diff -up logwatch-7.3.6/scripts/services/sudo.pom logwatch-7.3.6/scripts/services/sudo --- logwatch-7.3.6/scripts/services/sudo.pom 2006-04-13 01:17:09.000000000 +0200 +++ logwatch-7.3.6/scripts/services/sudo 2007-10-12 12:20:43.000000000 +0200 @@ -31,7 +31,11 @@ my $CmdsThresh = $ENV{'command_run_thres my ($user, $error, $tty, $dir, $euser, $cmd, $args); while (defined(my $ThisLine = <STDIN>)) { - if ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\w+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) { + if ($ThisLine =~ /pam_unix\(sudo:auth\): authentication failure; logname=\S* uid=[0-9]* euid=[0-9]* tty=\S* ruser=\S* rhost=\S* user=\S*/) + # this log is parsed in pam_unix section + { + # Ignore + }elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\w+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) { push @{$byUser{$user}{$euser}}, [$error . $cmd,$args, $dir, $tty]; $byUserSum{$user}{$euser}{$cmd} += 1; } elsif ( ($user,$euser) = $ThisLine =~ /^\s*(\w+) : no passwd entry for (\w+)\!$/) {