Hi,
Since starting to use RHEL5 (been using primarily RHEL3 for
several years) I have noticed that my logwatch reports seem to be
missing some info on service connections. After further investigation, I
find that messages that were previously logged at the authpriv level by
xinetd (which goes to /var/log/secure) are now logging at another level
and ending up in /var/log/messages. The logwatch script 'secure' is
expecting to find them in /var/log/secure, so it never reports them.
The messages are of this format:
Jul 19 14:02:34 cpafiszk xinetd[1287]: START: login pid=22644 from=xxx.xxx.xxx.xxx
Jul 19 14:05:13 cpafiszk xinetd[1287]: START: daytime-stream pid=0 from=xxx.xxx.xxx.xxx
Jul 19 14:05:13 cpafiszk xinetd[1287]: START: shell pid=22685 from=xxx.xxx.xxx.xxx
Jul 19 14:45:28 cpafiszk xinetd[1287]: START: login pid=23096 from=xxx.xxx.xxx.xxx
The related line from /usr/share/logwatch/scripts/services/secure is:
} elsif ( (undef, $Service, $IP) = ($ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: START: ([^ ]+) pid=\d+ from=([^\n]+)$/) ) {
# grep authpriv /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.!info /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
I have not changed anything in syslog.conf related to authpriv, and I
confirmed with the following command that authpriv is going to
/var/log/secure:
logger -p authpriv.info test of authpriv
Any ideas or is this a bug?
Thanks,
Kevin
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
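
An added example (not part of the original post, and not logwatch code): a shell check that counts xinetd START records per service and source in whichever log files are named, to confirm which syslog destination actually receives them. The function names are hypothetical, and the sample lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example. Tallies xinetd START records using the same line shape
# that the logwatch 'secure' pattern quoted above matches.

# xinetd_starts [FILE...] : print "count service source" for each pair.
xinetd_starts() {
    awk '
    $5 ~ /^xinetd(-ipv6)?\[[0-9]+\]:$/ && $6 == "START:" &&
    $8 ~ /^pid=[0-9]+$/ && $9 ~ /^from=/ {
        src = $9; sub(/^from=/, "", src)   # keep only the source address
        n[$7 " " src]++                    # key: "service source"
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k2,3
}

# where_logged FILE... : print "FILE total" so the file that really holds
# the START records stands out.
where_logged() {
    for f in "$@"; do
        printf '%s %s\n' "$f" \
            "$(xinetd_starts "$f" | awk '{s += $1} END {print s + 0}')"
    done
}

# Constructed sample standing in for /var/log/messages; the addresses are
# documentation-range placeholders.
sample_messages() {
    cat <<'EOF'
Jul 19 14:02:34 host1 xinetd[1287]: START: login pid=22644 from=192.0.2.10
Jul 19 14:05:13 host1 xinetd[1287]: START: daytime-stream pid=0 from=192.0.2.10
Jul 19 14:05:13 host1 xinetd[1287]: START: shell pid=22685 from=192.0.2.11
Jul 19 14:45:28 host1 xinetd[1287]: START: login pid=23096 from=192.0.2.10
Jul 19 14:45:30 host1 xinetd[1287]: EXIT: login status=0 pid=23096 duration=2(sec)
Jul 19 14:50:01 host1 crond[2301]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Demo on constructed files; on a real host pass /var/log/secure and
# /var/log/messages instead.
tmp=$(mktemp -d)
sample_messages > "$tmp/messages"
echo 'Jul 19 14:01:00 host1 sshd[900]: Accepted password for alice from 192.0.2.10 port 4022 ssh2' > "$tmp/secure"
where_logged "$tmp/secure" "$tmp/messages"
xinetd_starts "$tmp/messages"
rm -rf "$tmp"
```

The facility xinetd logs to is set by the `log_type` attribute in its configuration (see xinetd.conf(5)), so that setting is worth comparing between the RHEL3 and RHEL5 hosts.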