# Logwatch problem, again !

## Anquietas

Hello again,

I've posted a Logwatch problem and a bug; it has still not been resolved for a couple of months now... What must I do for my bug to be considered around here?

The problem is in my Logwatch... I receive a Log Mail everyday informing me of what is happening on the Server.

```
sshd:
    Sessions Opened:
       tig3r_3d: 4 Time(s)
       anq: 1 Time(s)

 su:
    Sessions Opened:
       root -> root: 1 Time(s)               // This line is wrong! It should say the real user who su-ed to root.
```

The correct line should be:

```
...

su:
   Sessions Opened:
   anq(1000) -> root: 1 Time(s)
```

How can I determine who su-ed to root if Logwatch only shows that root su-ed to root, which is a nonsensical expression?

In other distributions this is not happening...

I really hope this time somebody will correct this bug.

Here is the bug report: https://bugs.gentoo.org/show_bug.cgi?id=269384

----------

## magic919

Looks OK for me. Further down the mail I get:

```
 --------------------- Connections (secure-log) Begin ------------------------

 Users performing Su Changes:
     normal_user:
          root 1 time(s)

 ---------------------- Connections (secure-log) End -------------------------
```

----------

## Anquietas

lol, it doesn't show me the mail like that, my mail format is a little different from yours... I see that your mail has a different style than mine does.

What logger do you use? syslog-ng with Logwatch? Or something else?

----------

## magic919

I use syslog-ng.

----------

## Anquietas

Me too, but the mail doesn't show like this...

Anyway, any more ideas on how to fix this?

----------

## magic919

I'm using version 7.3.6.  That might help.

----------

## Anquietas

That didn't help...

I use the latest Logwatch and syslog-ng from Portage....

I signaled this problem over 8 months ago, and it is still unresolved...

What must I do to get my problem resolved?

----------

## magic919

*Anquietas wrote:*

> What must I do to get my problem resolved?

You probably need to take some responsibility for solving it.  As you can see from my install, not everyone has this problem.  Note also, that this thread is not full of others with the same problem.

Have a look at how Logwatch works.  Kirk has written some documentation.  Check the filters and see how they work.  Make sure you have suitable log files for the filter concerned to give output.  If they don't exist it will just skip them.  Have a look at detail level too.

----------

## Anquietas

No, it's the latest version of Logwatch and syslog-ng... I, being a "server fleet admiral", administer a whole cluster full of interlinked Gentoo servers.

Each and every one of them has the latest syslog-ng and Logwatch from the newest Portage.

Believe me when I say that on each of them the mail format is the same and there is a bug in interpreting which user had su-ed or sudoed to root.

I will enter the source code and inspect it manually... and post the problem fix here.

Hopefully, I will spare somebody's time searching for the problem. Once the problem is presented, I SINCERELY HOPE SO, someone will update the package to eliminate this bug once and for all from the newest Portage packages.

Stay tuned for the fix, I will present it here in maximum a couple of days.

----------

## magic919

Fixed yet?

----------

## Anquietas

I've upgraded syslog... I'll wait for tomorrow morning's mail log.

----------

## cach0rr0

hrmmm

```
--------------------- pam_unix Begin ------------------------

 sshd:
    Sessions Opened:
       meat: 9 Time(s)

 su:
    Sessions Opened:
       root -> root: 2 Time(s)

 sudo:
    Sessions Opened:
       root -> root: 2 Time(s)


 ---------------------- pam_unix End -------------------------
```

Every time I would have done

```
sudo su -
```

as user 'meat'
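The two summaries above (the `anq(1000) -> root` line the first post expects, and the `root -> root` entries that appear after `sudo su -` as user `meat`) both come down to how the `by NAME(uid=N)` tail of the pam_unix "session opened" line is read. When `su` is launched from a shell that `sudo` has already made root, `su` runs with real uid 0, so the uid in that tail is 0 and a uid-only reading collapses to "root -> root". The following is an added example written for this thread, not code from Logwatch or from any poster: it parses constructed syslog lines in the classic `Mon DD HH:MM:SS host prog[pid]: pam_unix(svc:session): ...` shape (an assumption about the log layout; the exact contents of the `by` field vary across su, sudo and PAM versions), attributes each `su` session to the named caller when one is present, and otherwise correlates a root-by-root `su` with a `sudo` session opened on the same host a few seconds earlier. The uid-to-name table, the hostname and the 5-second window are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed syslog + pam_unix line shape (hypothetical layout, see lead-in).
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<svc>[\w.-]+):session\): session opened for user (?P<target>\S+) "
    r"by (?P<by_name>\S*)\(uid=(?P<by_uid>\d+)\)"
)

# Constructed passwd lookup; a real tool would use pwd.getpwuid().
PASSWD = {0: "root", 1000: "anq", 1001: "meat"}

# Constructed sample lines: a direct su by anq, then `sudo su -` by meat
# (sudo line followed by an su line whose caller is already uid 0), then a
# lone root-by-root su with no nearby sudo, plus daemon-opened sessions.
SAMPLE_LINES = [
    "Aug  2 09:00:01 gentoob0x sshd[4321]: pam_unix(sshd:session): session opened for user meat by (uid=0)",
    "Aug  2 09:00:20 gentoob0x su[4400]: pam_unix(su:session): session opened for user root by anq(uid=1000)",
    "Aug  2 09:01:05 gentoob0x sudo: pam_unix(sudo:session): session opened for user root by meat(uid=0)",
    "Aug  2 09:01:05 gentoob0x su[4450]: pam_unix(su:session): session opened for user root by (uid=0)",
    "Aug  2 09:02:00 gentoob0x su[4500]: pam_unix(su:session): session opened for user root by root(uid=0)",
    "Aug  2 09:30:00 gentoob0x CRON[5000]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_session(line, year=2009):
    """Return a dict for a pam_unix 'session opened' line, or None if it is not one."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["by_uid"] = int(ev["by_uid"])
    # syslog timestamps carry no year; the caller supplies it.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ev


def attribute(events, window_s=5):
    """Count (service, origin, target) triples.

    origin is the calling user for su/sudo sessions and None for sessions a
    daemon (sshd, cron, ...) opens on a user's behalf. A root-by-root su that
    follows a sudo session on the same host within window_s seconds is
    attributed to the user who invoked sudo.
    """
    counts = Counter()
    last_sudo = {}  # host -> (timestamp, invoking user)
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable: keeps log order on ties
        svc, host = ev["svc"], ev["host"]
        if svc not in ("su", "sudo"):
            counts[(svc, None, ev["target"])] += 1
            continue
        origin = ev["by_name"] or PASSWD.get(ev["by_uid"], f"uid={ev['by_uid']}")
        if svc == "sudo":
            last_sudo[host] = (ev["ts"], origin)
        elif origin == "root":
            prior = last_sudo.get(host)
            if prior and 0 <= (ev["ts"] - prior[0]).total_seconds() <= window_s:
                origin = f"{prior[1]} (via sudo)"
        counts[(svc, origin, ev["target"])] += 1
    return counts


def summarize(lines):
    """Parse raw lines and attribute them; non-session lines are ignored."""
    events = [ev for ev in (parse_session(l) for l in lines) if ev]
    return attribute(events)


def render(counts):
    """Render the counts in the indented style of the pam_unix summary above."""
    out = []
    for svc in sorted({k[0] for k in counts}):
        out += [f" {svc}:", "    Sessions Opened:"]
        for (s, origin, target), n in sorted(counts.items(), key=lambda kv: str(kv[0])):
            if s == svc:
                who = target if origin is None else f"{origin} -> {target}"
                out.append(f"       {who}: {n} Time(s)")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LINES)))
```

On the sample, the 09:01:05 `su` becomes `meat (via sudo) -> root` while the 09:02:00 one, with no `sudo` inside the window, stays `root -> root`; that remaining entry is the one worth a second look in a review, since it means a root session was opened from an already-root context that the log alone cannot attribute.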

----------

## Anquietas

Yep, the same old problem... still alive!

The logs say "root -> root" su-ed; in fact it was my simple user su-ing to root... It should have said something like "admin -> root"...

I've posted topics, I've posted bugs... nobody solved anything...

----------

## cach0rr0

at least you know you aren't alone

I spent a whopping 5 minutes trying to sift through the logwatch script, but when I realized it was 1100 lines long, not counting the other modules and everything else it included, I gave up (as well, it's not that important to me).

If you get anywhere and need someone to provide devs with environmental information, drop me a line. I don't have time to spend investigating myself, but I can certainly provide data to whomever may be investigating.

EDIT: my info

```
gentoob0x ~ # equery list |grep logwatch
sys-apps/logwatch-7.3.6
```

```
gentoob0x ~ # equery list |grep syslog-ng
app-admin/syslog-ng-2.1.3
```

```
gentoob0x meat # emerge --info
Portage 2.1.6.13 (hardened/linux/amd64/2008.0, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r9-x86_64-AMD_Phenom-tm-_9950_Quad-Core_Processor-with-gentoo-1.12.11.1
Timestamp of tree: Sun, 02 Aug 2009 01:45:01 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
app-shells/bash:     3.2_p39
dev-lang/python:     2.4.6, 2.5.4-r2, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 bcmath berkdb bzip2 cli cracklib crypt ctype cups curl dri dynamicplugin exif ftp gd gpm hardened iconv imap isdnlog json justify kerberos ldap maildir mmx mudflap multilib mysql nagios-ssh ncurses nls nptl nptlonly pam pcre pdo perl php pic pppd python readline reflection samba sasl session sieve simplexml smbkrb5passwd sni soap sockets spl sse sse2 ssl sysfs tcpd tokenizer unicode urandom wddx xml xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

----------

## Anquietas

So... more than a year has passed... and nobody did anything to solve this?
