OpenSSH log format change in RHEL 7.4 results in many unmatched output lines in logwatch

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 7.4
  • logwatch-7.4.0-32.20130522svn140.el7
  • openssh-server-7.4p1-12.el7_4

Issue

With RHEL 7.4, OpenSSH was updated, and logwatch now reports many of its log lines as unmatched, for example:

Disconnected from x.x.x.x port yyy : 1 time(s)
Disconnected from x.x.x.x  port yyy [preauth] : 1 time(s)
Received disconnect from x.x.x.x port yyy:11: disconnected by user : 1 time(s)
error: maximum authentication attempts exceeded for invalid user test from x.x.x.x port yyy ssh2 [preauth] : 1 time(s)
Received disconnect from x.x.x.x port yyy:11: disconnected by user [preauth] : 1 time(s)
Received disconnect from x.x.x.x port yyy:11:  [preauth] : 1 time(s)
Received disconnect from x.x.x.x port yyy:11: Bye Bye [preauth] : 1 time(s)
error: Received disconnect from x.x.x.x port yyy:3: com.zzz.zzException: Auth fail [preauth] : 1 time(s)
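The lines above all share the newer OpenSSH message layout: a `port NNN` field after the peer address and, for connections that never completed authentication, a trailing `[preauth]`. As an added illustration (this is not logwatch's own code or its Perl sshd patterns), the following Python matcher recognises that family of messages, counts them per category and authentication stage, and collects anything it does not recognise, which is the behaviour logwatch's "Unmatched Entries" section reflects. The sample log lines, hostnames, addresses and ports are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH 7.4 format: note the "port NNN" field
# and the optional "[preauth]" suffix. Some carry a syslog prefix, some do not.
SAMPLE_LINES = [
    "Aug  1 10:00:00 host1 sshd[1234]: Disconnected from 192.0.2.10 port 51234",
    "Disconnected from 192.0.2.10  port 51235 [preauth]",
    "Received disconnect from 192.0.2.11 port 40022:11: disconnected by user",
    "Received disconnect from 192.0.2.11 port 40023:11: disconnected by user [preauth]",
    "Received disconnect from 192.0.2.12 port 40024:11:  [preauth]",
    "Received disconnect from 192.0.2.12 port 40025:11: Bye Bye [preauth]",
    "error: Received disconnect from 192.0.2.13 port 40026:3: com.example.SshException: Auth fail [preauth]",
    "error: maximum authentication attempts exceeded for invalid user test from 192.0.2.14 port 40027 ssh2 [preauth]",
    # Outside the disconnect family handled here, so it must end up as unmatched.
    "pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

# Optional "Mon DD HH:MM:SS host sshd[pid]: " prefix found in /var/log/secure.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")

# Common tail: optional whitespace, optional "[preauth]" marker, end of line.
_TAIL = r"\s*(?P<preauth>\[preauth\])?$"

PATTERNS = [
    ("disconnected", re.compile(
        r"^Disconnected from (?P<host>\S+)\s+port (?P<port>\d+)" + _TAIL)),
    # Covers both the plain and the "error: " prefixed variant; the reason
    # between the numeric code and the tail may be empty.
    ("received_disconnect", re.compile(
        r"^(?:error: )?Received disconnect from (?P<host>\S+) port (?P<port>\d+)"
        r":(?P<code>\d+):\s*(?P<reason>.*?)" + _TAIL)),
    ("max_auth_exceeded", re.compile(
        r"^error: maximum authentication attempts exceeded for "
        r"(?P<user>invalid user \S+|\S+) from (?P<host>\S+) port (?P<port>\d+) ssh2" + _TAIL)),
]


def strip_prefix(line):
    """Remove a syslog/sshd prefix if present, leaving just the sshd message."""
    return SYSLOG_PREFIX.sub("", line.rstrip("\n"))


def classify(message):
    """Return (category, fields) for a recognised message, or (None, {}) otherwise."""
    for name, pattern in PATTERNS:
        match = pattern.match(message)
        if match:
            return name, match.groupdict()
    return None, {}


def summarize(lines):
    """Count recognised messages per (category, stage); keep unrecognised ones.

    stage is "preauth" when the message carries the [preauth] marker, else "session".
    """
    counts = Counter()
    unmatched = []
    for raw in lines:
        message = strip_prefix(raw)
        name, fields = classify(message)
        if name is None:
            unmatched.append(message)
            continue
        stage = "preauth" if fields.get("preauth") else "session"
        counts[(name, stage)] += 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE_LINES)
    for (name, stage), n in sorted(counts.items()):
        print(f"{name} ({stage}): {n} time(s)")
    print("Unmatched entries:")
    for entry in unmatched:
        print("   ", entry)
```

The `_TAIL` pattern is what the older logwatch rules lacked an equivalent of: without an optional `[preauth]` suffix and the `port NNN` field, every one of the sample disconnect lines falls through to the unmatched list, which is exactly the symptom described in this solution.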

Resolution

Update to logwatch-7.4.0-35.20130522svn140.el7_5 shipped with Advisory RHBA-2018:2445 or newer.

Root Cause

The logwatch package shipped before this fix did not yet account for all of the OpenSSH log format changes, so the affected lines were reported as unmatched.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
