After the upgrade to CentOS 5.9, all my CentOS 5 installations report only "Unmatched Entries" in the "yum" section of their daily logwatch mails. It seems the filter script /usr/share/logwatch/scripts/services/yum got broken:
--------8<--------8<--------8<--------8<--------8<--------8<--------8<
[root@dns01 ~]# /usr/sbin/logwatch --print --service yum --debug 5
[...]
Processing Service: yum
( cat /var/cache/logwatch/logwatch.kKzXpf19/yum | /usr/bin/perl /usr/share/logwatch/scripts/services/yum) 2>&1

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Fri Jan 18 09:21:20 2013
Date Range Processed: yesterday
( 2013-Jan-17 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: dns01.pxnet.com
##################################################################

--------------------- yum Begin ------------------------

DEBUG: Inside YUM Filter

DEBUG(1): Updated: glibc-common.i386 2.5-107
DEBUG(2): Updated: kernel-headers.i386 2.6.18-348.el5
DEBUG(3): Updated: crontabs.noarch 1.10-11.el5
[...]
DEBUG(89): Updated: yum-updatesd.noarch 1:0.9-5.el5

**Unmatched Entries**
2.5-107
2.6.18-348.el5
1.10-11.el5
[...]
1:0.9-5.el5

---------------------- yum End -------------------------

###################### Logwatch End #########################

[root@dns01 ~]#
8-------->8-------->8-------->8-------->8-------->8-------->8--------
Looking at the script I find the line
    $ThisLine =~ s/^[^ ]* [^ ]* //;
which looks like its intention was to strip the timestamp from the logfile entry, but the DEBUG output shows it has already been stripped at this point.
And a minor nit: who came up with the silly idea of enforcing mode 600 for /var/log/yum.log in /etc/logrotate.d/yum? I don't think it increases security if the intern who checks the logs has to work with full root privileges all the time.
On 18.01.2013 09:49, /me wrote:
> Looking at the script I find the line
>
>     $ThisLine =~ s/^[^ ]* [^ ]* //;
>
> which looks like its intention was to strip the timestamp from the logfile entry, but the DEBUG output shows it has already been stripped at this point.
Correction: Whatever that line tries to strip, it isn't a timestamp.
Btw, the format of /var/log/yum.log differs between CentOS 5 and 6:
- CentOS 5: Jan 10 11:33:49 Updated: bacula-client.i386 5.2.12-6.el5
- CentOS 6: Jan 11 03:39:39 Updated: bacula-client-5.2.12-6.el6.x86_64
On CentOS 6, the script line above would do no harm because after stripping the timestamp there is only one space character left in the line, so the pattern doesn't match.
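
The effect of the quoted substitution on the two log formats can be reproduced outside logwatch. The script below is an added example, not part of the original messages and not logwatch's own code: it applies the substitution to the sample lines from this thread, and `classify` is a hypothetical stand-in for the filter's matching step (an assumption about which keywords it accepts).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The substitution quoted in the thread from the yum filter script:
# it removes the first two space-delimited fields of the line.
sub strip_two_fields {
    my ($line) = @_;
    $line =~ s/^[^ ]* [^ ]* //;
    return $line;
}

# Hypothetical stand-in for the filter's matching step (assumption, not
# the real logwatch code): a line is "matched" only if it still starts
# with a yum action keyword after the substitution.
sub classify {
    my ($line) = @_;
    return $line =~ /^(?:Updated|Installed|Erased): / ? 'matched' : 'unmatched';
}

# Sample lines taken from the thread. The first two are in the form the
# filter receives them according to the DEBUG output (timestamp already
# removed); the third is a raw /var/log/yum.log line.
my @samples = (
    [ 'CentOS 5, timestamp removed', 'Updated: bacula-client.i386 5.2.12-6.el5' ],
    [ 'CentOS 6, timestamp removed', 'Updated: bacula-client-5.2.12-6.el6.x86_64' ],
    [ 'CentOS 5, raw yum.log line',  'Jan 10 11:33:49 Updated: bacula-client.i386 5.2.12-6.el5' ],
);

for my $sample (@samples) {
    my ($label, $in) = @$sample;
    my $out = strip_two_fields($in);
    print "$label\n";
    print "  in:  $in\n";
    print "  out: $out\n";
    print "  =>   ", classify($out), "\n";
}
```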