 
Old 04-29-2012, 12:39 PM
Maarten Derickx
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

Dear All,
I'm using debian 6.0.4 and recently I ran into trouble using logwatch. I have installed logwatch using apt-get and the only change I made to the config related to logwatch is:


--- /dev/null+++ b/logwatch/conf/logwatch.conf@@ -0,0 +1 @@+Range = since -7 days
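Review bot: the only setting this hunk changes is Range = since -7 days, which is not --range all; the --archives help text quoted later in this message says that for such ranges Logwatch searches only "the appropriate archived logs", so both the seven-day window and the archive file pattern decide which rotated files are read. Rerunning with --range all --archives would show whether the window or the pattern is what excludes auth.log.1.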
and I set up a cronjob to get weekly mails. Now I noticed that not all my login attempts using sshd were shown in these mails, so I tried to start debugging it.


The strange thing is that when I do:
logwatch --service sshd --archives
I get only 3 logins, 2 from "mderickx" and 1 from "sageslave" (see Output 1 below).


While a simple grep of the log directory shows that in the last week there are also 2+8=10 logins (see Output 2 below). The 8 additional logins are in the auth.log.1 file. According to the documentation of the --archives argument the auth.log.1 file should also get checked. I quote the documentation:


--archives
    Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz). When used with "--range all", this option will make Logwatch search through the archives in addition to the regular logfiles. For other values of --range, Logwatch will search the appropriate archived logs.



The strange thing is that if I now do:
root@md:/var/log# gzip auth.log.1
and then
logwatch --service sshd --archives


then I do get the expected amount of 10 logins for the user mderickx in the logwatch output. So it seems that, in contrast to what the documentation suggests, the uncompressed archive /var/log/auth.log.1 is not checked!



While debugging the above (I'd rather not mess with my logfiles when not necessary) I copied auth.log and auth.log.1 to /tmp and modified the files to see how logwatch would react. And the strange thing is that when I did


logwatch --logdir /tmp
I also got a lot of logwatch output related to for example apache, while there are no apache logs in /tmp. It seems like it also goes to /var/log for files it cannot find in /tmp, which again doesn't match the documentation.


--logdir directory
    Look in directory for log subdirectories or log files instead of the default directory.
It clearly says "instead" and not "in addition to" or something like "first look in directory and if it is not found look in the default directory".




I hope I didn't scare you with the long mail, but I think it will be more useful than a short cryptic question in which it is harder to see what the exact problem is.


Thanks Maarten

Output 1:
root@md:/var/log# logwatch --service sshd --archives
 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Sun Apr 29 13:46:24 2012
        Date Range Processed: since -7 days
                              ( 2012-Apr-22 / 2012-Apr-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: md
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Users logging in through sshd:
    mderickx:
       82.139.86.4 (ip82-139-86-4.lijbrandt.net): 2 times
    sageslave:
       127.0.0.1 (localhost): 1 time

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################





Output 2:
root@md:/var/log# grep -r sshd ./ | grep mderickx | grep Accepted
./auth.log.1:Apr 26 13:01:02 mdsage sshd[4001]: Accepted publickey for mderickx from 82.139.86.4 port 38018 ssh2
./auth.log.1:Apr 26 13:03:09 mdsage sshd[4074]: Accepted publickey for mderickx from 82.139.86.4 port 45710 ssh2
./auth.log.1:Apr 26 13:03:33 mdsage sshd[4089]: Accepted publickey for mderickx from 82.139.86.4 port 33735 ssh2
./auth.log.1:Apr 26 16:34:02 mdsage sshd[6821]: Accepted publickey for mderickx from 82.139.86.4 port 41634 ssh2
./auth.log.1:Apr 26 18:41:18 mdsage sshd[9467]: Accepted publickey for mderickx from 82.139.86.4 port 35548 ssh2
./auth.log.1:Apr 28 14:41:20 mdsage sshd[1414]: Accepted publickey for mderickx from 82.139.86.4 port 33067 ssh2
./auth.log.1:Apr 29 01:19:22 mdsage sshd[16827]: Accepted publickey for mderickx from 82.139.86.4 port 45557 ssh2
./auth.log.1:Apr 29 01:37:01 mdsage sshd[17073]: Accepted publickey for mderickx from 82.139.86.4 port 45161 ssh2
./auth.log:Apr 29 12:27:53 mdsage sshd[23051]: Accepted publickey for mderickx from 82.139.86.4 port 43719 ssh2
./auth.log:Apr 29 12:54:08 mdsage sshd[26049]: Accepted publickey for mderickx from 82.139.86.4 port 43200 ssh2
 
Old 04-29-2012, 02:59 PM
Camaleón
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

On Sun, 29 Apr 2012 14:39:08 +0200, Maarten Derickx wrote:

(...)

→ About the problem of analyzing from the archive

> The strange thing is that when I do:
>
> logwatch --service sshd --archives
>
> I get only 3 logins 2 from "mderickx" and 1 from "sageslave". (see
> Output 1 below)

(...)

> The strange thing is that if I now do:
>
> root@md:/var/log# gzip auth.log.1
>
> and then
>
> logwatch --service sshd --archives
>
> then I do get the expected amount of 10 logins for the user mderickx in
> the logwatch output. So it seems that in contrast to the what the
> documentation suggests the uncompressed archive /var/log/auth.log.1 is
> not checked!

Look at one of the config files that manages sshd (secure.conf), I think
there can be a rule pattern definition error there.

Logwatch seems to be configured to read either from "/var/log/auth.log"
(as the actual file) or "/var/log/auth.log.*.gz" files (for the
archives) but does not handle non "*.gz" files with a different
filename :-?

→ About the problem of setting a different directory for the logs

(...)

I leave this for others to debug :-P

Greetings,

--
Camaleón


 
Old 04-29-2012, 06:56 PM
Maarten Derickx
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

> Look at one of the config files that manages sshd (secure.conf), I think
> there can be a rule pattern definition error there.
>
> Greetings,
>
> --
> Camaleón

Thanks. There were no config files in /etc/ (only a directory structure). But indeed there was a mistake in the file /usr/share/logwatch/default.conf/logfiles/secure.conf


There was a rule which said:

Archive = authlog.*

But this line should read:

Archive = auth.log.*

A closer inspection of the logfiles I cared about revealed that there were also related errors. I made a patch with all the changes and posted it at http://pastebin.com/6vALKDYN . What is the procedure for getting these fixes in debian?



Thanks,
Maarten
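The mismatch found above is easy to audit for: expand every LogFile= and Archive= pattern of a logfile group against the log directory and compare the logins those files contain with what is actually on disk. The script below is an added illustration, not logwatch's own code; it uses a constructed temp directory (2 logins in auth.log, 8 in auth.log.1, as in the thread), a constructed conf fragment in secure.conf's key=value style, and the documentation address 192.0.2.10.

```python
import glob
import gzip
import os
import re
import tempfile

# Constructed stand-in for a logwatch logfile-group file such as
# /usr/share/logwatch/default.conf/logfiles/secure.conf (not logwatch's own code).
BROKEN_CONF = "LogFile = auth.log\nArchive = authlog.*\n"  # typo from the thread
FIXED_CONF = "LogFile = auth.log\nArchive = auth.log.*\n"

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from")

def parse_logfile_group(conf_text):
    """Collect the LogFile= and Archive= glob patterns from a logfile-group conf."""
    patterns = []
    for line in conf_text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip().lower() in ("logfile", "archive") and value.strip():
            patterns.append(value.strip())
    return patterns

def accepted_logins(path):
    """Count sshd 'Accepted ... for <user>' lines, like the grep in Output 2."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return sum(1 for line in fh if ACCEPTED.search(line))

def audit(logdir, conf_text):
    """Return (patterns matching nothing, logins covered by conf, logins on disk)."""
    matched = {p: glob.glob(os.path.join(logdir, p)) for p in parse_logfile_group(conf_text)}
    dead = [p for p, files in matched.items() if not files]
    covered = {f for files in matched.values() for f in files}
    # Heuristic for this check: every auth.log* file in logdir is an auth log.
    on_disk = {os.path.join(logdir, f) for f in os.listdir(logdir) if f.startswith("auth.log")}
    return dead, sum(map(accepted_logins, covered)), sum(map(accepted_logins, on_disk))

def demo():
    """Constructed /var/log stand-in: 2 logins in auth.log, 8 in the rotated auth.log.1."""
    d = tempfile.mkdtemp()
    line = "Apr 26 13:01:02 host sshd[4001]: Accepted publickey for alice from 192.0.2.10 port 38018 ssh2\n"
    with open(os.path.join(d, "auth.log"), "w") as fh:
        fh.write(line * 2)
    with open(os.path.join(d, "auth.log.1"), "w") as fh:
        fh.write(line * 8)
    return audit(d, BROKEN_CONF), audit(d, FIXED_CONF)

if __name__ == "__main__":
    print(demo())  # (['authlog.*'], 2, 10) vs ([], 10, 10)
```

With the typo the archive pattern resolves to no file and only the 2 current-file logins are counted; with the corrected pattern all 10 are covered, which is the gap logwatch silently had.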
 
Old 04-29-2012, 07:52 PM
Bob Proulx
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

Maarten Derickx wrote:
> A closer inspection of the logfiles I cared about revealed that there
> where also related errors. I made a patch with all the changes and
> posted it at http://pastebin.com/6vALKDYN . What is the procedure for
> getting these fixes in debian?

Report it as a bug. Using 'reportbug' is typical but it can also be
done by simple email.

Here is the documentation page for how to submit a bug to Debian:

http://www.debian.org/Bugs/Reporting

Bob
 
Old 04-29-2012, 10:12 PM
Maarten Derickx
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

2012/4/29 Maarten Derickx <m.derickx.student@gmail.com>



A closer inspection of the logfiles I cared about revealed that there where also related errors. I made a patch with all the changes and posted it at http://pastebin.com/6vALKDYN . What is the procedure for getting these fixes in debian?




Thanks,
Maarten


I filed the bugs and they have numbers: #670877 and #670880 respectively.
 
Old 04-30-2012, 03:12 PM
Camaleón
 
Default Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

On Mon, 30 Apr 2012 00:12:43 +0200, Maarten Derickx wrote:

> 2012/4/29 Maarten Derickx <m.derickx.student@gmail.com>
>
>
>> A closer inspection of the logfiles I cared about revealed that there
>> where also related errors. I made a patch with all the changes and
>> posted it at http://pastebin.com/6vALKDYN . What is the procedure for
>> getting these fixes in debian?
>>
>>
>>
> I filed the bugs and they have numbers: #670877 and #670880
> respectively.

I was going to suggest exactly that... Well done! :-)

Greetings,

--
Camaleón


 
