[Logwatch] reporting on mult hosts
Mon, 03 Mar 2003 12:55:44 -0500
I'm sending log entries from my M$ servers to a centralized logging server,
and trying to get these entries included in my logwatch reports. I've tried
the '--hostname' option, but no go. I also created a new script called
'hyperion' to try to capture the entries as a service (not working either).
Finally, I tried creating a script for 'security', since that's the actual
service name on the 'hyperion' line. I know the scripts are being run
because the 'hyperion' section appeared on my logwatch report when I had
syntax errors :) , but as soon as I correct the errors, my 'hyperion'
sections do not show on the report anymore.
Here's a sample from my logfile showing both hosts (bethany & hyperion):

Mar 3 13:12:54 bethany sshd(pam_unix): session opened for user lhomsher by (uid=0)
Mar 3 13:13:08 bethany su(pam_unix): session opened for user root
Mar 3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: EBROAD by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: \\ED failed. The error code was: 3221225572

If I run: './logwatch --range today --hostname hyperion --print', I get
some non-host-specific stuff like samba, but also some bethany host stuff
like sshd sessions (and no entries for hyperion).
Has anyone successfully used logwatch to report on multiple hosts? It
doesn't matter to me if I get a single report, or if I must run logwatch
for each host.
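
Added example, not part of the original post and not Logwatch code: a stand-alone Python sketch that splits a combined syslog file by its host field and pulls the failed-logon details out of the forwarded NT event 681 line. The function names and regular expressions are assumptions built only from the three sample lines quoted above.

```python
import re
from collections import defaultdict

# Sample lines from the post, rejoined where the e-mail wrapped them.
SAMPLE = r"""Mar 3 13:12:54 bethany sshd(pam_unix): session opened for user lhomsher by (uid=0)
Mar 3 13:13:08 bethany su(pam_unix): session opened for user root
Mar 3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: EBROAD by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: \\ED failed. The error code was: 3221225572
"""

# Classic syslog layout: month, day, time, host, then the message.
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")

# Forwarded NT Security event 681 (failed logon) as it appears in the sample.
EVT681_RE = re.compile(
    r"^security\[failure\]\s+681\s+.*?logon to account:\s+(?P<account>\S+)"
    r".*?from workstation:\s+(?P<workstation>\S+)\s+failed\."
    r"\s+The error code was:\s+(?P<code>\d+)"
)


def split_by_host(text):
    """Group message bodies by the syslog host field (4th token)."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_host[m.group(4)].append(m.group(5))
    return dict(by_host)


def failed_logons(messages):
    """Return account, workstation and NTSTATUS (hex) for each event 681."""
    found = []
    for msg in messages:
        m = EVT681_RE.match(msg)
        if m:
            found.append({
                "account": m["account"],
                "workstation": m["workstation"],
                # The decimal code is an NTSTATUS value; hex is easier to look up
                # (0xC0000064 is STATUS_NO_SUCH_USER).
                "status": "0x%08X" % int(m["code"]),
            })
    return found


if __name__ == "__main__":
    for host, msgs in sorted(split_by_host(SAMPLE).items()):
        print(host, len(msgs), "lines,", failed_logons(msgs))
```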