[logwatch/f15/master] Updated for pam_systemd messages and a few other fixed

Frank Crawford frankcrawford at fedoraproject.org
Tue Apr 26 04:57:51 UTC 2011


commit 947e78b8559ebfbf7e110b42652593f990b59f91
Author: Frank Crawford <frank at crawford.emu.id.au>
Date:   Tue Apr 26 14:56:53 2011 +1000

    Updated for pam_systemd messages and a few other fixed

 logwatch-secure.patch |   29 ++++++++++++++++++++++-------
 1 files changed, 22 insertions(+), 7 deletions(-)
---
diff --git a/logwatch-secure.patch b/logwatch-secure.patch
index cebe599..e57a3e1 100644
--- a/logwatch-secure.patch
+++ b/logwatch-secure.patch
@@ -1,6 +1,14 @@
---- logwatch-svn25/scripts/services/secure.orig	2010-05-01 12:36:08.000000000 +1000
-+++ logwatch-svn25/scripts/services/secure	2011-03-13 17:40:01.000000000 +1100
-@@ -242,10 +242,12 @@
+--- logwatch-svn25.dist/scripts/services/secure	2010-05-01 12:36:08.000000000 +1000
++++ logwatch-svn25/scripts/services/secure	2011-04-26 13:38:58.000000000 +1000
+@@ -218,6 +218,7 @@
+       ( $ThisLine =~ /com.apple.SecurityServer: Entering service/) or
+       ( $ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: EXIT: /) or
+       ( $ThisLine =~ /^crond\(\w+\)\[\d+\]: session /) or
++      ( $ThisLine =~ /pam_systemd\(.+:session\): Moving/) or
+       ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: authentication failure/) or
+       ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: check pass; user unknown/) or
+       ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: session /) or
+@@ -242,10 +243,12 @@
        ( $ThisLine =~ /PAM pam_set_item: attempt to set conv\(\) to NULL/) or
        ( $ThisLine =~ /PAM pam_get_item: nowhere to place requested item/) or
        ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or
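Review bot: The new ignore entry `/pam_systemd\(.+:session\): Moving/` is unanchored and uses a greedy `.+`, so any secure-log line that merely contains this text is dropped from the report, whichever program logged it; the neighbouring sshd, crond and xinetd entries all start with `^`. Because parts of these lines can carry remotely supplied strings such as user names, an ignore rule is safer when tied to the position of the PAM module tag, for example `( $ThisLine =~ /^\S+\[\d+\]: pam_systemd\([^:)]+:session\): Moving/) or`, assuming the line begins with the usual `program[pid]:` tag, which the hunk does not show. The `groupadd\[\d+\]: group added to ` entry changed in the third hunk has the same gap and could take a leading `^`, like the `^groupadd\[\d+\]: new group` rule further down. The surrounding `if` condition starts and ends outside this hunk.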
@@ -13,7 +21,7 @@
        ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log
        ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or
        ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or
-@@ -253,7 +255,10 @@
+@@ -253,7 +256,10 @@
        ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or
        ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or
        ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
@@ -21,11 +29,11 @@
 +      ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
 +      ( $ThisLine =~ /(gdm-session-worker|gdm-password)\[\d+\]: gkr-pam: no password is available for user/) or
 +      ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
-+      ( $ThisLine =~ /groupadd: group added to /) or	# Details in other messages
++      ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or	# Details in other messages
        ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/)
     ) {
        # Ignore these entries
-@@ -378,7 +383,7 @@
+@@ -378,13 +384,13 @@
        $DeletedGroups .= "   $ThisLine\n";
     } elsif ( $ThisLine =~ s/^(?:useradd|adduser)\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
        $NewGroups .= "   $ThisLine\n";
@@ -34,7 +42,14 @@
        $AddToGroup{$Group}{$User}++;
     } elsif ( $ThisLine =~ s/^groupadd\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
        $NewGroups .= "   $ThisLine\n";
-@@ -471,7 +476,7 @@
+    } elsif ( $ThisLine =~ s/^gpasswd\[\d+\]: set members of // ) {
+       $SetGroupMembers .= "   $ThisLine\n";
+-   } elsif ( $ThisLine =~ /^userdel\[\d+\]: delete `(.*)' from (shadow |)group `(.*)'\s*$/ ) {
++   } elsif ( $ThisLine =~ /^(?:userdel|usermod)\[\d+\]: delete [`'](.*)' from (shadow |)group [`'](.*)'\s*$/ ) {
+       push @RemoveFromGroup, "    user $1 from group $3\n";
+       # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
+       # I don't think these are important to log at this time
+@@ -471,7 +477,7 @@
     } elsif ( ($Client,$User) = ($ThisLine =~ /vmware-authd\[\d+\]: login from ([0-9\.]+) as ([^ ]+)/) ) {
        $UserLogin{$User}++;
     } elsif ( ($User) = ($ThisLine =~ /vmware-authd\[\d+\]: pam_unix_auth\(vmware-authd:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=([^ ]*)/) ) {
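Review bot: The widened `userdel|usermod` rule has no comment saying why it now accepts two programs and two opening quote styles, and it still captures `(shadow |)` only to skip it, which is why the report line has to use `$3`. A one-line comment such as `# usermod logs the same removal, and the opening quote may be a backtick or an apostrophe` would record the intent; the reason for the quote change is not stated in the patch. Making the group non-capturing, `(?:shadow )?group`, lets the push read `"    user $1 from group $2\n"`. The greedy `(.*)` captures are copied verbatim into the report, and `([^']*)` would keep each capture inside its own quotes. The `elsif` chain continues outside the hunk.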

