View Issue Details

ID: 0017755
Project: CentOS-8
Category: logwatch
View Status: public
Last Update: 2020-09-25 10:50
Reporter: podol
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.2.2004
Target Version:
Fixed in Version:
Summary: 0017755: Logwatch reports sudo commands as unmatched entries
Description: Verified with Logwatch version: 7.4.3-9.el8

When Logwatch generates a report and there are "sudo" entries in /var/log/secure, it lists them under "Unmatched Entries".

RCA:
For CentOS 8.X, the /var/log/secure format for an example "sudo" entry looks like this:
#v+
<date> <hostname> sudo[<number>]: <login> : <command>
#v-

The rule matching "sudo" entries in Logwatch looks like this (line 216 of /usr/share/logwatch/scripts/services/secure):
#v+
      ( $ThisLine =~ /^sudo:/) or
#v-

Result: entries of the form "sudo[<number>]:" are missed and thrown into unmatched entries, because the matcher expects "sudo:" with no brackets and no number.

Example solution:
#v+
      ( $ThisLine =~ /^sudo\[[0-9]+\]:/) or
#v-
Steps To Reproduce:
1. Log in to a CentOS 8 system with Logwatch installed.
2. Execute some sudo commands.
3. Wait for the report, or execute "logwatch --range today", and look at the **Unmatched Entries** of the "Connections (secure-log)" section.
Additional Information: This issue is not present in CentOS 7.X, despite the same rule in Logwatch, because the /var/log/secure format for "sudo" entries there looks like this:
#v+
<date> <hostname> sudo: <login> : <command>
#v-
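To show why the CentOS 7 and CentOS 8 formats behave differently against the rule quoted above, here is an added example (not Logwatch code) that runs the original rule, the fix proposed in this report, and a third pattern accepting both formats over constructed log lines. It assumes, as the `^sudo` anchor in the rule implies, that the service script sees each line with the "<date> <hostname> " prefix already stripped.

```python
import re

# Rule as quoted from the secure service script (line 216).
ORIGINAL_RULE = re.compile(r"^sudo:")
# Fix proposed in this report: only the CentOS 8 "sudo[<pid>]:" form.
REPORT_FIX = re.compile(r"^sudo\[[0-9]+\]:")
# Pattern that accepts both formats (optional "[<pid>]"), so one rule
# file can serve CentOS 7 and CentOS 8 logs alike.
PORTABLE_RULE = re.compile(r"^sudo(?:\[[0-9]+\])?:")

# Constructed sample entries, prefix already removed (assumption above).
CENTOS7_LINE = "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"
CENTOS8_LINE = "sudo[12345]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"
OTHER_LINE = "sshd[999]: Accepted publickey for bob from 192.0.2.10 port 50000 ssh2"


def classify(line, rule):
    """Return 'matched' if the rule would consume the line, else 'unmatched'."""
    return "matched" if rule.search(line) else "unmatched"


def unmatched_entries(lines, rule):
    """Mimic Logwatch's leftover bucket: the lines the given rule does not match."""
    return [line for line in lines if not rule.search(line)]


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE),
                       ("report fix", REPORT_FIX),
                       ("portable", PORTABLE_RULE)):
        print(name, "->", unmatched_entries([CENTOS7_LINE, CENTOS8_LINE, OTHER_LINE], rule))
```

With the original rule the CentOS 8 line lands in the unmatched bucket; with the report's fix the CentOS 7 line does instead; only the combined pattern leaves just the unrelated sshd line unmatched.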
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified: 2020-09-25 10:50 | Username: podol | Field: New Issue | Change: