[Logwatch] Problem adding filter
Fri, 10 May 2002 11:12:32 -0400
I am trying to add a filter for a custom kernel message (iptables related).
The message appears in /var/log/messages in the following format:
May 9 23:11:45 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC=
SRC=22.214.171.124 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24924 DF
PROTO=TCP SPT=36095 DPT=436 WINDOW=5840 RES=0x00 SYN URGP=0
I added a filter script for it in /etc/log.d/scripts/shared called
#!/bin/sh
while read BUF   # one line of /var/log/messages per iteration, from stdin
do
    echo $BUF | grep "PORT SCAN"
    if [ "$?" = "0" ]
    then
        THE_IP=`echo $BUF | cut -d '=' -f 5 | cut -d ' ' -f 1`   # $BUF, not $*: fifth '='-field is "<addr> DST"
        echo -n "-> $THE_IP is "
    fi
done
The script works fine, meaning that when /var/log/messages is fed on stdin it
produces the desired output on stdout. At that point I added a line to
/etc/log.d/conf/services/kernel.conf (because the originator is the kernel)
pointing to my script. The file now looks like this:
LogFile = messages
While there are lines I'm concerned with in /var/log/messages, nothing
appears in logwatch output (there is other normal output though - logwatch
is working). What am I doing wrong? Can someone enlighten me, please?
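An added example (not the poster's script and not part of Logwatch): a POSIX sh filter that reads iptables "PORT SCAN:" kernel lines of the format quoted above from stdin, pulls out SRC= and DPT= by key name instead of by '='-separated position (so empty fields like OUT= or MAC= cannot shift the column), and summarises hits per source address. The log lines in SAMPLE_LOG are constructed for the example.

```shell
#!/bin/sh
# Added example: key-based parsing of iptables kernel log lines and a
# per-source summary. Not the original poster's code.

# Constructed sample input in the same format as the post's log line.
SAMPLE_LOG='May  9 23:11:45 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24924 DF PROTO=TCP SPT=36095 DPT=436 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 23:11:46 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24925 DF PROTO=TCP SPT=36096 DPT=437 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 23:12:01 myhappymachine kernel: PORT SCAN: IN=eth1 OUT= MAC= SRC=10.0.0.9 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 23:12:02 myhappymachine sshd[123]: Accepted password for bob from 10.0.0.9'

# Print the value of " KEY=" in a line: field_value SRC "$line".
# The leading space keeps DPT= from matching inside SPT=.
field_value() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\([^ ]*\).*/\1/p"
}

# Read log lines on stdin; emit "SRC DPT" for each PORT SCAN line only.
scan_pairs() {
    while IFS= read -r BUF; do
        case "$BUF" in
            *"kernel: PORT SCAN:"*)
                printf '%s %s\n' "$(field_value SRC "$BUF")" "$(field_value DPT "$BUF")" ;;
        esac
    done
}

# One line per source: "<count> <src> <ports>", most active source first.
scan_summary() {
    scan_pairs | sort | awk '{ c[$1]++; p[$1] = (p[$1] == "" ? $2 : p[$1] "," $2) }
                            END { for (s in c) print c[s], s, p[s] }' | sort -rn
}

# Number of PORT SCAN lines in SAMPLE_LOG attributed to one source address.
hits_for() {
    printf '%s\n' "$SAMPLE_LOG" | scan_pairs | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE_LOG" | scan_summary
```

Run it as `./scanfilter.sh < /var/log/messages` to apply the same summary to a real log instead of the constructed sample.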