# Logwatch and sshd verbosity

## Sedrik

Hi guys, I get the following reports from logwatch

```
Login attempted when not in AllowUsers list:

   bin : 1 Time(s)

   ftp : 1 Time(s)

   ldap : 1 Time(s)

   mail : 1 Time(s)

   man : 1 Time(s)

   mysql : 2 Time(s)

   news : 1 Time(s)

   operator : 1 Time(s)

   postmaster : 1 Time(s)

   root : 307 Time(s)

   smmsp : 1 Time(s)

   sshd : 1 Time(s)

   sync : 2 Time(s)

 SFTP subsystem requests: 3 Time(s)

 **Unmatched Entries**

 SSH: Server;Ltype: Version;Remote: 122.155.161.9-34198;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)

 SSH: Server;Ltype: Version;Remote: 220.172.191.31-52060;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)

 SSH: Server;Ltype: Version;Remote: 122.155.161.9-32985;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)

 SSH: Server;Ltype: Version;Remote: 122.155.161.9-55203;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)

...
```

Now the Unmatched Entries is a long long list and I was woundering what it means and what I can do to not show it. I have tried playing around with the detail level of logwatch but it shows even on detail=1

Thanks in advance

----------

## Quincy

I think logwatch will report every unmatched entry regardless of the detail level.

Perhaps you should have a look in the filter sets in /usr/share/logwatch/scripts/services/ or perhaps a newer version of logwatch already covers your unmatched entries.

----------

## pjturmel

These messages appear to be due to a logging patch.  Details here:

http://sourceforge.net/tracker/?func=detail&aid=3257504&group_id=312875&atid=1316824

The solution is to modify the script /usr/share/logwatch/scripts/services/sshd to include

```
($ThisLine =~ /^SSH: Server;L[Tt]ype: /)
```

in the "ignore these" section.

----------

