I having a problem where Logwatch is not showing any events from the /var/log/secure log file. When I run logwatch --print --range today --service sshd --detail 10 --debug 10 the end result shows this: ... LogFiles that will be processed: [0] = secure [1] = messages Made Temp Dir: /var/cache/logwatch/logwatch.sOga48bL with tempdir export LOGWATCH_DATE_RANGE='today' export LOGWATCH_GLOBAL_DETAIL='10' export LOGWATCH_OUTPUT_TYPE='unformatted' export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.sOga48bL/' export LOGWATCH_DEBUG='10' Preprocessing LogFile: secure /var/log/secure 2>/dev/null | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate ''>/var/cache/logwatch/logwatch.sOga48bL/secure TimeFilter: Period is day TimeFilter: SearchDate is (Nov 6 ..:..:..) TimeFilter: Debug SearchDate is (Nov 6 ) DEBUG: Inside ApplyStdDate... DEBUG: Looking For: (Nov 6 ..:..:..) Preprocessing LogFile: messages /var/log/messages 2>/dev/null | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'talkd'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'telnetd'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'inetd'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'nfsd'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice '/sbin/mingetty'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'| /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate ''>/var/cache/logwatch/logwatch.sOga48bL/messages DEBUG: Inside RemoveService... DEBUG: Inside RemoveService... DEBUG: Inside RemoveService... DEBUG: Inside RemoveService... DEBUG: Inside RemoveService... DEBUG: Inside RemoveService... DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService... DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out TimeFilter: Period is day TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s ) TimeFilter: Debug SearchDate is ( 2010-Nov-06 h m s ) ################### Logwatch 7.3 (03/24/06) #################### Processing Initiated: Sat Nov 6 11:38:23 2010 Date Range Processed: today ( 2010-Nov-06 ) Period is day. Detail Level of Output: 10 Type of Output: unformatted Logfiles for Host: valhala.xxxxxxxxxxxx.org ################################################################## --------------------- SSHD Begin ------------------------ DEBUG: Inside OnlyService for sshd DEBUG: Inside SSHD Filter ---------------------- SSHD End ------------------------- Looking at file /usr/share/logwatch/scripts/services/sshd there is block of code starting at line 165: ... if ( $Debug >= 5 ) { print STDERR "\n\nDEBUG: Inside SSHD Filter \n\n"; $DebugCounter = 1; } while (defined(my $ThisLine = <STDIN>)) { if ( $Debug >= 5 ) { print STDERR "DEBUG($DebugCounter): $ThisLine"; $DebugCounter++; } ... >From above, this line never prints anything: print STDERR "DEBUG($DebugCounter): $ThisLine"; while the previous print STDERR does print when $Debug >= 5. Doing a rpm -V Logwatch shows one changed file S.5....T c /etc/logwatch/conf/logwatch.conf as I added a " Detail = High" line to it. I do have sshd events in /var/log/secure, here's some showing testing a failed login using a non-existing account: 2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob from 192.168.1.12 2010-11-06T08:59:03.688784-04:00 valhala sshd[23636]: input_userauth_request: invalid user bob 2010-11-06T08:59:05.996036-04:00 valhala sshd[23633]: pam_unix(sshd:auth): check pass; user unknown 2010-11-06T08:59:05.996313-04:00 valhala sshd[23633]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bunny2.xxxxxxxxxxxx.org 2010-11-06T08:59:07.837697-04:00 valhala sshd[23633]: Failed password for invalid user bob from 192.168.1.12 port 57945 ssh2 2010-11-06T08:59:10.644065-04:00 valhala sshd[23633]: pam_unix(sshd:auth): check pass; user unknown 2010-11-06T08:59:12.505509-04:00 valhala sshd[23633]: Failed password for invalid user bob from 192.168.1.12 port 57945 ssh2 2010-11-06T08:59:14.348019-04:00 valhala sshd[23633]: pam_unix(sshd:auth): check pass; user unknown 2010-11-06T08:59:15.759400-04:00 valhala sshd[23633]: Failed password for invalid user bob from 192.168.1.12 port 57945 ssh2 2010-11-06T08:59:18.315990-04:00 valhala sshd[23633]: pam_unix(sshd:auth): check pass; user unknown 2010-11-06T08:59:19.607300-04:00 valhala sshd[23633]: Failed password for invalid user bob from 192.168.1.12 port 57945 ssh2 2010-11-06T08:59:24.686480-04:00 valhala sshd[23636]: Connection closed by 192.168.1.12 2010-11-06T08:59:24.687107-04:00 valhala sshd[23633]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=bunny2.xxxxxxxxxxxx.org 2010-11-06T08:59:24.687132-04:00 valhala sshd[23633]: PAM service(sshd) ignoring max retries; 4 > 3 Does anyone have any idea why this isn't working? The only thing I see is a date discrepancy: TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s ), vs 2010-11-06T08:59:03.684006-04:00 Thanks in advance for any clues. Al -- Experience varies directly with equipment ruined. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos