Here are some lines from logwatch:
pam_unix
sshd: Authentication Failures:
root (211.167.103.115): 5 Time(s)
unknown (219.239.110.139): 1 Time(s)
Invalid Users:
Unknown Account: 1 Time(s)
su: Sessions Opened:
root -> nobody: 3 Time(s)
Now, taken alone I would assume that the su entries are just some timed escalation of privileges (or de-escalation, as the case may be), but in conjunction with the standard attempts at root password cracking, they're more unsettling. Should I be concerned about security holes due to either of these sets of notice/logwatch entries?
You should not be concerned about "authentication failures" for root - there are myriads of malware and script-kiddie tools trying root passwords on every host they can reach. As long as you do not allow direct root logins and/or have a sufficiently complex non-dictionary root password, this is nothing to worry about.
The root -> nobody sessions are indeed dropped privileges - something that starts as root and changes the security context to the unprivileged "nobody" user - which is good security practice.
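To see how raw pam_unix syslog lines turn into the three logwatch categories quoted in the question, here is an added Python example (not from the original post and not logwatch's own code). The sample log lines and addresses are constructed, and the brute-force threshold and the "uid 0 means root" mapping for non-interactive su are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Mar  3 04:12:03 host sshd[2110]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 04:12:07 host sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Mar  3 04:12:09 host sshd[2113]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 04:12:09 host sshd[2113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  3 04:15:00 host su[2200]: pam_unix(su:session): session opened for user nobody by root(uid=0)
Mar  3 05:15:00 host su[2310]: pam_unix(su:session): session opened for user nobody by (uid=0)
"""

# The pam_unix messages that logwatch folds into the categories shown in the question.
# sshd's own "Failed password" lines are not pam_unix output and are skipped here.
AUTH_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(\S*)(?:\s+user=(\S+))?")
USER_UNKNOWN = re.compile(r"pam_unix\(sshd:auth\): check pass; user unknown")
SU_SESSION = re.compile(r"pam_unix\(su:session\): session opened for user (\S+) by (\S*)\(uid=(\d+)\)")

def summarize(log_text):
    """Count pam_unix events the way the logwatch report groups them."""
    failures, invalid, su_sessions = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            # No "user=" means PAM never learned a valid account name; logwatch prints "unknown".
            failures[(m.group(2) or "unknown", m.group(1) or "?")] += 1
        elif USER_UNKNOWN.search(line):
            invalid["Unknown Account"] += 1
        elif m := SU_SESSION.search(line):
            target, by_name, uid = m.groups()
            # Non-interactive su (cron, daemons) logs an empty caller name; assume uid 0 is root.
            caller = by_name or ("root" if uid == "0" else f"uid={uid}")
            su_sessions[(caller, target)] += 1
    return {"sshd_failures": failures, "invalid_users": invalid, "su_sessions": su_sessions}

def noisy_root_sources(summary, threshold=5):
    """Source hosts whose root password guesses reached the (assumed) threshold in the window."""
    return sorted(h for (u, h), n in summary["sshd_failures"].items() if u == "root" and n >= threshold)

def format_report(summary):
    """Render the counts in logwatch's own 'name (rhost): N Time(s)' style."""
    lines = ["sshd: Authentication Failures:"]
    lines += [f"   {u} ({h}): {n} Time(s)" for (u, h), n in sorted(summary["sshd_failures"].items())]
    lines += ["Invalid Users:"] + [f"   {k}: {n} Time(s)" for k, n in summary["invalid_users"].items()]
    lines += ["su: Sessions Opened:"] + [f"   {a} -> {b}: {n} Time(s)" for (a, b), n in sorted(summary["su_sessions"].items())]
    return "\n".join(lines)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(format_report(report))
    print("root brute-force sources:", noisy_root_sources(report, threshold=2))
```

A su entry whose caller is uid 0 and whose target is "nobody" is the privilege drop the answer describes; the root failures are what to watch per source host, which is why the threshold is keyed on rhost.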