Logwatch pam_unix unmatched entries

Ok this post will need some work to pad it out and make more sense.
I’ve been running logwatch for years and a few months back had to reconfigure some of the configuration files after splitting out syslog to multiple files to make them easier to read, i.e. putting all cron stuff into cron.log, bind9 into named.log, etc.
After those simple changes my logwatch email went from a hundred or so lines to thousands, and until now I haven’t had time to look into it.
All the unmatched entries were against the cron log, and all were pam_unix stuff as cron goes off running stuff.

As I didn’t get these before I was a bit confused, but looking around at the configs and services there is a pam_unix.conf in the services. So after more changing and fiddling about I was still getting over 7k lines of logwatch email and no idea why. But tonight, on looking closer at the email, it’s the cron service that’s marking the entries as unmatched, not as I thought that pam_unix wasn’t going near the file (to be fair it probably isn’t, but that’s not why the lines are being included in the email).

I won’t run through my entire process of narrowing it down; to be fair I couldn’t remember every step I’ve done tonight anyway. Bottom line was modifying the following:-

/usr/share/logwatch/scripts/services/cron

Find the lines:

} elsif ($ThisLine =~ /FAILED to authorize user with PAM (User not known to the underlying authentication m$
      $PAMAUTHErr++;

Underneath insert the lines:-

} elsif ($ThisLine =~ /pam_unix/) {
      $PAMUNIXAUTHErr++;

Then search for:-

if ($PAMAUTHErr) {
      printf "\nPAM autentification error: " . $PAMAUTHErr . " time(s)\n";
}

and underneath insert the lines:-

if ($PAMUNIXAUTHErr) {
      printf "\nPAM_UNIX autentification error: " . $PAMUNIXAUTHErr . " time(s)\n";
}

Save the file, and that’s it.
Now instead of having 7k extra lines of pam_unix stuff, I have one line summing up.
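
The /pam_unix/ match above counts every pam_unix line in the cron log, routine session open/close entries and anything else pam_unix reports alike. As an added example (not code from this post or from the logwatch project), this stand-alone Perl script counts only the routine cron session lines and prints any other pam_unix line in full; the sample log lines and the summarise() helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the logwatch cron script: separates routine pam_unix
# session lines from any other pam_unix message in a cron log.
use strict;
use warnings;

# Constructed sample lines in the shape cron and pam_unix write to syslog.
my @sample = (
    'Jan 10 03:00:01 host CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)',
    'Jan 10 03:00:01 host CRON[2101]: pam_unix(cron:session): session closed for user root',
    'Jan 10 03:05:01 host CRON[2140]: pam_unix(cron:session): session opened for user backup by (uid=0)',
    'Jan 10 03:05:02 host CRON[2140]: pam_unix(cron:session): session closed for user backup',
    'Jan 10 03:10:01 host CRON[2177]: pam_unix(cron:account): account olduser has expired (account expired)',
);

# summarise() is a hypothetical helper: returns per-user open counts, the
# number of session closes, and every other pam_unix line kept verbatim.
sub summarise {
    my @lines = @_;
    my (%opened, @other);
    my $closed = 0;
    for my $ThisLine (@lines) {
        if ($ThisLine =~ /pam_unix\(cron:session\): session opened for user ([^\s(]+)/) {
            $opened{$1}++;
        } elsif ($ThisLine =~ /pam_unix\(cron:session\): session closed for user \S+/) {
            $closed++;
        } elsif ($ThisLine =~ /pam_unix/) {
            # Not routine session noise: keep the full line for the report.
            push @other, $ThisLine;
        }
    }
    return (\%opened, $closed, \@other);
}

my ($opened, $closed, $other) = summarise(@sample);

print "pam_unix cron sessions opened:\n";
printf "   %-10s %d time(s)\n", $_, $opened->{$_} for sort keys %$opened;
printf "pam_unix cron sessions closed: %d time(s)\n", $closed;
if (@$other) {
    print "\nOther pam_unix entries (not summarised):\n";
    print "   $_\n" for @$other;
}
```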

As a side problem, I’m now receiving clamav info when I wasn’t before, and I don’t run clamav or have the logfiles mentioned. That’s something to look at tomorrow, but at least the logwatch is back down to one small scrollable window, so even with the clamav annoying stuff I’m happy to be able to read the logwatch output easily again.

As the top says, this needs some cleaning up on edit. Hopefully I’ll get around to it in the next few days.
