>>> On my Centos 5 server, the secure file has not updated since Dec 10.
>>> This despite the fact that I run an sshd server that I access many
>>> times per day. Most peculiar is the fact that a swatch monitor that I
>>> run on the secure file catches plenty of lines. It is as if when
>>> swatch catches a line in the file, the line is removed from the file
>>> and the modification date is set back. Hard to believe. Any ideas?
>>
>> What is the output of "lsattr /var/log/secure"? Do you have SELinux
>> enabled, and are there any corresponding lines in
>> /var/log/audit/audit.log?
>
> # lsattr /var/log/secure
> ------------- /var/log/secure
>
> selinux is disabled
>
> /var/log/audit/audit.log appears to have lines describing a login
> I did a few minutes ago, and its modification date is correct.
>
> # ls -l /var/log/secure
> -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
>
> # date
> Sat Dec 13 09:42:36 EST 2008

Any unexpected syslog configuration? Does a touch update the timestamp?