On Fri, 12 Dec 2008 22:43:46 -0600, Barry Brimer wrote:
On my Centos 5 server, the secure file has not updated since Dec 10. This despite the fact that I run an sshd server that I access many times per day. Most peculiar is the fact that a swatch monitor that I run on the secure file catches plenty of lines. It is as if when swatch catches a line in the file, the line is removed from the file and the modification date is set back. Hard to believe. Any ideas?
What is the output of "lsattr /var/log/secure"? Do you have SELinux enabled, and are there any corresponding lines in /var/log/audit/audit.log?
# lsattr /var/log/secure ------------- /var/log/secure
selinux is disabled
/var/log/audit/audit.log appears to have lines describing a login I did a few minutes ago, and its modification date is correct.
# ls -l /var/log/secure -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
# date Sat Dec 13 09:42:36 EST 2008
I remain mystified.
Mike.