I am having a problem where Logwatch is not showing any events from the
/var/log/secure log file. When I run
logwatch --print --range today --service sshd --detail 10 --debug 10
the end result shows this:
...
LogFiles that will be processed:
[0] = secure
[1] = messages
Made Temp Dir: /var/cache/logwatch/logwatch.sOga48bL with tempdir
export LOGWATCH_DATE_RANGE='today'
export LOGWATCH_GLOBAL_DETAIL='10'
export LOGWATCH_OUTPUT_TYPE='unformatted'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.sOga48bL/'
export LOGWATCH_DEBUG='10'
Preprocessing LogFile: secure
/var/log/secure 2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
''>/var/cache/logwatch/logwatch.sOga48bL/secure
TimeFilter: Period is day
TimeFilter: SearchDate is (Nov 6 ..:..:..)
TimeFilter: Debug SearchDate is (Nov 6 )
DEBUG: Inside ApplyStdDate...
DEBUG: Looking For: (Nov 6 ..:..:..)
Preprocessing LogFile: messages
/var/log/messages 2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'talkd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'telnetd'|
/usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'inetd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'nfsd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice '/sbin/mingetty'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice
'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice
'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''|
/usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
''>/var/cache/logwatch/logwatch.sOga48bL/messages
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
TimeFilter: Period is day
TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s )
TimeFilter: Debug SearchDate is ( 2010-Nov-06 h m s )
################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Sat Nov 6 11:38:23 2010
Date Range Processed: today
( 2010-Nov-06 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: valhala.xxxxxxxxxxxx.org
##################################################################
--------------------- SSHD Begin ------------------------
DEBUG: Inside OnlyService for sshd
DEBUG: Inside SSHD Filter
---------------------- SSHD End -------------------------
Looking at file /usr/share/logwatch/scripts/services/sshd there is block of
code starting at line 165:
...
   if ( $Debug >= 5 ) {
      print STDERR "\n\nDEBUG: Inside SSHD Filter \n\n";
      $DebugCounter = 1;
   }
   while (defined(my $ThisLine = <STDIN>)) {
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG($DebugCounter): $ThisLine";
         $DebugCounter++;
      }
...
From above, this line never prints anything:
print STDERR "DEBUG($DebugCounter): $ThisLine";
while the previous print STDERR does print when $Debug >= 5.
Doing an rpm -V Logwatch shows one changed file
S.5....T c /etc/logwatch/conf/logwatch.conf
as I added a " Detail = High" line to it.
I do have sshd events in /var/log/secure; here are some showing a test of a
failed login using a non-existent account:
2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob from
192.168.1.12
2010-11-06T08:59:03.688784-04:00 valhala sshd[23636]:
input_userauth_request: invalid user bob
2010-11-06T08:59:05.996036-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:05.996313-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh
ruserrhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:07.837697-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:10.644065-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:12.505509-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:14.348019-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:15.759400-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:18.315990-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:19.607300-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:24.686480-04:00 valhala sshd[23636]: Connection closed by
192.168.1.12
2010-11-06T08:59:24.687107-04:00 valhala sshd[23633]: PAM 3 more
authentication failures; logname= uid=0 euid=0 tty=ssh
ruserrhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:24.687132-04:00 valhala sshd[23633]: PAM service(sshd)
ignoring max retries; 4 > 3
Does anyone have any idea why this isn't working? The only thing I see is a
date discrepancy:
TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s ), vs
2010-11-06T08:59:03.684006-04:00
Thanks in advance for any clues.
Al
--
Experience varies directly with equipment ruined.
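The date discrepancy noted at the end of the post can be shown in isolation. The following is an added example, not code from the post or from Logwatch: a simplified model of the applystddate search pattern ("Nov  6 ..:..:..", assumed here to have the space-padded day of the traditional syslog format) run over constructed log lines in both timestamp formats, plus a converter that rewrites the RFC 3339 prefix rsyslog writes by default into the traditional prefix that the pattern expects.

```python
"""Simplified model of Logwatch's applystddate date filter (added example,
not Logwatch code).  The filter keeps only lines whose prefix matches the
traditional syslog timestamp for the requested day; lines carrying an
RFC 3339 prefix never match and are dropped before the sshd service script
sees them, which is consistent with the empty SSHD section in the post."""
import re
from datetime import date, datetime

# Day the post's debug run searched for: "SearchDate is ( 2010-Nov-06 )".
DAY = date(2010, 11, 6)

# Constructed sample, modelled on the lines in the post (not real events).
SAMPLE_LOG = """\
2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob from 192.168.1.12
2010-11-06T08:59:07.837697-04:00 valhala sshd[23633]: Failed password for invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-05T23:10:00.000000-04:00 valhala sshd[23000]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
"""

# RFC 3339 prefix as written by rsyslog's default high-precision template.
ISO_PREFIX = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}:\d{2}:\d{2})(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)?\s+(.*)$"
)


def syslog_search_pattern(day: date) -> "re.Pattern":
    """Equivalent of 'SearchDate is (Nov  6 ..:..:..)': month abbreviation,
    space-padded day of month, any hh:mm:ss (assumed two-space padding)."""
    return re.compile(r"^%s %2d ..:..:.." % (day.strftime("%b"), day.day))


def to_traditional(line: str) -> str:
    """Rewrite an RFC 3339-prefixed line to the traditional syslog prefix.
    Lines without that prefix are returned unchanged."""
    m = ISO_PREFIX.match(line)
    if not m:
        return line
    y, mo, d, hms, rest = m.groups()
    stamp = datetime(int(y), int(mo), int(d))
    return "%s %2d %s %s" % (stamp.strftime("%b"), stamp.day, hms, rest)


def lines_for_day(text: str, day: date, normalise: bool = False) -> list:
    """Apply the date filter to each line; optionally convert prefixes first."""
    pattern = syslog_search_pattern(day)
    out = []
    for line in text.splitlines():
        if normalise:
            line = to_traditional(line)
        if pattern.match(line):
            out.append(line)
    return out
```

Running lines_for_day on the sample without normalisation returns nothing, which mirrors the post; with normalisation the two Nov 6 events pass and the Nov 5 event is correctly excluded.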