[Logwatch] Date parsing question

Marty Hoff martang@clearcommerce.com
Fri, 24 Jan 2003 10:05:28 -0600 (CST)


Curiouser and curiouser.  I have a RedHat machine with Logwatch 2.6 on it
(that I've been meaning to upgrade) and I copied my conf files over to it
and a sample VPN log file for it to parse.  Version 2.6 does not have the
problem that I am seeing on the Solaris box with 4.3.1 installed.  So,
then I upgraded Logwatch 2.6 to 4.3.1 (via RPM) and now the RedHat box has the same
trouble as the Solaris box.  So it is not something OS specific or even
Perl specific, but something Logwatch version specific.

Marty

On Fri, 24 Jan 2003, Marty Hoff wrote:

> On Fri, 24 Jan 2003, Kirk Bauer wrote:
>
> > On Fri, 24 Jan 2003, Marty Hoff wrote:
> >
> > > I'm trying to set up a new filter for my VPN logs.  I currently have done
> > > as the README suggests - I just have the filter doing a cat.  However,
> > > when I define the *ApplyStdDate in the config, I lose almost all of the
> > > lines that are recorded in my log.  I think it comes down to the
> > > following lines in the ApplyStdDate function:
> > >
> > > while (defined($ThisLine = <STDIN>)) {
> > >    if ($ThisLine =~ m/^$SearchDate ..:..:.. [^ ]* [^ ]*\[[0123456789]*\]: /o) {
> > >       print $ThisLine;
> > >    } elsif ($ThisLine =~ m/^$SearchDate ..:..:.. [^ ]* [^ ]*: /o) {
> > >       print $ThisLine;
> > >    } elsif ($ThisLine =~ m/(Mon|Tue|Wed|Thu|Fri|Sat|Sun) $SearchDate ..:..:.. \d{4}/o) {
> > >       print $ThisLine;
> > >    }
> > > }
> > >
> > >
> > > I'm not very good at reading perl code.  Can someone help me figure out
> > > why this would not catch the following type of line from my log:
> > >
> > > Jan 21 10:14:17 int_vpn.internal.clearcommerce.com fTCP ERR: Unknown next_proto, 69 from 66.14.149.35
> >
> > The default date range is "Yesterday", which would eliminate all lines
> > with a timestamp other than yesterday's date.
> >
> > Have you tried doing '--range all' on the logwatch command-line?
>
> Yes.  It doesn't catch any of these types of messages regardless of date
> unless I turn off the ApplyStdDate in the conf file.  It only catches the
> following type of message.  There are several other message types that
> it doesn't catch either.
>
> Jan 23 22:26:04 int_vpn.internal.clearcommerce.com Uptime:   0 days 13 hrs
>
> You should be able to duplicate this effect pretty easily.  If you'd like
> I can send the conf files that I've defined for the service.  Just in
> case it is important, this is on Solaris 2.6 using perl 5.005_03.
>
> Marty
>
> --------------------------------------------
> Marty Hoff                   martang@clearcommerce.com
> UNIX Administrator           ClearCommerce Corp.
>
> Always remember you're unique, just like everyone else.
>

--------------------------------------------
Marty Hoff                   martang@clearcommerce.com
UNIX Administrator           ClearCommerce Corp.

Always remember you're unique, just like everyone else.
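
Added example, not part of the original message and not Logwatch's own code: the three patterns quoted above are run against the two sample lines from the thread, showing that the second pattern requires a tag with no space before the colon, so "Uptime: " passes while "fTCP ERR: " matches nothing and is dropped. The `$SearchDate` value and the third input line are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: stand-in for the date pattern Logwatch builds from --range;
# it accepts any "Mon DD" stamp so date filtering is out of the picture.
my $SearchDate = '[A-Z][a-z]{2} [ \d]\d';

# The three patterns from the ApplyStdDate loop quoted in the message.
my @patterns = (
   [ 'host tag[pid]: ', qr/^$SearchDate ..:..:.. [^ ]* [^ ]*\[[0123456789]*\]: / ],
   [ 'host tag: ',      qr/^$SearchDate ..:..:.. [^ ]* [^ ]*: / ],
   [ 'ctime style',     qr/(Mon|Tue|Wed|Thu|Fri|Sat|Sun) $SearchDate ..:..:.. \d{4}/ ],
);

# Returns the label of the first pattern that matches, or undef if the
# line would be silently discarded by the filter.
sub classify {
   my ($line) = @_;
   for my $p (@patterns) {
      return $p->[0] if $line =~ $p->[1];
   }
   return undef;
}

# The two sample lines from the message, plus one constructed variant.
my @lines = (
   'Jan 21 10:14:17 int_vpn.internal.clearcommerce.com fTCP ERR: Unknown next_proto, 69 from 66.14.149.35',
   'Jan 23 22:26:04 int_vpn.internal.clearcommerce.com Uptime:   0 days 13 hrs',
   # Constructed: same message with the space in the tag replaced by "_".
   'Jan 21 10:14:17 int_vpn.internal.clearcommerce.com fTCP_ERR: constructed variant',
);

my $dropped = 0;
for my $line (@lines) {
   my $hit = classify($line);
   $dropped++ unless defined $hit;
   printf "%-8s %-16s %s\n", defined $hit ? 'KEPT' : 'DROPPED', $hit // '-', $line;
}

# A filter that discards lines without a trace is a reporting gap;
# surface the count so dropped log lines are noticed.
warn "$dropped of ", scalar(@lines), " lines matched no pattern\n" if $dropped;
```

Counting unmatched lines this way, rather than discarding them, makes it visible when a date filter is removing events from a report.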