Dear All,

I'm using Debian 6.0.4 and recently I ran into trouble using logwatch. I
have installed logwatch using apt-get and the only change I made to the
config related to logwatch is:

--- /dev/null
+++ b/logwatch/conf/logwatch.conf
@@ -0,0 +1 @@
+Range = since -7 days
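Review bot: the Range value added here determines which rotated files --archives will consult, and that is the behaviour questioned later in this mail: the quoted documentation says only "--range all" makes Logwatch search all archives, while for other values such as "since -7 days" it picks the archives it deems appropriate, so the missing auth.log.1 logins should also be checked against a run with "--range all" before concluding the uncompressed archive is skipped. A one-line comment above "Range = since -7 days" recording why the default range was changed would also help whoever maintains this file next.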

and I set up a cronjob to get weekly mails. Now I noticed that not all my
login attempts using sshd were shown in these mails, so I tried to start
debugging it.

The strange thing is that when I do:

logwatch --service sshd --archives

I get only 3 logins: 2 from "mderickx" and 1 from "sageslave" (see Output 1
below).

While a simple grep of the log directory shows that in the last week there
were also 2+8=10 logins (see Output 2 below). The 8 additional logins are in
the auth.log.1 file. According to the documentation of the --archives argument,
the auth.log.1 file should also get checked. I quote the documentation:

--archives
Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as
archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).  When used
with "--range all", this option will make Logwatch search through the
archives in addition to the regular logfiles.  For other values of --range,
Logwatch will search the appropriate archived logs.


The strange thing is that if I now do:

root@md:/var/log# gzip auth.log.1

and then

logwatch --service sshd --archives

then I do get the expected amount of 10 logins for the user mderickx in the
logwatch output. So it seems that, in contrast to what the documentation
suggests, the uncompressed archive /var/log/auth.log.1 is not checked!


While debugging the above (I'd rather not mess with my logfiles when not
necessary) I copied auth.log and auth.log.1 to /tmp and modified the
files to see how logwatch would react. And the strange thing is that when I
did

logwatch --logdir /tmp

I also got a lot of logwatch output related to, for example, apache while
there are no apache logs in /tmp. It seems like it also goes to /var/log
for files it cannot find in /tmp, which again doesn't match the
documentation.

--logdir directory
    Look in directory for log subdirectories or log files instead of the
    default directory.

It clearly says "instead" and not "in addition to" or something like "first
look in directory and if it is not found look in the default directory".



I hope I didn't scare you with the long mail, but I think it will be more
useful than a short cryptic question in which it is harder to see what the
exact problem is.

Thanks, Maarten


Output 1:

root@md:/var/log# logwatch --service sshd --archives

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Sun Apr 29 13:46:24 2012
        Date Range Processed: since -7 days
                              ( 2012-Apr-22 / 2012-Apr-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: md
  ##################################################################

 --------------------- SSHD Begin ------------------------

 Users logging in through sshd:
    mderickx:
       82.139.86.4 (ip82-139-86-4.lijbrandt.net): 2 times
    sageslave:
       127.0.0.1 (localhost): 1 time

 ---------------------- SSHD End -------------------------


 ###################### Logwatch End #########################




Output 2:

root@md:/var/log# grep -r sshd ./ | grep mderickx | grep Accepted
./auth.log.1:Apr 26 13:01:02 mdsage sshd[4001]: Accepted publickey for mderickx from 82.139.86.4 port 38018 ssh2
./auth.log.1:Apr 26 13:03:09 mdsage sshd[4074]: Accepted publickey for mderickx from 82.139.86.4 port 45710 ssh2
./auth.log.1:Apr 26 13:03:33 mdsage sshd[4089]: Accepted publickey for mderickx from 82.139.86.4 port 33735 ssh2
./auth.log.1:Apr 26 16:34:02 mdsage sshd[6821]: Accepted publickey for mderickx from 82.139.86.4 port 41634 ssh2
./auth.log.1:Apr 26 18:41:18 mdsage sshd[9467]: Accepted publickey for mderickx from 82.139.86.4 port 35548 ssh2
./auth.log.1:Apr 28 14:41:20 mdsage sshd[1414]: Accepted publickey for mderickx from 82.139.86.4 port 33067 ssh2
./auth.log.1:Apr 29 01:19:22 mdsage sshd[16827]: Accepted publickey for mderickx from 82.139.86.4 port 45557 ssh2
./auth.log.1:Apr 29 01:37:01 mdsage sshd[17073]: Accepted publickey for mderickx from 82.139.86.4 port 45161 ssh2
./auth.log:Apr 29 12:27:53 mdsage sshd[23051]: Accepted publickey for mderickx from 82.139.86.4 port 43719 ssh2
./auth.log:Apr 29 12:54:08 mdsage sshd[26049]: Accepted publickey for mderickx from 82.139.86.4 port 43200 ssh2
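As an added example (not code from this mail or from Logwatch), a shell cross-check that does what the grep in Output 2 does, but over the live auth.log, the uncompressed auth.log.1 and any gzip'd auth.log.N.gz together, tallying accepted sshd logins per user and source address so the totals can be compared against the "Users logging in through sshd" section. It assumes Debian's auth.log naming and applies no date range, so it counts everything in the files present; the sample logs it builds are constructed, using the host name and addresses from the mail.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: count sshd "Accepted" logins
# per user and source IP across the live auth.log, the uncompressed rotated
# auth.log.1 and gzip'd auth.log.N.gz files, as an independent cross-check of
# the "Users logging in through sshd" section that Logwatch prints.

# Print "count user ip" for every accepted login found under $1.
count_ssh_logins() {
    dir=$1
    for f in "$dir"/auth.log "$dir"/auth.log.[0-9]*; do
        [ -f "$f" ] || continue           # unmatched glob or missing file
        case $f in
            *.gz) gzip -dc "$f" ;;        # rotated and compressed archive
            *)    cat "$f" ;;             # live log or uncompressed archive
        esac
    done | awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" {
            # ... Accepted <method> for <user> from <ip> port <n> ssh2
            user = ""; ip = ""
            for (i = 7; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (user != "" && ip != "") n[user " " ip]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Constructed sample logs in a temp directory: the live file, an uncompressed
# auth.log.1 and a gzip'd auth.log.2.gz (host name and IPs as in the mail).
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
      'Apr 29 12:27:53 mdsage sshd[23051]: Accepted publickey for mderickx from 82.139.86.4 port 43719 ssh2' \
      'Apr 29 12:27:53 mdsage sshd[23051]: pam_unix(sshd:session): session opened for user mderickx by (uid=0)' \
      'Apr 29 12:54:08 mdsage sshd[26049]: Accepted publickey for mderickx from 82.139.86.4 port 43200 ssh2' \
      > "$d/auth.log"
    printf '%s\n' \
      'Apr 26 13:01:02 mdsage sshd[4001]: Accepted publickey for mderickx from 82.139.86.4 port 38018 ssh2' \
      'Apr 26 13:03:09 mdsage sshd[4074]: Accepted publickey for mderickx from 82.139.86.4 port 45710 ssh2' \
      'Apr 27 09:00:00 mdsage sshd[5000]: Accepted password for sageslave from 127.0.0.1 port 50000 ssh2' \
      > "$d/auth.log.1"
    printf '%s\n' \
      'Apr 20 08:00:00 mdsage sshd[100]: Accepted publickey for mderickx from 82.139.86.4 port 30000 ssh2' \
      | gzip -c > "$d/auth.log.2.gz"
    echo "$d"
}

count_ssh_logins "$(make_sample_logs)"
```

Running it against /var/log instead of the sample directory gives the per-user totals to hold against the Logwatch SSHD section; a mismatch points at whichever rotated file Logwatch did not read.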
