Unmatched entries in cron and secure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
logwatch (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
On an Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-128-generic x86_64) monitoring server, we collect logs from our network. This network contains Scientific Linux 7.3 desktops and servers, and our authentication server is based on FreeIPA.
When running logwatch on the monitoring server I get many unmatched entries.
-------
**Unmatched Entries**
NULL security context for user, but SELinux in permissive mode, continuing ()
NULL security context for user, but SELinux in permissive mode, continuing ()
NULL security context for user, but SELinux in permissive mode, continuing ()
......
NULL security context for user, but SELinux in permissive mode, continuing ()
NULL security context for user, but SELinux in permissive mode, continuing ()
NULL security context for user, but SELinux in permissive mode, continuing ()
-------
-------
**Unmatched Entries**
systemd-logind: New session 136179 of user icinga.: 1 Time(s)
systemd-logind: New session 136180 of user icinga.: 1 Time(s)
......
systemd-logind: New session 136181 of user icinga.: 1 Time(s)
systemd-logind: New session 136183 of user icinga.: 1 Time(s)
systemd-logind: Removed session 163125.: 1 Time(s)
systemd-logind: Removed session 163126.: 1 Time(s)
......
systemd-logind: Removed session 163127.: 1 Time(s)
systemd-logind: Removed session 77001.: 1 Time(s)
systemd-logind: Removed session 77002.: 1 Time(s)
------
For cron I would recommend grouping them and just reporting the number of events.
For secure-log I would recommend ignoring the closing of the session, grouping the opening of a session for a user, and reporting the username with the number of events.
I attached a patch as we currently use it in our system.
~# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
~# apt-cache policy logwatch
logwatch:
Installed: 7.4.0+svn201305
Candidate: 7.4.0+svn201305
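
The grouping recommended above, as an added Python sketch. It is not the attached patch and not logwatch's own code, which is Perl. The function names and sample lines are constructed here, and the input is assumed to have the syslog timestamp and host prefix already stripped.

```python
import re
from collections import Counter

# Message formats taken from the unmatched entries quoted in the report.
NULL_CTX = re.compile(r"NULL security context for user, "
                      r"but SELinux in permissive mode, continuing \(.*\)")
NEW_SESSION = re.compile(r"systemd-logind: New session (\S+) of user (\S+?)\.")
REMOVED_SESSION = re.compile(r"systemd-logind: Removed session \S+\.")

def summarize_cron(lines):
    """Count the NULL-context notices; return (count, still_unmatched)."""
    count, unmatched = 0, []
    for line in map(str.strip, lines):
        if NULL_CTX.fullmatch(line):
            count += 1
        elif line:
            unmatched.append(line)
    return count, unmatched

def summarize_secure(lines):
    """Count session openings per user and drop closings.

    Returns (Counter of user -> openings, still_unmatched)."""
    opened, unmatched = Counter(), []
    for line in map(str.strip, lines):
        m = NEW_SESSION.fullmatch(line)
        if m:
            opened[m.group(2)] += 1
        elif REMOVED_SESSION.fullmatch(line):
            continue  # session closings are not reported
        elif line:
            unmatched.append(line)
    return opened, unmatched

# Constructed sample input (hypothetical user john.doe, hypothetical last line).
CRON_SAMPLE = ["NULL security context for user, "
               "but SELinux in permissive mode, continuing ()"] * 3
SECURE_SAMPLE = [
    "systemd-logind: New session 136179 of user icinga.",
    "systemd-logind: New session 136180 of user icinga.",
    "systemd-logind: New session 136181 of user john.doe.",
    "systemd-logind: Removed session 163125.",
    "systemd-logind: Something else entirely",
]

if __name__ == "__main__":
    count, _ = summarize_cron(CRON_SAMPLE)
    print(f"NULL security context (SELinux permissive): {count} Time(s)")
    opened, rest = summarize_secure(SECURE_SAMPLE)
    for user, times in sorted(opened.items()):
        print(f"New session of user {user}: {times} Time(s)")
    for line in rest:
        print(f"Unmatched: {line}")
```

Lines that match none of the three patterns are returned separately rather than dropped, so unexpected messages still surface in the unmatched section.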
tags: removed: patch
The attachment "Patch according to the recommendation within the bug report." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]