
I have **Unmatched Entries** in my logwatch report emails. For example:

```
--------------------- SSHD Begin ------------------------

[...]

**Unmatched Entries**
drop connection #2 from [111.216.209.5]:55152 on [192.168.0.88]:22 past MaxStartups : 1 Time
drop connection #2 from [111.216.209.5]:55154 on [192.168.0.88]:22 past MaxStartups : 1 Time
drop connection #2 from [111.216.209.5]:55162 on [192.168.0.88]:22 past MaxStartups : 1 Time
[...]
```

What is an "unmatched entry"? The man page doesn't tell.

EDIT: To give more context, the quote is a pseudonymised excerpt from an email sent by Logwatch running on a home server running Raspberry Pi OS (Debian Bullseye-based). The home server is public-facing and has SSH enabled. The Logwatch default configuration has not been modified.

Thanks! I had a quick look at their [forum](https://sourceforge.net/p/logwatch/discussion/search/?q=unmatched); it might be worth looking around their forums in case you find something helpful. Also see [logwatch explanation](https://serverfault.com/q/202356). – terdon May 17 '23 at 16:33

1 Answer


Logwatch is a tool that summarizes log files. Unmatched entries are log lines whose format is unknown to Logwatch and therefore cannot be parsed, interpreted or summarized by it.

Stefan Jakobs, one of the developers of Logwatch, has explained this in some forum posts. See:

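The following is an added illustration, not part of the original answer and not Logwatch's own code: a toy Python summarizer showing how lines that no known pattern recognises end up verbatim under "Unmatched Entries", and how adding a rule for the `MaxStartups` drops moves them into a per-source summary. The pattern names, the `summarize`/`render` helpers and the sample lines (documentation-range addresses) are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample sshd messages (syslog prefix already stripped); addresses
# are documentation-range placeholders, not values taken from the page.
SAMPLE = [
    "Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2",
    "Failed password for root from 203.0.113.7 port 40120 ssh2",
    "Accepted publickey for pi from 192.0.2.10 port 51000 ssh2",
    "drop connection #2 from [203.0.113.9]:55152 on [192.0.2.1]:22 past MaxStartups",
    "drop connection #2 from [203.0.113.9]:55154 on [192.0.2.1]:22 past MaxStartups",
    "drop connection #2 from [203.0.113.9]:55152 on [192.0.2.1]:22 past MaxStartups",
]

# Patterns this toy summarizer "knows" (hypothetical, not Logwatch's rules).
KNOWN = {
    "Failed logins": re.compile(r"^Failed password for (?:invalid user )?\S+ from (\S+)"),
    "Accepted logins": re.compile(r"^Accepted \S+ for \S+ from (\S+)"),
}
# Extra rule one could add so the MaxStartups drops are summarized per source.
MAXSTARTUPS = re.compile(r"^drop connection #\d+ from \[([^\]]+)\]:\d+ on \S+ past MaxStartups$")

def summarize(lines, patterns):
    """Return ({section: Counter(source)}, Counter(unmatched line))."""
    matched = {name: Counter() for name in patterns}
    unmatched = Counter()
    for line in lines:
        for name, rx in patterns.items():
            m = rx.search(line)
            if m:
                matched[name][m.group(1)] += 1
                break
        else:
            # No rule recognised the line: keep it verbatim with a count, so
            # lines differing only in source port are listed separately.
            unmatched[line] += 1
    return matched, unmatched

def render(matched, unmatched):
    out = [f"{name}: {src} : {n} Time(s)" for name, c in matched.items() for src, n in c.items()]
    if unmatched:
        out.append("**Unmatched Entries**")
        out += [f"{line} : {n} Time(s)" for line, n in unmatched.items()]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(*summarize(SAMPLE, KNOWN)))
    print(render(*summarize(SAMPLE, {**KNOWN, "MaxStartups drops": MAXSTARTUPS})))
```

With only `KNOWN`, the three drop lines are reported as unmatched; with the extra rule they collapse into one count for the source address, which is the form a defender wants when watching for connection floods against a public SSH port.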