will be processed:
[0] = secure
[1] = messages

Made Temp Dir: /var/cache/logwatch/logwatch.sOga48bL with tempdir
export LOGWATCH_DATE_RANGE='today'
export LOGWATCH_GLOBAL_DETAIL='10'
export LOGWATCH_OUTPUT_TYPE='unformatted'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.sOga48bL/'
export LOGWATCH_DEBUG='10'

Preprocessing LogFile: secure
/var/log/secure  2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
''>/var/cache/logwatch/logwatch.sOga48bL/secure

TimeFilter: Period is day

TimeFilter: SearchDate is (Nov  6 ..:..:..)

TimeFilter: Debug SearchDate is (Nov 6 )
DEBUG: Inside ApplyStdDate...
DEBUG: Looking For: (Nov  6 ..:..:..)

Preprocessing LogFile: messages
/var/log/messages  2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'talkd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'telnetd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'inetd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'nfsd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice '/sbin/mingetty'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
''>/var/cache/logwatch/logwatch.sOga48bL/messages
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out

TimeFilter: Period is day

TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s )

TimeFilter: Debug SearchDate is ( 2010-Nov-06 h m s )

################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Sat Nov  6 11:38:23 2010
        Date Range Processed: today
                              ( 2010-Nov-06 )
                              Period is day.
      Detail Level of Output: 10
              Type of Output: unformatted
           Logfiles for Host: valhala.xxxxxxxxxxxx.org
  ##################################################################

 --------------------- SSHD Begin ------------------------

 DEBUG: Inside OnlyService for sshd


 DEBUG: Inside SSHD Filter


 ---------------------- SSHD End -------------------------


Looking at file /usr/share/logwatch/scripts/services/sshd there is block of
code starting at line 165:

...
if ( $Debug >= 5 ) {
        print STDERR "\n\nDEBUG: Inside SSHD Filter \n\n";
        $DebugCounter = 1;
}

while (defined(my $ThisLine = <STDIN>)) {
   if ( $Debug >= 5 ) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }
...

>From above, this line never prints anything:

print STDERR "DEBUG($DebugCounter): $ThisLine";

while the previous print STDERR does print when $Debug >= 5.

Doing a rpm -V Logwatch shows one changed file

S.5....T  c /etc/logwatch/conf/logwatch.conf

as I added a " Detail = High" line to it.

I do have sshd events in /var/log/secure, here's some showing testing a
failed login using a non-existing account:

2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob from
192.168.1.12
2010-11-06T08:59:03.688784-04:00 valhala sshd[23636]:
input_userauth_request: invalid user bob
2010-11-06T08:59:05.996036-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:05.996313-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:07.837697-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:10.644065-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:12.505509-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:14.348019-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:15.759400-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:18.315990-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:19.607300-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:24.686480-04:00 valhala sshd[23636]: Connection closed by
192.168.1.12
2010-11-06T08:59:24.687107-04:00 valhala sshd[23633]: PAM 3 more
authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:24.687132-04:00 valhala sshd[23633]: PAM service(sshd)
ignoring max retries; 4 > 3


Does anyone have any idea why this isn't working? The only thing I see is a
date discrepancy:

TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s ), vs
2010-11-06T08:59:03.684006-04:00

Thanks in advance for any clues.

Al
--
Experience varies directly with equipment ruined.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux