[CentOS] secure file not updating

Sat Dec 13 18:10:14 UTC 2008
Mike -- EMAIL IGNORED <m_d_berger_1900 at yahoo.com>

On Sat, 13 Dec 2008 11:33:06 -0600, Barry Brimer wrote:

>>>> On my Centos 5 server, the secure file has not updated since Dec 10.
>>>> This despite the fact that I run an sshd server that I access many
>>>> times per day.  Most peculiar is the fact that a swatch monitor that
>>>> I run on the secure file catches plenty of lines.  It is as if when
>>>> swatch catches a line in the file, the line is removed from the file
>>>> and the modification date is set back.  Hard to believe.  Any ideas?
>>>
>>> What is the output of "lsattr /var/log/secure"?  Do you have SELinux
>>> enabled, and are there any corresponding lines in
>>> /var/log/audit/audit.log?
>>
>> # lsattr /var/log/secure
>> ------------- /var/log/secure
>>
>> selinux is disabled
>>
>> /var/log/audit/audit.log appears to have lines describing a login I did
>> a few minutes ago, and its modification date is correct.
>>
>> # ls -l /var/log/secure
>> -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
>>
>> # date
>> Sat Dec 13 09:42:36 EST 2008
> 
> Any unexpected syslog configuration?  Does a touch update the timestamp?

in syslog.conf:

# added by MDB
local0.*                /var/log/httpd/cgi_log
local1.*                /var/log/net_que
local2.*                /var/log/sock_mon
kern.=debug             /var/log/ipt_log

I also have added a number of things to logrotate.

These things have been working well for years, although only
a few months on "Centos.

"touch /var/log/secure" updated the timestamp as expected.

I note that early tomorrow morning the logrotate occurs.  I
wonder what will happen.

Mike.