On Sat, 13 Dec 2008 11:33:06 -0600, Barry Brimer wrote: >>>> On my Centos 5 server, the secure file has not updated since Dec 10. >>>> This despite the fact that I run an sshd server that I access many >>>> times per day. Most peculiar is the fact that a swatch monitor that >>>> I run on the secure file catches plenty of lines. It is as if when >>>> swatch catches a line in the file, the line is removed from the file >>>> and the modification date is set back. Hard to believe. Any ideas? >>> >>> What is the output of "lsattr /var/log/secure"? Do you have SELinux >>> enabled, and are there any corresponding lines in >>> /var/log/audit/audit.log? >> >> # lsattr /var/log/secure >> ------------- /var/log/secure >> >> selinux is disabled >> >> /var/log/audit/audit.log appears to have lines describing a login I did >> a few minutes ago, and its modification date is correct. >> >> # ls -l /var/log/secure >> -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure >> >> # date >> Sat Dec 13 09:42:36 EST 2008 > > Any unexpected syslog configuration? Does a touch update the timestamp? in syslog.conf: # added by MDB local0.* /var/log/httpd/cgi_log local1.* /var/log/net_que local2.* /var/log/sock_mon kern.=debug /var/log/ipt_log I also have added a number of things to logrotate. These things have been working well for years, although only a few months on "Centos. "touch /var/log/secure" updated the timestamp as expected. I note that early tomorrow morning the logrotate occurs. I wonder what will happen. Mike.