I having a problem where Logwatch is not showing any events from the
/var/log/secure log file. When I run

logwatch --print --range today --service sshd --detail 10 --debug 10

the end result shows this:

...
LogFiles that will be processed:
[0] = secure
[1] = messages

Made Temp Dir: /var/cache/logwatch/logwatch.sOga48bL with tempdir
export LOGWATCH_DATE_RANGE='today'
export LOGWATCH_GLOBAL_DETAIL='10'
export LOGWATCH_OUTPUT_TYPE='unformatted'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.sOga48bL/'
export LOGWATCH_DEBUG='10'

Preprocessing LogFile: secure
/var/log/secure 2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats '| /usr/bin/perl
/usr/share/logwatch/scripts/shared/onlyhost '| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
'>/var/cache/logwatch/logwatch.sOga48bL/secure

TimeFilter: Period is day

TimeFilter: SearchDate is (Nov 6 ..:..:..)

TimeFilter: Debug SearchDate is (Nov 6 )
DEBUG: Inside ApplyStdDate...
DEBUG: Looking For: (Nov 6 ..:..:..)

Preprocessing LogFile: messages
/var/log/messages 2>/dev/null | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats '| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'talkd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'telnetd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'inetd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice 'nfsd'| /usr/bin/perl
/usr/share/logwatch/scripts/shared/removeservice '/sbin/mingetty'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'netscreen'|
/usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost '| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
'>/var/cache/logwatch/logwatch.sOga48bL/messages
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService...
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out
DEBUG: Inside RemoveService: 930 Lines In, 930 Lines Out

TimeFilter: Period is day

TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s )

TimeFilter: Debug SearchDate is ( 2010-Nov-06 h m s )

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Sat Nov 6 11:38:23 2010
Date Range Processed: today
( 2010-Nov-06 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: valhala.xxxxxxxxxxxx.org
################################################## ################

--------------------- SSHD Begin ------------------------

DEBUG: Inside OnlyService for sshd


DEBUG: Inside SSHD Filter


---------------------- SSHD End -------------------------


Looking at file /usr/share/logwatch/scripts/services/sshd there is block of
code starting at line 165:

...
if ( $Debug >= 5 ) {
print STDERR "

DEBUG: Inside SSHD Filter

";
$DebugCounter = 1;
}

while (defined(my $ThisLine = <STDIN>)) {
if ( $Debug >= 5 ) {
print STDERR "DEBUG($DebugCounter): $ThisLine";
$DebugCounter++;
}
...

>From above, this line never prints anything:

print STDERR "DEBUG($DebugCounter): $ThisLine";

while the previous print STDERR does print when $Debug >= 5.

Doing a rpm -V Logwatch shows one changed file

S.5....T c /etc/logwatch/conf/logwatch.conf

as I added a " Detail = High" line to it.

I do have sshd events in /var/log/secure, here's some showing testing a
failed login using a non-existing account:

2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob from
192.168.1.12
2010-11-06T08:59:03.688784-04:00 valhala sshd[23636]:
input_userauth_request: invalid user bob
2010-11-06T08:59:05.996036-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:05.996313-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:07.837697-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:10.644065-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:12.505509-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:14.348019-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:15.759400-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:18.315990-04:00 valhala sshd[23633]: pam_unix(sshd:auth):
check pass; user unknown
2010-11-06T08:59:19.607300-04:00 valhala sshd[23633]: Failed password for
invalid user bob from 192.168.1.12 port 57945 ssh2
2010-11-06T08:59:24.686480-04:00 valhala sshd[23636]: Connection closed by
192.168.1.12
2010-11-06T08:59:24.687107-04:00 valhala sshd[23633]: PAM 3 more
authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=bunny2.xxxxxxxxxxxx.org
2010-11-06T08:59:24.687132-04:00 valhala sshd[23633]: PAM service(sshd)
ignoring max retries; 4 > 3


Does anyone have any idea why this isn't working? The only thing I see is a
date discrepancy:

TimeFilter: SearchDate is ( 2010-Nov-06 ..h ..m ..s ), vs
2010-11-06T08:59:03.684006-04:00

Thanks in advance for any clues.

Al
--
Experience varies directly with equipment ruined.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Found it.

> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
Behalf
> Of Albert McCann
> Sent: Saturday, November 06, 2010 12:18 PM
> To: 'CentOS mailing list'
> Subject: [CentOS] Logwatch not working properly
>
> I having a problem where Logwatch is not showing any events from the
> /var/log/secure log file.

The date format used by the default /etc/rsyslogd.conf may be wrong in
CentOS 5.5, and I'm guessing RedHat's rsyslog-3.22.1-3.

> 2010-11-06T08:59:03.684006-04:00 valhala sshd[23633]: Invalid user bob
from 192.168.1.12

I renamed rsyslog.conf to rsyslog.conf.back and reinstalled rsyslog just to
make sure I got a good rsyslog.conf file.

What it should display as is this (for logwatch to be able to see):

Nov 6 21:25:31 valhala sshd[579]: Accepted password for someone from
192.168.1.12 port 61275 ssh2

This provided the clue I needed:

http://howtoforge.org/forums/showthread.php?p=242790

I have Fedora 13 running in a VMWare session, and this line from F13's
rsyslog.conf, seems to do this trick:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Al
--
Ate yerz ago i cudent evin spel injuneer. Now i ar one.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
Behalf
> Of Albert McCann
> Sent: Saturday, November 06, 2010 9:55 PM
> To: 'CentOS mailing list'
> Subject: Re: [CentOS] Logwatch not working properly
>
> Found it.

Now that I know what to look for, here's the RedHat Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=583621

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos