On Sat, 13 Dec 2008 11:33:06 -0600, Barry Brimer wrote:
On my Centos 5 server, the secure file has not updated since Dec 10. This despite the fact that I run an sshd server that I access many times per day. Most peculiar is the fact that a swatch monitor that I run on the secure file catches plenty of lines. It is as if when swatch catches a line in the file, the line is removed from the file and the modification date is set back. Hard to believe. Any ideas?
What is the output of "lsattr /var/log/secure"? Do you have SELinux enabled, and are there any corresponding lines in /var/log/audit/audit.log?
# lsattr /var/log/secure
------------- /var/log/secure
selinux is disabled
/var/log/audit/audit.log appears to have lines describing a login I did a few minutes ago, and its modification date is correct.
# ls -l /var/log/secure
-rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
# date
Sat Dec 13 09:42:36 EST 2008
Any unexpected syslog configuration? Does a touch update the timestamp?
in syslog.conf:
# added by MDB
local0.* /var/log/httpd/cgi_log
local1.* /var/log/net_que
local2.* /var/log/sock_mon
kern.=debug /var/log/ipt_log
I also have added a number of things to logrotate.
These things have been working well for years, although only a few months on Centos.
"touch /var/log/secure" updated the timestamp as expected.
I note that early tomorrow morning the logrotate occurs. I wonder what will happen.
Mike.