[Logwatch] reporting on mult hosts

Lori Homsher lhomsher@jjsheeran.com
Mon, 03 Mar 2003 12:55:44 -0500


Greetings...

I'm sending log entries from my M$ servers to a centralized logging server, 
and trying to get these entries included in my logwatch reports. I've tried 
the '--hostname' option, but no go. I also created a new script called 
'hyperion' to try to capture the entries as a service (not working either). 
Finally, I tried creating a script for 'security', since that's the actual 
service name on the 'hyperion' line. I know the scripts are being run 
because the 'hyperion' section appeared on my logwatch report when I had 
syntax errors :) , but as soon as I correct the errors, my 'hyperion' 
sections do not show on the report anymore.

Here's a sample from my logfile showing both hosts (bethany & hyperion):
Mar  3 13:12:54 bethany sshd(pam_unix)[13097]: session opened for user lhomsher by (uid=0)
Mar  3 13:13:08 bethany su(pam_unix)[13133]: session opened for user root by lhomsher(uid=500)
Mar  3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: EBROAD  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: \\ED  failed. The error code was: 3221225572

If I run: './logwatch --range today --hostname hyperion --print', I get 
some non-host-specific stuff like samba, but also some bethany host stuff 
like sshd sessions (and no entries for hyperion).

Has anyone successfully used logwatch to report on multiple hosts? It 
doesn't matter to me if I get a single report, or if I must run logwatch 
for each host.

Thanks,
Lori
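
Added example, not part of the original post and not Logwatch code: a Python parser that groups the quoted entries by the host field and pulls the account, workstation and error code out of the forwarded event 681 line, whose "security[failure] 681" prefix has no "tag[pid]:" form like the sshd and su lines. The function names are this example's own, and the input is the post's three entries with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Constructed input: the three entries quoted in the post, with the mail
# client's line wrapping undone.
SAMPLE = r"""Mar  3 13:12:54 bethany sshd(pam_unix)[13097]: session opened for user lhomsher by (uid=0)
Mar  3 13:13:08 bethany su(pam_unix)[13133]: session opened for user root by lhomsher(uid=500)
Mar  3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: EBROAD  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: \\ED  failed. The error code was: 3221225572
"""

HEADER = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")  # time, host, rest
UNIX = re.compile(r"^([^\s\[]+)\[\d+\]:\s(.*)$")                # tag[pid]: msg
WIN = re.compile(r"^(\w+)\[(\w+)\]\s(\d+)\s(.*)$")              # log[type] id msg
LOGON_681 = re.compile(
    r"logon to account:\s*(\S+).*?from workstation:\s*(\S+)\s+failed\."
    r".*?error code was:\s*(\d+)")

def parse(line):
    """Return a dict for one syslog line, or None if it has no syslog header."""
    head = HEADER.match(line)
    if not head:
        return None
    ts, host, rest = head.groups()
    entry = {"time": ts, "host": host, "service": None, "event_id": None, "msg": rest}
    unix, win = UNIX.match(rest), WIN.match(rest)
    if unix:
        entry["service"], entry["msg"] = unix.groups()
    elif win:
        entry["service"], _kind, entry["event_id"], entry["msg"] = win.groups()
    return entry

def by_host(text):
    """Group parsed entries by host so each host can be reported on its own."""
    hosts = defaultdict(list)
    for entry in filter(None, map(parse, text.splitlines())):
        hosts[entry["host"]].append(entry)
    return dict(hosts)

def failed_logons(entries):
    """Return (account, workstation, error code in hex) for event 681 entries."""
    out = []
    for e in entries:
        m = LOGON_681.search(e["msg"]) if e["event_id"] == "681" else None
        if m:
            out.append((m.group(1), m.group(2), hex(int(m.group(3)))))
    return out

if __name__ == "__main__":
    for host, entries in by_host(SAMPLE).items():
        print(host, [e["service"] for e in entries], failed_logons(entries))
```

The error code is logged in decimal; 3221225572 is 0xC0000064, the NTSTATUS value for a logon attempt against a user name that does not exist.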