View Issue Details
Field | Value
---|---
ID | 0017755
Project | CentOS-8
Category | logwatch
View Status | public
Date Submitted | 2020-09-25 10:50
Last Update | 2020-09-25 10:50
Reporter | podol
Assigned To | 
Priority | normal
Severity | minor
Reproducibility | always
Status | new
Resolution | open
Product Version | 8.2.2004
Summary | 0017755: Logwatch reports sudo commands as unmatched entries
Description

Verified with Logwatch version: 7.4.3-9.el8

When Logwatch generates a report and there are some "sudo" entries in /var/log/secure, it puts them as "Unmatched Entries".

RCA. For CentOS 8.X, the /var/log/secure format for an example "sudo" entry looks like this:

#v+
<date> <hostname> sudo[<number>]: <login> : <command>
#v-

The rule matching "sudo" entries in Logwatch looks like this (line 216, /usr/share/logwatch/scripts/services/secure):

#v+
( $ThisLine =~ /^sudo:/) or
#v-

Result: entries with "sudo[<number>]:" will be missed and thrown to unmatched entries, as the matcher expects "sudo:", without brackets, without numbers.

Example solution:

#v+
( $ThisLine =~ /^sudo\[[0-9]+\]:/) or
#v-

Steps To Reproduce

1. Log in to a CentOS 8 system with Logwatch installed.
2. Execute some sudo commands.
3. Wait for the report or execute "logwatch --range today" and look under **Unmatched Entries** of the "Connections (secure-log)" section.

Additional Information

This issue is not present in CentOS 7.X despite the same rule catcher in Logwatch, because the format of /var/log/secure for "sudo" entries looks like this:

#v+
<date> <hostname> sudo: <login> : <command>
#v-

Tags: No tags attached.
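The mismatch described in the report, and the effect of its proposed fix, checked against sample log lines. This is an added example, not code from the report or from Logwatch; it is written in Python rather than Logwatch's Perl, but the patterns are the same regular expressions character for character. The /var/log/secure lines are constructed to follow the two formats quoted in the report (CentOS 8 with a bracketed PID, CentOS 7 without), and the header-stripping helper is an assumption about how Logwatch removes the `<date> <hostname>` prefix before the service script tests `$ThisLine` (the rule is anchored on `^sudo`, so the prefix must already be gone). The third pattern, which makes the bracketed PID optional, is not from the report; it is included because the report's own example fix requires the brackets and would therefore stop matching the CentOS 7 format quoted under Additional Information.

```python
import re

# Constructed sample /var/log/secure lines, not captured from a real host.
# Lines 1 and 3 follow the CentOS 8 format quoted in the report (PID in
# brackets); line 2 follows the CentOS 7 format (no PID); line 4 is an
# unrelated sshd entry that no sudo rule should ever claim.
SAMPLE_LINES = [
    "Sep 25 10:50:01 centos8 sudo[12345]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root",
    "Sep 25 10:50:02 centos7 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Sep 25 10:50:03 centos8 sudo[12346]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo",
    "Sep 25 10:50:04 centos8 sshd[2222]: Accepted publickey for carol from 192.0.2.10 port 51234 ssh2",
]

# Assumption: Logwatch strips the "<date> <hostname> " syslog header before the
# secure service script tests $ThisLine, which is why the rule can anchor on
# ^sudo. This helper mimics that for traditional syslog timestamps only.
HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")


def strip_header(line):
    """Return the line as the service script would see it in $ThisLine."""
    return HEADER.sub("", line, count=1)


# The matchers as Python regexes; the syntax is identical in Perl.
RULES = {
    "current": re.compile(r"^sudo:"),               # the rule at line 216 today
    "proposed": re.compile(r"^sudo\[[0-9]+\]:"),    # the report's example solution
    "both": re.compile(r"^sudo(?:\[[0-9]+\])?:"),   # added here: PID optional
}

# Pull "<login> : <command>" out of a matched sudo entry, either format.
ENTRY = re.compile(r"^sudo(?:\[[0-9]+\])?:\s+(?P<login>\S+)\s+:\s+(?P<rest>.*)$")


def split_lines(lines, rule):
    """Return (matched, unmatched) header-stripped lines for one rule.

    "Unmatched" here means not claimed by this sudo rule; in the real script
    other rules would still claim the sshd line."""
    matched, unmatched = [], []
    for raw in lines:
        this_line = strip_header(raw)
        (matched if rule.search(this_line) else unmatched).append(this_line)
    return matched, unmatched


def sudo_summary(lines, rule):
    """Map login -> list of COMMAND= values for the entries a rule matches."""
    summary = {}
    for this_line in split_lines(lines, rule)[0]:
        m = ENTRY.match(this_line)
        if not m:
            continue
        fields = dict(
            f.strip().split("=", 1)
            for f in m.group("rest").split(" ; ")
            if "=" in f
        )
        summary.setdefault(m.group("login"), []).append(fields.get("COMMAND", ""))
    return summary


if __name__ == "__main__":
    for name, rule in RULES.items():
        matched, unmatched = split_lines(SAMPLE_LINES, rule)
        print(f"{name}: {len(matched)} matched, {len(unmatched)} unmatched")
        for line in unmatched:
            print("    unmatched:", line)
        print("    summary:", sudo_summary(SAMPLE_LINES, rule))
```

Run as a script it prints, for each rule, which constructed lines would fall through to Unmatched Entries: the current rule drops both CentOS 8 lines, the proposed rule drops the CentOS 7 line instead, and only the optional-PID form keeps all three sudo entries while still leaving the sshd line alone.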
Date Modified | Username | Field | Change |
---|---|---|---|
2020-09-25 10:50 | podol | New Issue |