View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| --- | --- | --- | --- | --- | --- |
| 0017755 | CentOS-8 | logwatch | public | 2020-09-25 10:50 | 2020-09-25 10:50 |
Summary: 0017755: Logwatch reports sudo commands as unmatched entries

Description: Verified with Logwatch version: 7.4.3-9.el8
When Logwatch generates a report and there are some "sudo" entries in /var/log/secure, it lists them as "Unmatched Entries".
On CentOS 8.X, an example "sudo" entry in /var/log/secure looks like this:
<date> <hostname> sudo[<number>]: <login> : <command>
The rule matching "sudo" entries in Logwatch looks like this (line 216, /usr/share/logwatch/scripts/services/secure):
( $ThisLine =~ /^sudo:/) or
Result: entries with "sudo[<number>]:" are missed and thrown to unmatched entries, as the matcher expects "sudo:" without brackets or numbers.
( $ThisLine =~ /^sudo\[[0-9]+\]:/) or
Steps To Reproduce:
1. Log in to a CentOS 8 system with Logwatch installed.
2. Execute some sudo commands.
3. Wait for the report or execute "logwatch --range today" and look under **Unmatched Entries** of the "Connections (secure-log)" section.

Additional Information: This issue is not present in CentOS 7.X despite the same matching rule in Logwatch, because the /var/log/secure format for "sudo" entries looks like this:
<date> <hostname> sudo: <login> : <command>
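As an added illustration (not part of this report and not Logwatch's own code), the following Python script applies the current rule from line 216, the reporter's proposed rule, and a combined rule that I add here to constructed CentOS 7-style and CentOS 8-style entries, and shows which lines would land in "Unmatched Entries" under each. The regex syntax is the same in Perl and Python, so the patterns are copied verbatim. It assumes that Logwatch strips the "<date> <hostname> " syslog prefix before the secure service script matches $ThisLine, which is what the "^" anchor in the rule implies; the log lines, hostnames and PID are constructed samples, not real data.

```python
import re

# Rules as they appear in the bug report (Perl and Python share this regex syntax).
OLD_RULE = re.compile(r"^sudo:")            # current rule, line 216 of scripts/services/secure
NEW_RULE = re.compile(r"^sudo\[[0-9]+\]:")  # reporter's proposed replacement
# Added generalization (not from the report): accept both the bare "sudo:" tag and the
# "sudo[<pid>]:" tag, so a single rule in the shared script covers CentOS 7 and CentOS 8.
COMBINED_RULE = re.compile(r"^sudo(\[[0-9]+\])?:")

# Assumption: Logwatch removes the "<date> <hostname> " syslog header before the service
# script sees $ThisLine; the "^" anchor in the rule only makes sense under that assumption.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")

# Constructed sample entries modelled on the two formats quoted in the report.
SAMPLE_LINES = [
    "Sep 25 10:50:01 c7host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Sep 25 10:50:02 c8host sudo[12345]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Sep 25 10:50:03 c8host sshd[2222]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
]


def strip_syslog_header(line):
    """Return the message part of a syslog line (e.g. 'sudo[123]: ...') with the header removed."""
    return SYSLOG_HEADER.sub("", line, count=1)


def is_sudo_entry(line, rule):
    """True if the given rule would claim this line as a sudo entry."""
    return rule.search(strip_syslog_header(line)) is not None


def classify(lines, rule):
    """Split lines into (matched, unmatched), mimicking how lines fall into Unmatched Entries."""
    matched, unmatched = [], []
    for line in lines:
        (matched if is_sudo_entry(line, rule) else unmatched).append(line)
    return matched, unmatched


# Body parser for either tag form: "sudo: <login> : <details>" or "sudo[<pid>]: <login> : <details>".
SUDO_BODY = re.compile(r"^sudo(?:\[[0-9]+\])?:\s+(\S+)\s+:\s+(.*)$")


def parse_sudo_entry(line):
    """Return (login, details) for a sudo entry in either format, or None for other lines."""
    m = SUDO_BODY.match(strip_syslog_header(line))
    if m is None:
        return None
    return m.group(1), m.group(2)


if __name__ == "__main__":
    for name, rule in (("current", OLD_RULE), ("proposed", NEW_RULE), ("combined", COMBINED_RULE)):
        matched, unmatched = classify(SAMPLE_LINES, rule)
        print(f"{name:9s} rule: {len(matched)} sudo, {len(unmatched)} unmatched")
        for line in unmatched:
            print("    unmatched:", strip_syslog_header(line))
    for line in SAMPLE_LINES:
        print(parse_sudo_entry(line))
```

Running it shows the trade-off the report's proposed rule introduces: "^sudo:" matches only the CentOS 7 line, "^sudo\[[0-9]+\]:" matches only the CentOS 8 line, and only the combined pattern accepts both, which matters because the same secure script ships for both releases. The sshd line is correctly left alone by every rule.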
Tags: No tags attached.