I have logwatch running and I check its content every morning. I have noticed that my auth.log file is erased after an apt upgrade and reboot.
Here is the fail2ban section of the logwatch after an upgrade and reboot yesterday.
--------------------- fail2ban-messages Begin ------------------------
Informational Messages:
banTime: 600: 1 Time(s)
encoding: UTF-8: 1 Time(s)
findtime: 600: 1 Time(s)
maxLines: 1: 1 Time(s)
maxRetry: 5: 1 Time(s)
--------------------------------------------------: 1 Time(s)
Connection to database closed.: 1 Time(s)
Observer start...: 1 Time(s)
Observer stop ... try to end queue 5 seconds: 1 Time(s)
Observer stopped, 0 events remaining.: 1 Time(s)
Removed logfile: '/var/log/auth.log': 1 Time(s)
Shutdown in progress...: 1 Time(s)
Starting Fail2ban v0.11.2: 1 Time(s)
Notices:
[sshd] Flush ticket(s) with iptables-multiport: 1 Time(s)
---------------------- fail2ban-messages End -------------------------
Looking at the auth.log file after reboot, it doesn't look to be new as it contains entries with timestamps older than the reboot.
Is this normal? Shouldn't it leave the auth.log and rotate it instead? This looks suspicious.
My Ubuntu version is 22.04.4 LTS server.