Unmatched entries in cron and secure

Bug #1710971 reported by Christian Mertes
Affects: logwatch (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

We collect on an Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-128-generic x86_64) monitoring server logs from our network. This network contains Scientific Linux 7.3 desktops and servers and our authentication server is based on FreeIPA.

When running logwatch on the monitoring server I get many unmatched entries.

--------------------- Cron Begin ------------------------

 **Unmatched Entries**
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
......
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()

---------------------- Cron End -------------------------

--------------------- Connections (secure-log) Begin ------------------------

 **Unmatched Entries**
    systemd-logind: New session 136179 of user icinga.: 1 Time(s)
    systemd-logind: New session 136180 of user icinga.: 1 Time(s)
......
    systemd-logind: New session 136181 of user icinga.: 1 Time(s)
    systemd-logind: New session 136183 of user icinga.: 1 Time(s)
    systemd-logind: Removed session 163125.: 1 Time(s)
    systemd-logind: Removed session 163126.: 1 Time(s)
......
    systemd-logind: Removed session 163127.: 1 Time(s)
    systemd-logind: Removed session 77001.: 1 Time(s)
    systemd-logind: Removed session 77002.: 1 Time(s)

 ---------------------- Connections (secure-log) End -------------------------

For cron I would recommend to group them and just report the number of events.

For secure-log I would recommend to ignore the closing of the session and group the opening of a session for a user and report the username with the number of events.

I attached a patch as we currently use it in our system.

~# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04

~# apt-cache policy logwatch
logwatch:
  Installed: 7.4.0+svn20130529rev144-1ubuntu1.1
  Candidate: 7.4.0+svn20130529rev144-1ubuntu1.1
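
The grouping recommended in the report above, as an added example that is not part of the original report and is neither logwatch's own code nor the attached patch. It assumes a generic syslog line layout; the function name `summarize`, the hosts, PIDs, the user "alice" and the last sample message are constructed.

```python
import re
from collections import Counter

# Constructed sample input: hosts, PIDs, timestamps, user "alice" and the last
# message are invented; the other message texts are quoted from the report.
SAMPLE = """\
Aug 15 10:00:01 ws01 crond[2211]: NULL security context for user, but SELinux in permissive mode, continuing ()
Aug 15 10:00:02 ws01 systemd-logind[612]: New session 136179 of user icinga.
Aug 15 10:00:03 ws01 systemd-logind[612]: Removed session 136179.
Aug 15 10:01:01 ws02 crond[1874]: NULL security context for user, but SELinux in permissive mode, continuing ()
Aug 15 10:01:02 ws02 systemd-logind[598]: New session 77001 of user icinga.
Aug 15 10:01:04 ws02 systemd-logind[598]: New session 77002 of user alice.
Aug 15 10:01:09 ws02 systemd-logind[598]: constructed message that no rule covers
"""

# Assumed layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
NEW_SESSION = re.compile(r"^New session \S+ of user (?P<user>\S+?)\.$")
REMOVED_SESSION = re.compile(r"^Removed session \S+\.$")
CRON_NULL_CTX = "NULL security context for user, but SELinux in permissive mode, continuing"


def summarize(text):
    """Group the two noisy message types; keep everything else visible."""
    cron_null_ctx, sessions, unmatched = 0, Counter(), Counter()
    for raw in filter(str.strip, text.splitlines()):
        m = LINE.match(raw)
        if not m:
            unmatched[raw] += 1
            continue
        prog, msg = m["prog"], m["msg"]
        opened = NEW_SESSION.match(msg) if prog == "systemd-logind" else None
        if prog.lower() == "crond" and msg.startswith(CRON_NULL_CTX):
            cron_null_ctx += 1                    # cron: report only the count
        elif opened:
            sessions[opened["user"]] += 1         # logind: count opens per user
        elif prog == "systemd-logind" and REMOVED_SESSION.match(msg):
            continue                              # logind: session close is ignored
        else:
            unmatched[f"{prog}: {msg}"] += 1      # anything else still surfaces
    return {"cron_null_ctx": cron_null_ctx, "sessions": dict(sessions),
            "unmatched": dict(unmatched)}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"cron: NULL security context (SELinux permissive): {report['cron_null_ctx']} Time(s)")
    for user, n in sorted(report["sessions"].items()):
        print(f"systemd-logind: sessions opened for {user}: {n} Time(s)")
    for entry, n in report["unmatched"].items():
        print(f"unmatched: {entry}: {n} Time(s)")
```

Because the suppression rules are anchored to the full message, a logind line that merely starts like a session close still lands in the unmatched list instead of being dropped.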

Christian Mertes (mertes) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch according to the recommendation within the bug report." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: removed: patch
Christian Ehrhardt (paelzer) wrote :

Hi Christian,
while I agree with the patterns and the counters this should be suggested upstream first.
Once integrated there the next merge will pick it up automatically.
And having it there ensures that SRU backports and what comes due to upgrades will not diverge.

Upstream is at [1] and despite everybody thinking "uh sourceforge" it seems active still.

So I'd like to ask you if you could report an issue there, provide your change and mention the opened issue here.
The bug will be auto-updated once that is accepted and we can then consider backports.

[1]: https://sourceforge.net/p/logwatch/git/ci/master/tree/

Bryce Harrington (bryce) wrote :

Thanks for forwarding your change upstream, it looks like they've incorporated the systemd-logind log handling, via commits dcb79597 and 44d6719b (the latter including mention of your patch), which are now included in the 7.5.0 release. So, I think we can close this bug as fixed in eoan. 14.04.6 support ended last month, so this isn't a candidate for backporting to that release, but if you need it in bionic or xenial, feel free to reopen.

Btw, I notice upstream commit 4525ed0d tweaks the rules a bit to ignore New session entries, which may break your counting, so if that's something you're relying on you may want to test out the upstream code. That change is included in upstream's 7.5.1 but not 7.5.0. Debian and Ubuntu are on 7.5.0 right now; I'm not sure when we'll be pulling in 7.5.1 but feel free to file a new bug if there's followup work needed here.

Changed in logwatch (Ubuntu):
status: New → Fix Released