
Bug in logwatch? (not all archives are checked and --logdir is partially ignored).



Dear All,

I'm using Debian 6.0.4 and recently I ran into trouble using logwatch. I have installed logwatch using apt-get, and the only change I made to the config related to logwatch is:

--- /dev/null
+++ b/logwatch/conf/logwatch.conf
@@ -0,0 +1 @@
+Range = since -7 days
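Review bot: the new file consists of the single line `+Range = since -7 days` with no comment explaining why the default range is overridden; since the `--archives` documentation quoted later in this mail says that for ranges other than `all` Logwatch searches only "the appropriate archived logs", a comment line noting that this Range value (not just `--archives`) decides which rotated logs get scanned would help whoever reads this config next.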

and I set up a cronjob to get weekly mails. Now I noticed that not all my login attempts using sshd were shown in these mails, so I tried to start debugging it.

The strange thing is that when I do:

logwatch --service sshd --archives

I get only 3 logins: 2 from "mderickx" and 1 from "sageslave" (see Output 1 below).

While a simple grep in the log directory shows that there were also 2+8=10 logins in the last week (see Output 2 below). The 8 additional logins are in the auth.log.1 file. According to the documentation of the --archives argument the auth.log.1 file should also get checked. I quote the documentation:

--archives
Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).  When used  with "--range all", this option will make Logwatch search through the archives in addition to the regular logfiles.  For other values of --range, Logwatch will search the appropriate archived logs.


The strange thing is that if I now do:

root@md:/var/log# gzip auth.log.1

and then

logwatch --service sshd --archives

then I do get the expected amount of 10 logins for the user mderickx in the logwatch output. So it seems that, in contrast to what the documentation suggests, the uncompressed archive /var/log/auth.log.1 is not checked!


While debugging the above (I'd rather not mess with my logfiles when not necessary) I copied auth.log and auth.log.1 to /tmp and modified the files to see how logwatch would react. And the strange thing is that when I did

logwatch --logdir /tmp

I also got a lot of logwatch output related to for example apache, while there are no apache logs in /tmp. It seems like it also goes to /var/log for files it cannot find in /tmp, which again doesn't match the documentation.

--logdir directory
Look in directory for log subdirectories or log files instead of the default directory.

It clearly says "instead" and not "in addition to" or something like "first look in directory and if it is not found look in the default directory".



I hope I didn't scare you with the long mail, but I think it will be more useful than a short cryptic question in which it is harder to see what the exact problem is.

Thanks, Maarten


Output 1:

root@md:/var/log# logwatch --service sshd --archives

 ################### Logwatch 7.3.6 (05/19/07) #################### 
        Processing Initiated: Sun Apr 29 13:46:24 2012
        Date Range Processed: since -7 days
                              ( 2012-Apr-22 / 2012-Apr-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: md
  ################################################################## 
 
 --------------------- SSHD Begin ------------------------ 

 Users logging in through sshd:
    mderickx:
       82.139.86.4 (ip82-139-86-4.lijbrandt.net): 2 times
    sageslave:
       127.0.0.1 (localhost): 1 time
 
 ---------------------- SSHD End ------------------------- 

 
 ###################### Logwatch End ######################### 




Output 2


root@md:/var/log# grep -r sshd ./ | grep mderickx | grep Accepted
./auth.log.1:Apr 26 13:01:02 mdsage sshd[4001]: Accepted publickey for mderickx from 82.139.86.4 port 38018 ssh2
./auth.log.1:Apr 26 13:03:09 mdsage sshd[4074]: Accepted publickey for mderickx from 82.139.86.4 port 45710 ssh2
./auth.log.1:Apr 26 13:03:33 mdsage sshd[4089]: Accepted publickey for mderickx from 82.139.86.4 port 33735 ssh2
./auth.log.1:Apr 26 16:34:02 mdsage sshd[6821]: Accepted publickey for mderickx from 82.139.86.4 port 41634 ssh2
./auth.log.1:Apr 26 18:41:18 mdsage sshd[9467]: Accepted publickey for mderickx from 82.139.86.4 port 35548 ssh2
./auth.log.1:Apr 28 14:41:20 mdsage sshd[1414]: Accepted publickey for mderickx from 82.139.86.4 port 33067 ssh2
./auth.log.1:Apr 29 01:19:22 mdsage sshd[16827]: Accepted publickey for mderickx from 82.139.86.4 port 45557 ssh2
./auth.log.1:Apr 29 01:37:01 mdsage sshd[17073]: Accepted publickey for mderickx from 82.139.86.4 port 45161 ssh2
./auth.log:Apr 29 12:27:53 mdsage sshd[23051]: Accepted publickey for mderickx from 82.139.86.4 port 43719 ssh2
./auth.log:Apr 29 12:54:08 mdsage sshd[26049]: Accepted publickey for mderickx from 82.139.86.4 port 43200 ssh2
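As an independent cross-check of what Logwatch should be covering in the situation above (an added example, not Logwatch's code or the poster's): count accepted sshd logins per user and source address across the live auth.log and every rotation of it in one directory, plain or gzip-compressed, restricted to the same 7-day window, and nothing outside that directory. The sample log lines, host name, user names and addresses are constructed.

```python
import gzip
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta

# one sshd "Accepted" line; syslog timestamps carry no year
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def open_log(path):
    # rotations may be plain (auth.log.1) or gzip-compressed (auth.log.2.gz)
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, encoding="utf-8", errors="replace")

def log_group(logdir, base="auth.log"):
    # the live log plus every rotation of it found in logdir, and nowhere else
    names = sorted(n for n in os.listdir(logdir) if n == base or n.startswith(base + "."))
    return [os.path.join(logdir, n) for n in names]

def count_accepted(logdir, since, until, year):
    # (user, source ip) -> number of accepted sshd logins inside [since, until]
    counts = Counter()
    for path in log_group(logdir):
        with open_log(path) as fh:
            for line in fh:
                m = ACCEPTED_RE.match(line)
                if m:
                    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                    if since <= ts <= until:
                        counts[(m["user"], m["ip"])] += 1
    return dict(counts)

def demo():
    # constructed sample logs (not the reporter's data): live log, plain rotation, gzip rotation
    live = ["Apr 29 12:27:53 host sshd[23051]: Accepted publickey for alice from 203.0.113.5 port 43719 ssh2\n",
            "Apr 29 12:30:00 host sshd[23060]: Failed password for bob from 198.51.100.7 port 4444 ssh2\n"]
    rot1 = ["Apr 26 13:01:02 host sshd[4001]: Accepted publickey for alice from 203.0.113.5 port 38018 ssh2\n",
            "Apr 28 14:41:20 host sshd[1414]: Accepted password for carol from 127.0.0.1 port 33067 ssh2\n"]
    rot2 = ["Apr 15 09:00:00 host sshd[77]: Accepted publickey for alice from 203.0.113.5 port 1000 ssh2\n"]
    with tempfile.TemporaryDirectory() as d:
        for name, lines in (("auth.log", live), ("auth.log.1", rot1), ("auth.log.2.gz", rot2)):
            opener = gzip.open if name.endswith(".gz") else open
            with opener(os.path.join(d, name), "wt") as f:
                f.writelines(lines)
        until = datetime(2012, 4, 29, 13, 46, 24)  # stands in for "now" in "since -7 days"
        return count_accepted(d, until - timedelta(days=7), until, 2012)
```

Running demo() returns two entries: alice twice (one from the live log, one from the plain rotation) and carol once, while the Apr 15 login in the gzip rotation falls outside the window and is not counted.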