[Logwatch-Devel] Re: New material for logwatch.
Kirk Bauer
kirk at kaybee.org
Wed Sep 28 07:33:41 MST 2005
On Wed, 28 Sep 2005, Frank Hamersley wrote:
> I have recently started to get into "logwatch" to monitor some hosts I
> maintain remotely and have begun to develop some of my own scripts that
> might eventually be worthy of incorporation in the base package.
>
> The thrust of my efforts can be broadly characterised as ...
>
> a) new scripts - primarily oriented to raising alerts whenever a monitored
> feature shows an adverse situation. For instance my ntp script looks at the
> "ntpq -p" output to detect any jitter entries of 4000.00. Should any occur
> then results of that command are dumped to draw attention from the sysadmin.
> This provides for a 2-pronged alert mechanism - the first from the log
> events and the second from the status script to ensure any "stuff" that
> requires attention does not get glossed over by stressed admins.
Although not strictly log watching, I believe these are valuable
additions. We already have the 'diskspace' script that is like this.
Basically any erroneous condition would ideally be reported by Logwatch,
at least to me.
> b) amending the kernel script - to adjust the reporting of "commonly known
> vector" probes by port number. I haven't started this yet, but find '000s
> of lines reporting Slammers tcp/1433 and udp/1434 just clutter up the
> logwatch and increase the risk a sysadmin will become inured to report
> entries in this section. Similarly I don't like to drop these reports out
> of hand (with an iptables rule) because then we lose sight of the bogons'
> activity levels.
Sounds like a good idea to me.
> c) bug fixes in general - only 1 very minor issue found to date.
We love bug fixes :)
> Let me know what you think about (a) and if you are receptive I will take
> the time to forward in the patches once I have proved them.
It all sounds good to me at least.
--
Kirk Bauer <kirk at kaybee.org>
http://linux.kaybee.org | www.autorpm.org | www.logwatch.org
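As an added illustration of points (a) and (b) from Frank's list (this is not code from the thread, nor Logwatch's own code, whose service scripts are written in Perl), the following stand-alone Python sketch does two things: it scans "ntpq -p" output for peers whose jitter column reads 4000.00 and, only when one is found, returns the whole ntpq dump so the condition cannot be glossed over; and it collapses kernel/iptables log lines for well-known probe ports into one count line per port, so that thousands of tcp/1433 and udp/1434 entries no longer bury the report while the activity level stays visible. The sample ntpq output and kernel lines are constructed (RFC 5737 documentation addresses), and the KNOWN_VECTORS table, regex and function names are my own assumptions.

```python
"""Status-check and port-aggregation helpers in the spirit of the thread.
Stand-alone illustration; not Logwatch code. All sample input is constructed."""
import re
from collections import defaultdict

# Jitter value ntpq prints for a peer it has no usable samples from; the
# thread treats any such entry as an adverse condition worth an alert.
UNREACHABLE_JITTER = "4000.00"

# Constructed 'ntpq -p' output: one healthy peer and one that is not answering.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   64  128  377    1.234   -0.456   0.789
 ntp2.example.net .INIT.          16 u    -   64    0    0.000    0.000 4000.00
"""


def unreachable_peers(ntpq_output):
    """Return the peer names whose jitter column (last field) reads 4000.00."""
    bad = []
    for line in ntpq_output.splitlines()[2:]:      # skip header and ==== rule
        fields = line.split()
        if len(fields) < 10:                        # not a peer line
            continue
        remote = fields[0].lstrip("*+-x.#o")        # drop the tally code if attached
        if fields[-1] == UNREACHABLE_JITTER:
            bad.append(remote)
    return bad


def ntp_report(ntpq_output):
    """Second prong of the alert: empty when all is well, the full dump when not."""
    bad = unreachable_peers(ntpq_output)
    if not bad:
        return ""
    return "NTP peers with jitter %s: %s\n%s" % (
        UNREACHABLE_JITTER, ", ".join(bad), ntpq_output)


# Constructed iptables LOG lines in syslog form; 198.51.100.x / 192.0.2.x are
# documentation addresses, not real sources.
SAMPLE_KERNEL = [
    "Sep 28 07:31:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=404 PROTO=UDP SPT=1031 DPT=1434 LEN=384",
    "Sep 28 07:31:05 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=404 PROTO=UDP SPT=1040 DPT=1434 LEN=384",
    "Sep 28 07:31:09 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=3456 DPT=1433 WINDOW=16384 SYN",
    "Sep 28 07:32:41 host kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN",
]

# Ports the thread names as "commonly known vectors" (assumed labels); anything
# else is reported line by line so nothing unexpected gets hidden.
KNOWN_VECTORS = {
    ("tcp", 1433): "MS-SQL (Slammer-era probes)",
    ("udp", 1434): "MS-SQL monitor (Slammer)",
}

# Lines without a DPT (e.g. ICMP) do not match and are simply not counted here.
PKT_RE = re.compile(r"SRC=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")


def summarize_probes(lines):
    """Count packets per (proto, dport), remembering sources and raw lines."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "lines": []})
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        src, proto, dport = m.group(1), m.group(2).lower(), int(m.group(3))
        entry = summary[(proto, dport)]
        entry["count"] += 1
        entry["sources"].add(src)
        entry["lines"].append(line)
    return summary


def probe_report(lines):
    """Known-vector ports collapse to one line each; other ports keep raw lines."""
    out = []
    for (proto, dport), entry in sorted(summarize_probes(lines).items()):
        label = KNOWN_VECTORS.get((proto, dport))
        if label:
            out.append("%s/%d %s: %d packets from %d sources" % (
                proto, dport, label, entry["count"], len(entry["sources"])))
        else:
            out.extend(entry["lines"])
    return out


if __name__ == "__main__":
    print(ntp_report(SAMPLE_NTPQ))
    print("\n".join(probe_report(SAMPLE_KERNEL)))
```

Run as a script it prints the ntp alert with the full dump (because the constructed second peer is unreachable) followed by three report lines: the raw tcp/22 line, one count line for tcp/1433 and one for udp/1434. In a real Logwatch service the same two summaries would be emitted from the Perl script, and the known-vector table would be the place to add further ports as they become clutter.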