logwatch/SOURCES/logwatch-sshd-2.patch

Resolves: #1317620

--- logwatch-7.4.3/scripts/services/sshd	2017-08-29 09:16:47.087028191 +0200
+++ logwatch-7.4.3-new/scripts/services/sshd	2017-08-29 09:19:37.372081596 +0200
@@ -297,7 +297,9 @@ while (defined(my $ThisLine = <STDIN>))
        ($ThisLine =~ /Starting session: (forced-command|subsystem|shell|command)/ ) or
        ($ThisLine =~ /Found matching \w+ key:/ ) or
        ($ThisLine =~ /User child is on pid \d/ ) or
-       ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/)
+       ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
+       ($ThisLine =~ /Exiting on signal .*$/) or
+       ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/)
    ) {
       # Ignore these
    } elsif ( my ($Method,$User,$Host,$Port,$Key) = ($ThisLine =~ /^Accepted (\S+) for ((?:invalid user )?\S+) from ([\d\.:a-f]+) port (\d+) ssh[12](?:: (\w+))?/) ) {
@@ -387,7 +389,9 @@ while (defined(my $ThisLine = <STDIN>))
       $RefusedConnections{$1}++;
    } elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
       $RefusedAuthentication{$Reason}++;
-   } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*) port [^ ]*: (.*)$/)) {
+   # Old format: Received disconnect from 192.168.122.1: 11: disconnected by user
+   # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
+   } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*)(?: port \d+)?: ?(.*)$/)) {
       # Reason 11 (SSH_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO
       if ($Reason != 11) {$DisconnectReceived{$Reason}{$Host}++;}
    } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
import logwatch-7.4.3-11.el8 3 years ago			`Resolves: #1317620`

			`--- logwatch-7.4.3/scripts/services/sshd 2017-08-29 09:16:47.087028191 +0200`
			`+++ logwatch-7.4.3-new/scripts/services/sshd 2017-08-29 09:19:37.372081596 +0200`
			`@@ -297,7 +297,9 @@ while (defined(my $ThisLine = <STDIN>))`
			`($ThisLine =~ /Starting session: (forced-command\|subsystem\|shell\|command)/ ) or`
			`($ThisLine =~ /Found matching \w+ key:/ ) or`
			`($ThisLine =~ /User child is on pid \d/ ) or`
			`- ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/)`
			`+ ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or`
			`+ ($ThisLine =~ /Exiting on signal .*$/) or`
			`+ ($ThisLine =~ /Disconnected from (?:[^ ]) port .$/)`
			`) {`
			`# Ignore these`
			`} elsif ( my ($Method,$User,$Host,$Port,$Key) = ($ThisLine =~ /^Accepted (\S+) for ((?:invalid user )?\S+) from ([\d\.:a-f]+) port (\d+) ssh[12](?:: (\w+))?/) ) {`
			`@@ -387,7 +389,9 @@ while (defined(my $ThisLine = <STDIN>))`
			`$RefusedConnections{$1}++;`
			`} elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {`
			`$RefusedAuthentication{$Reason}++;`
			`- } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]) port [^ ]: (.*)$/)) {`
			`+ # Old format: Received disconnect from 192.168.122.1: 11: disconnected by user`
			`+ # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user`
			`+ } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ])(?: port \d+)?: ?(.)$/)) {`
			`# Reason 11 (SSH_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO`
			`if ($Reason != 11) {$DisconnectReceived{$Reason}{$Host}++;}`
			`} elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {`