PROBLEM With samba 3.0 the log format changed a bit and logwatch has not been updated to reflect this. You get lots of logs like this from logwatch: smbd/service.c:make_connection_snum(648) joakims (192.168.33.44) connect to service joakims initially as user joakims (uid=1001, gid=100) (pid 6097) : 1 Time(s) SOLUTION Edit /etc/log.d/scripts/services/samba according to the following: diff /etc/log.d/scripts/services/samba.orig /etc/log.d/scripts/services/samba 46c46 < } elsif ( ($Host, $Service, $User) = ( $ThisLine =~ /([^ ]+ \([^ ]+\)) connect to service ([^ ]+) as user ([^ ]+)/ ) ) { --- > } elsif ( ($Host, $Service, $User) = ( $ThisLine =~ /([^ ]+ \([^ ]+\))(?: signed)? connect to service ([^ ]+) initially as user ([^ ]+)/ ) ) { DETAILS Logging code from http://cvs.samba.org/cgi-bin/cvsweb/samba/source/smbd/service.c?rev=1.12 2.2.9&content-type=text/x-cvsweb-markup if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) { dbgtext( "%s (%s) ", get_remote_machine_name(), conn->client_address ); dbgtext( "%s", srv_is_signing_active() ? "signed " : ""); dbgtext( "connect to service %s ", lp_servicename(SNUM(conn)) ); dbgtext( "initially as user %s ", user ); dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() ); dbgtext( "(pid %d)\n", (int)sys_getpid() ); } The latest unstable logwatch has an ignore line for this which is not exacly what you would want: ($ThisLine =~ /smbd\/service.c:make_connection_snum\(\d+\) .+ connect to service .+ initially as user/) or /// joakim