PROBLEM

With samba 3.0 the log format changed a bit and logwatch has not been
updated to reflect this. You get lots of logs like this from logwatch:

smbd/service.c:make_connection_snum(648) joakims (192.168.33.44) connect
to service joakims initially as user joakims (uid=1001, gid=100) (pid
6097) : 1 Time(s)

SOLUTION

Edit /etc/log.d/scripts/services/samba according to the following:

diff /etc/log.d/scripts/services/samba.orig
/etc/log.d/scripts/services/samba
46c46
<    } elsif ( ($Host, $Service, $User) = ( $ThisLine =~ /([^ ]+ \([^
]+\)) connect to service ([^ ]+) as user ([^ ]+)/ ) ) {
---
>    } elsif ( ($Host, $Service, $User) = ( $ThisLine =~ /([^ ]+ \([^
]+\))(?: signed)? connect to service ([^ ]+) initially as user ([^ ]+)/
) ) {


DETAILS

Logging code from
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/smbd/service.c?rev=1.12
2.2.9&content-type=text/x-cvsweb-markup

        if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
               dbgtext( "%s (%s) ", get_remote_machine_name(),
conn->client_address );
               dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
               dbgtext( "connect to service %s ",
lp_servicename(SNUM(conn)) );
               dbgtext( "initially as user %s ", user );
               dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(),
(int)getegid() );
               dbgtext( "(pid %d)\n", (int)sys_getpid() );
       }

The latest unstable logwatch has an ignore line for this which is not
exacly what you would want:

      ($ThisLine =~ /smbd\/service.c:make_connection_snum\(\d+\)  .+
connect to service .+ initially as user/) or

/// joakim