Package: logcheck
Version: 1.3.20
Severity: wishlist

After updating the system from stretch to buster, the log lines relating to a failed login are no longer detected as security events. Running logcheck on a previous log file gives the correct result, so the problem may be in the formatting of the messages. logcheck is configured to send the report by local mail. I made some 'extra' tests from the command line on the single file (auth.log), but the result is the same as in the run scheduled by the system:

NEW MESSAGE

Test: new message sample (wrong detection):

Jul 10 10:23:36 xps su: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=pts/1 ruser=user rhost= user=root
Jul 10 10:23:38 xps su: FAILED SU (to root) user on pts/1

Running logcheck produces only the System Events output, no Security section:

System Events
=-=-=-=-=-=-=
...
Jul 10 10:23:36 xps su: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=pts/1 ruser=user rhost= user=root
Jul 10 10:23:38 xps su: FAILED SU (to root) user on pts/1
...

OLD MESSAGE

Test: old message sample (detected as security line):

Jul 5 16:34:16 xps su[25748]: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=/dev/pts/0 ruser=user rhost= user=root
Jul 5 16:34:17 xps su[25748]: pam_authenticate: Authentication failure
Jul 5 16:34:17 xps su[25748]: FAILED su for root by user

Running logcheck produces the expected output:

Security Events for su
=-=-=-=-=-=-=-=-=-=-=-
Jul 5 16:34:16 xps su[25748]: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=/dev/pts/0 ruser=user rhost= user=root
Jul 5 16:34:17 xps su[25748]: FAILED su for root by user

That's all.

Thanks in advance for support,
Enrico

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                                 3.118
ii  cron [cron-daemon]                      3.0pl1-134
ii  exim4-daemon-light [mail-transport-agent]  4.92-8
ii  lockfile-progs                          0.1.18
ii  logtail                                 1.3.20
ii  mime-construct                          1.11+nmu2
ii  rsyslog [system-log-daemon]             8.1901.0-1

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.20

Versions of packages logcheck suggests:
ii  syslog-summary  1.14-2.1

-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permesso negato: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permesso negato: '/etc/logcheck/logcheck.logfiles'

-- debconf-show failed
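The two sample pairs in the report differ in exactly the way a strict violation rule would trip over: the buster lines have no `su[PID]` tag, and the final message reads `FAILED SU (to root) user on pts/1` instead of `FAILED su for root by user`. The following is an added example, not code from the reporter or from the logcheck project: it runs two hypothetical rule sets, written in Python `re` syntax but modelled on the egrep style of logcheck's violations.d files, over the report's own lines (copied above as constructed samples). The `STRICT_RULES` patterns are an assumption standing in for a stretch-era rule that requires the PID and the old wording; `WIDE_RULES` shows how to accept both formats so that the failed su is reported as a security event either way.

```python
import re

# Constructed sample lines, copied from the bug report above (old = stretch
# format with a PID, new = buster format without it).
OLD_LINES = [
    "Jul 5 16:34:16 xps su[25748]: pam_unix(su:auth): authentication failure; "
    "logname=user uid=1001 euid=0 tty=/dev/pts/0 ruser=user rhost= user=root",
    "Jul 5 16:34:17 xps su[25748]: pam_authenticate: Authentication failure",
    "Jul 5 16:34:17 xps su[25748]: FAILED su for root by user",
]
NEW_LINES = [
    "Jul 10 10:23:36 xps su: pam_unix(su:auth): authentication failure; "
    "logname=user uid=1001 euid=0 tty=pts/1 ruser=user rhost= user=root",
    "Jul 10 10:23:38 xps su: FAILED SU (to root) user on pts/1",
]

# Syslog prefix: month, day, time, host. syslog space-pads single-digit days,
# but the copy in the report lost that padding, so one or more spaces are allowed.
PREFIX = r"^\w{3} +[0-9]{1,2} [0-9:]{8} [\w.-]+ "

# Hypothetical stretch-era rules (an assumption, not logcheck-database's actual
# file): the PID in `su[NNN]` is mandatory, which is exactly what the new format
# lacks, and only the old "FAILED su for X by Y" wording is known.
STRICT_RULES = [
    PREFIX + r"su\[[0-9]+\]: pam_unix\(su:auth\): authentication failure;",
    PREFIX + r"su\[[0-9]+\]: FAILED su for \S+ by \S+$",
]

# Widened rules: PID optional, and both the old "FAILED su for X by Y" and the
# new "FAILED SU (to X) Y on TTY" wording accepted.
WIDE_RULES = [
    PREFIX + r"su(\[[0-9]+\])?: pam_unix\(su:auth\): authentication failure;",
    PREFIX + r"su(\[[0-9]+\])?: FAILED (su for \S+ by \S+|SU \(to \S+\) \S+ on \S+)$",
]


def security_events(lines, rules):
    """Return the lines that at least one violation rule matches, in input order."""
    compiled = [re.compile(r) for r in rules]
    return [line for line in lines if any(c.search(line) for c in compiled)]


def report(lines, rules, section="Security Events for su"):
    """Render a logcheck-style section; empty string when nothing matched."""
    hits = security_events(lines, rules)
    if not hits:
        return ""
    # logcheck underlines the title with "=-=-..." of the same length.
    underline = "=-" * (len(section) // 2) + "=" * (len(section) % 2)
    return section + "\n" + underline + "\n" + "\n".join(hits) + "\n"


if __name__ == "__main__":
    for label, lines in (("OLD", OLD_LINES), ("NEW", NEW_LINES)):
        print(f"{label} lines, strict rules:")
        print(report(lines, STRICT_RULES) or "(no security section)\n")
        print(f"{label} lines, widened rules:")
        print(report(lines, WIDE_RULES))
```

With the strict rules the old lines yield the same two-line "Security Events for su" section the report shows (the `pam_authenticate` line matches neither rule, which is consistent with its absence from the reporter's output), while the new lines yield nothing; with the widened rules both formats are reported.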

