[Logwatch] reporting on mult hosts

Systems Administrator sysadmin@sunet.com.au
Tue, 4 Mar 2003 09:08:01 +1100


    I use it for multiple hosts (currently Unix only, but hoping to include
Cisco someday).  You'll need to modify the configuration files.  I'd suggest
checking out http://www.sourceforge.net/projects/logconf, as it will do the
configuration for you (or at least make it a lot easier).  As for the logs
from Windows hosts, unless they're recognised services, it probably won't
report on them at all -- you may need to make scripts for the services you
want to recognise.  However, Kirk has designed the program so that adding
extra services should be easy.

    I get a single report, so that I can't tell which host a message is
coming from.  I hope someday to rectify the two deficiencies I've mentioned
in this e-mail,  but I may not get around to it.

    Thanks,

Tim Nelson
Systems Administrator
Sunet Internet
Tel:  +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin@sunet.com.au
----- Original Message -----
From: "Lori Homsher" <lhomsher@jjsheeran.com>
To: <logwatch@logwatch.org>
Sent: Tuesday, March 04, 2003 4:55 AM
Subject: [Logwatch] reporting on mult hosts


> Greetings...
>
> I'm sending log entries from my M$ servers to a centralized logging server,
> and trying to get these entries included in my logwatch reports. I've tried
> the '--hostname' option, but no go. I also created a new script called
> 'hyperion' to try to capture the entries as a service (not working either).
> Finally, I tried creating a script for 'security', since that's the actual
> service name on the 'hyperion' line. I know the scripts are being run
> because the 'hyperion' section appeared on my logwatch report when I had
> syntax errors :) , but as soon as I correct the errors, my 'hyperion'
> sections do not show on the report anymore.
>
> Here's a sample from my logfile showing both hosts (bethany & hyperion):
> Mar  3 13:12:54 bethany sshd(pam_unix)[13097]: session opened for user lhomsher by (uid=0)
> Mar  3 13:13:08 bethany su(pam_unix)[13133]: session opened for user root by lhomsher(uid=500)
> Mar  3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: EBROAD  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: \\ED  failed. The error code was: 3221225572
>
> If I run: './logwatch --range today --hostname hyperion --print', I get
> some non-host-specific stuff like samba, but also some bethany host stuff
> like sshd sessions (and no entries for hyperion).
>
> Has anyone successfully used logwatch to report on multiple hosts? It
> doesn't matter to me if I get a single report, or if I must run logwatch
> for each host.
>
> Thanks,
> Lori
>
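
An added example, not part of the original thread and not Logwatch code: a small Python parser that splits the three sample lines quoted above by host and service, so each message stays attributed to its origin. The regular expressions are assumptions derived only from those three lines; note that the forwarded Windows line has no `service[pid]:` tag, so it needs its own pattern.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines quoted in the thread, unwrapped.
SAMPLE = r"""Mar  3 13:12:54 bethany sshd(pam_unix)[13097]: session opened for user lhomsher by (uid=0)
Mar  3 13:13:08 bethany su(pam_unix)[13133]: session opened for user root by lhomsher(uid=500)
Mar  3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: EBROAD  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: \\ED  failed. The error code was: 3221225572
"""

# Syslog header: timestamp, reporting host, then the rest of the line.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# Unix-style tag: name, optional (module), optional [pid], then a colon.
UNIX_TAG = re.compile(
    r"^(?P<svc>[\w./-]+)(?:\([^)]*\))?(?:\[\d+\])?:\s*(?P<msg>.*)$")
# Forwarded Windows event as it appears in the thread: source[type] id text.
WIN_TAG = re.compile(
    r"^(?P<svc>\w+)\[(?P<type>[a-z]+)\] (?P<event_id>\d+) (?P<msg>.*)$")

def parse_line(line):
    """Return a record dict for one log line, or None if it has no header."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "format": "unknown",
           "service": None, "msg": m["rest"]}
    for fmt, rx in (("unix", UNIX_TAG), ("windows", WIN_TAG)):
        tag = rx.match(m["rest"])
        if tag:
            rec.update(format=fmt, service=tag["svc"], msg=tag["msg"])
            if fmt == "windows":
                rec.update(type=tag["type"], event_id=int(tag["event_id"]))
            break
    return rec

def group_by_host(text):
    """Group parsed records as report[host][service] -> list of records."""
    report = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            report[rec["host"]][rec["service"]].append(rec)
    return report

if __name__ == "__main__":
    for host, services in sorted(group_by_host(SAMPLE).items()):
        for svc, recs in sorted(services.items()):
            print(f"{host:10} {svc:10} {len(recs)} line(s) [{recs[0]['format']}]")
```

Lines whose tag matches neither pattern are kept under service `None` with format `unknown`, so unrecognised hosts still show up in the grouping instead of disappearing.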