[Logwatch] A statement; and some questions

John Sage jsage@finchhaven.com
Tue, 1 Apr 2003 08:34:53 -0800


I'm sorry, but this is turning out to be the most cryptic,
impenetrable program I've ever tried to learn/configure.

(This said after having been in UNIX since the mid '80s; and more
recently having regularly configured Apache, Bind, MySQL, sendmail,
procmail, snort, ipchains, iptables, etc etc etc blah blah blah...)

Having alienated everyone, here's some background, and some questions.

LogWatch 4.3.2 (02/18/03) downloaded and installed from the tarball;
Linux kernel 2.4.18-5 (KRUD Linux 7.3)

As I understand it:
/etc/log.d/conf/logwatch.conf is the master configuration file;

configuration files for specific services go in
~/services/[service_name].conf;

log file configuration is set at
~/logfiles/[service_name].conf;

and the specific service executable is
at ~/services/[service_name]

all where ~ = /etc/log.d/


What is the order of command precedence, i.e.:

1) Does the command line always overrule both a [service_name].conf
and the master logwatch.conf, as in snort, for example?

2) Does the [service_name].conf overrule the master logwatch.conf?

3) What (if any) specific commands that function in logwatch.conf are
*not* valid within [service_name].conf -- does [service_name].conf
override commands for that specific service in all cases, or not?


At the moment what I'm trying to do is to look at /var/log/messages,
and later other log files, for output from snort ver. 1.9.1

I have, in the following files:

In /etc/log.d/logwatch.conf:

# my $Version = '4.3.2';
# my $VDate = '02/18/03';
# Installed: Mon Mar 31 08:56:09 PST 2003
LogDir = /var/log
TmpDir = /tmp
MailTo = foo@bar.com
Print = No
UseMkTemp = Yes
#Save = /tmp/logwatch
# Archives = Yes
# Range = All
Range = yesterday
Detail = Med
Service = All
#LogFile = messages
mailer = /bin/mail
#HostLimit = Yes
# EOF /etc/log.d/conf/logwatch.conf
# Installed: Mon Mar 31 08:56:09 PST 2003


In /etc/log.d/services/snort.conf:

# $Id: snort.conf, v 0.1 Tue Mar 25 05:48:17 PST 2003 jsage Exp $
LogFile = snort
MailTo = foo@bar.com
#Print = No
#Save = /tmp/snort_logwatch
#Detail = 10
#Debug = 10
Range = Today
$named_ip_lookup = No
*OnlyService = snort
*RemoveHeaders = 
# EOF /etc/log.d/conf/services/snort.conf
# Tue Mar 25 05:50:06 PST 2003


In /etc/log.d/logfiles/snort.conf:

# Now: /etc/log.d/conf/logfiles/snort.conf
# Sun Mar 30 10:09:57 PST 2003
LogFile = /var/log/messages
Archive = /dev/null
*ApplyStdDate =
# EOF /etc/log.d/conf/logfiles/snort.conf
# Sun Mar 30 10:09:57 PST 2003


And the ~/services/snort executable is merely a shell script:

#!/bin/sh
# Logwatch exports its settings to the service script as environment variables
echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"
# greps the whole file directly rather than the log Logwatch supplies on stdin
grep snort /var/log/messages

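As an added example (my own code, not part of John's post or of the Logwatch distribution): a Logwatch-style service script that reads the log from standard input, which is where Logwatch hands a service the already date-filtered log, instead of grepping /var/log/messages itself, and then summarises the snort alert lines by signature and by destination. The keep_date function stands in for the date narrowing that Logwatch's ApplyStdDate filter performs before the service runs; the sample log lines, the hostnames and the RFC 5737 addresses in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a Logwatch-style snort service
# script that reads the log from stdin (as Logwatch supplies it) rather than
# opening /var/log/messages directly, so a Range= setting has an effect.

# Constructed sample of /var/log/messages (not real data): two dates, one
# non-snort line, two distinct snort signatures.
SAMPLE_LOG='Mar 30 04:28:19 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns {UDP} 192.0.2.10:33242 -> 198.51.100.5:137
Mar 30 04:31:03 greatwall sshd[123]: Accepted publickey for jsage from 192.0.2.7
Apr  1 07:51:37 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns {UDP} 192.0.2.44:1026 -> 198.51.100.9:137
Apr  1 07:52:55 greatwall snort: [1:0:0] ICMP inbound echo request {ICMP} 192.0.2.51 -> 198.51.100.9
Apr  1 07:53:10 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns {UDP} 192.0.2.51:1029 -> 198.51.100.9:137'

# keep_date DATE: pass through only syslog lines whose timestamp begins with
# DATE, e.g. "Apr  1" (two spaces, as syslog pads single-digit days).
# A stand-in for the date filtering Logwatch applies before the service runs.
keep_date() {
    awk -v d="$1" 'substr($0, 1, length(d)) == d'
}

# Count snort alert lines on stdin per signature text, most frequent first.
# The signature text sits between the "[gid:sid:rev] " tag and the " {PROTO}".
snort_sig_counts() {
    grep ' snort: ' | sed 's/^.*snort: \[[^]]*\] //; s/ {.*$//' \
        | sort | uniq -c | sort -rn
}

# Count snort alert lines on stdin per destination (host or host:port).
snort_dst_counts() {
    grep ' snort: ' | sed 's/^.* -> //' | sort | uniq -c | sort -rn
}

# The service body: stdin is the (already date-filtered) log. Prints a total
# and, when there is anything to report, the two breakdowns.
snort_report() {
    log=$(cat)
    total=$(printf '%s\n' "$log" | grep -c ' snort: ' || true)
    echo "snort alerts in range: $total"
    if [ "$total" -gt 0 ]; then
        echo "By signature:"
        printf '%s\n' "$log" | snort_sig_counts
        echo "By destination:"
        printf '%s\n' "$log" | snort_dst_counts
    fi
}

# Stand-alone demo: report on the sample as Logwatch would for a range that
# covers only Apr 1. Installed as a service script, the body would simply be
# "snort_report" reading whatever Logwatch pipes in.
printf '%s\n' "$SAMPLE_LOG" | keep_date "Apr  1" | snort_report
```

Running the block prints a total of 3 alerts for Apr 1 (the two Mar 30 lines never reach the service), 2 of them "UDP inbound to 137 netBIOS ns" and 2 of them aimed at 198.51.100.9:137; feeding it an empty input reports 0 and nothing else, which is the case a nightly report hits most often.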

Given a command line of:

logwatch --service snort

I get this for foo@bar.com:

 ################### LogWatch 4.3.2 (02/18/03) ####################
       Processing Initiated: Tue Apr  1 08:19:36 2003
       Date Range Processed: yesterday
     Detail Level of Output: 5
          Logfiles for Host: greatwall
 ################################################################
Date Range: yesterday
Detail Level: 5
Temp Dir: /tmp/logwatch.XXEPJtYQ/
Debug Level: 0
Mar 30 04:28:19 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns
{UDP} 217.227.250.135:33242 -> 12.82.128.96:137
Mar 30 04:31:03 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns
{UDP} 62.118.138.140:4369 -> 12.82.128.96:137

<snip>

Apr  1 07:51:37 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns
{UDP} 203.206.100.184:1026 -> 12.82.128.175:137
Apr  1 07:52:55 greatwall snort: [1:0:0] UDP inbound to 137 netBIOS ns
{UDP} 61.1.170.72:1028 -> 12.82.128.175:137

 ###################### LogWatch End #########################


Note that:

1) the date_range in neither logwatch.conf nor snort.conf appears to
be working: I'm getting *everything* in /var/log/messages since it
last rotated on Mar 30 at 4:02am...



- John
-- 
"What's the frequency, Kenneth?"

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705