Public bug reported:

On an Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-128-generic x86_64)
monitoring server, we collect logs from our network. This network
contains Scientific Linux 7.3 desktops and servers, and our
authentication server is based on FreeIPA.

When running logwatch on the monitoring server I get many unmatched
entries.

--------------------- Cron Begin ------------------------

 **Unmatched Entries**
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
......
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()
 NULL security context for user, but SELinux in permissive mode, continuing ()

---------------------- Cron End -------------------------

--------------------- Connections (secure-log) Begin ------------------------

 
 **Unmatched Entries**
    systemd-logind: New session 136179 of user icinga.: 1 Time(s)
    systemd-logind: New session 136180 of user icinga.: 1 Time(s)
......
    systemd-logind: New session 136181 of user icinga.: 1 Time(s)
    systemd-logind: New session 136183 of user icinga.: 1 Time(s)
    systemd-logind: Removed session 163125.: 1 Time(s)
    systemd-logind: Removed session 163126.: 1 Time(s)
......
    systemd-logind: Removed session 163127.: 1 Time(s)
    systemd-logind: Removed session 77001.: 1 Time(s)
    systemd-logind: Removed session 77002.: 1 Time(s)
 
 ---------------------- Connections (secure-log) End -------------------------

For cron I would recommend grouping them and just reporting the number
of events.

For secure-log I would recommend ignoring the closing of the session,
grouping the opening of a session for a user, and reporting the username
with the number of events.

I attached a patch as we currently use it in our system.

~# lsb_release -rd
Description:    Ubuntu 14.04.5 LTS
Release:        14.04

~# apt-cache policy logwatch
logwatch:
  Installed: 7.4.0+svn20130529rev144-1ubuntu1.1
  Candidate: 7.4.0+svn20130529rev144-1ubuntu1.1

** Affects: logwatch (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "Patch according to the recommendation within the bug report."
   https://bugs.launchpad.net/bugs/1710971/+attachment/4933038/+files/logwatch-unmatched-entries.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1710971

Title:
  Unmatched entries in cron and secure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1710971/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
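
The grouping recommended in the report, sketched as a stand-alone Perl script (Perl being the language logwatch's service scripts are written in). This is an added example, not the attached patch and not logwatch's own code; the lines under `__DATA__` are constructed from the entries quoted above, and the user `alice` and the `sshd` line are made up for illustration.

```perl
#!/usr/bin/perl
# Added illustration: not the attached patch, not logwatch's own code.
use strict;
use warnings;

my $cron_null_ctx = 0;   # occurrences of the repeated cron/SELinux message
my %sessions_opened;     # user name => number of "New session" events
my @unmatched;           # everything else stays visible in the report

while (my $line = <DATA>) {
    chomp $line;
    next if $line =~ /^\s*(?:#|$)/;   # skip comments/blank lines in the sample
    if ($line =~ /NULL security context for user, but SELinux in permissive mode, continuing \(\)\s*$/) {
        $cron_null_ctx++;                       # cron: count only
    }
    elsif ($line =~ /^\s*systemd-logind: New session \d+ of user (\S+?)\.\s*$/) {
        $sessions_opened{$1}++;                 # secure-log: group by user
    }
    elsif ($line =~ /^\s*systemd-logind: Removed session \d+\.\s*$/) {
        next;                                   # session close: ignored
    }
    else {
        push @unmatched, $line;                 # never silently drop unknowns
    }
}

print "NULL security context for user (SELinux permissive): $cron_null_ctx Time(s)\n"
    if $cron_null_ctx;
for my $user (sort keys %sessions_opened) {
    print "New session for user $user: $sessions_opened{$user} Time(s)\n";
}
if (@unmatched) {
    print "**Unmatched Entries**\n";
    print "    $_\n" for @unmatched;
}

__DATA__
# Constructed sample, modelled on the entries quoted in the report.
NULL security context for user, but SELinux in permissive mode, continuing ()
NULL security context for user, but SELinux in permissive mode, continuing ()
systemd-logind: New session 136179 of user icinga.
systemd-logind: New session 136180 of user icinga.
systemd-logind: New session 136200 of user alice.
systemd-logind: Removed session 163125.
systemd-logind: Removed session 77001.
sshd: Connection closed by 192.0.2.10 [preauth]
```

Lines that match none of the three patterns still land under Unmatched Entries, so the grouping reduces noise without hiding new message types.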
