[Logwatch] Problem adding filter

logwatch@weownu.net
Fri, 10 May 2002 11:12:32 -0400


Hi, 

I am trying to add a filter for a custom kernel message (iptables related). 
The message appears in /var/log/messages in the following format: 

May  9 23:11:45 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=1.2.3.4 DST=3.4.5.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24924 DF PROTO=TCP SPT=36095 DPT=436 WINDOW=5840 RES=0x00 SYN URGP=0

I added a filter script for it in /etc/log.d/scripts/shared called 
netfilter.sh: 

#!/bin/sh

# Print the SRC= address of a netfilter line and resolve it with host(1).
# The address is the first word after the fifth '=' (IN, OUT, MAC, SRC).
printIP()
{
       THE_IP=`echo "$*" | cut -d '=' -f 5 | cut -d ' ' -f 1`
       echo -n "-> $THE_IP is "
       host "$THE_IP"
}

# Pass every PORT SCAN line through and append the lookup for its source.
while read BUF
do
       echo "$BUF" | grep "PORT SCAN"
       if [ "$?" = "0" ]
       then
               printIP "$BUF"
       fi
done

The script works fine meaning that when /var/log/messages is fed on stdin it 
produces the desired output on stdout. At that point I added a line to 
/etc/log.d/conf/services/kernel.conf (because the originator is the kernel) 
pointing to my script. The file now looks like this: 

LogFile = messages
*RemoveHeaders =
*netfilter.sh = 

While there are lines I'm concerned with in /var/log/messages nothing 
appears in logwatch output (there is other normal output though - logwatch 
is working). What am I doing wrong? Can someone enlighten me pls? 

Thanks,
Dusan
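As an added example that is not part of the original post and not logwatch's own code: a POSIX sh filter for the same netfilter "PORT SCAN:" kernel lines that pulls fields out by key name (SRC, DST, DPT, PROTO) instead of by position, so it keeps working when a field such as MAC= is missing or the field order differs, and then summarises hits per source address. The function names getfield, filter_scans and count_by_src are invented for the example; the sample lines are constructed (the first is the line quoted in the post, the others are made up with documentation addresses), and the DNS lookup with host(1) is left out so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: parse netfilter "PORT SCAN:"
# kernel lines by field name rather than by position.
# SAMPLE is constructed for the example; the first line is the one from the
# post, the rest are made up (192.0.2.10 is a documentation address).
SAMPLE='May  9 23:11:45 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=1.2.3.4 DST=3.4.5.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24924 DF PROTO=TCP SPT=36095 DPT=436 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 23:11:46 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=1.2.3.4 DST=3.4.5.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24925 DF PROTO=TCP SPT=36095 DPT=437 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 23:12:01 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=192.0.2.10 DST=3.4.5.6 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=UDP SPT=5353 DPT=53 LEN=20
May  9 23:12:05 myhappymachine sshd[123]: Accepted publickey for dusan from 192.0.2.10 port 4242'

# getfield LINE KEY: print the value of "KEY=value" in LINE. Prints an empty
# string when the key is absent or has no value (as OUT= and MAC= do here).
# The key must be preceded by a space, so DPT does not match inside SPT.
getfield() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# filter_scans: read log lines on stdin, pass "PORT SCAN:" lines through
# unchanged and append one summary line per hit (source -> dest:port/proto).
filter_scans() {
    while IFS= read -r line; do
        case "$line" in
            *"PORT SCAN:"*)
                printf '%s\n' "$line"
                printf '    source %s -> %s:%s/%s\n' \
                    "$(getfield "$line" SRC)" "$(getfield "$line" DST)" \
                    "$(getfield "$line" DPT)" "$(getfield "$line" PROTO)"
                ;;
        esac
    done
}

# count_by_src: one "COUNT SRC" line per scanning address, busiest first.
count_by_src() {
    while IFS= read -r line; do
        case "$line" in
            *"PORT SCAN:"*) getfield "$line" SRC ;;
        esac
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Run both passes over the constructed sample; in real use the log file
# would be fed on stdin instead.
printf '%s\n' "$SAMPLE" | filter_scans
printf '%s\n' "$SAMPLE" | count_by_src
```

Because the key=value pairs are located by name, the script does not break when a line lacks a field or carries a different number of '=' characters before SRC, which is the weak point of counting '=' separators with cut.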