[Logwatch] reporting on mult hosts
Tue, 4 Mar 2003 09:08:01 +1100
I use it for multiple hosts (currently Unix only, but hoping to include
Cisco someday). You'll need to modify the configuration files. I'd suggest
checking out http://www.sourceforge.net/projects/logconf, as it will do the
configuration for you (or at least make it a lot easier). As for the logs
from Windows hosts, unless they're recognised services, it probably won't
report on them at all -- you may need to make scripts for the services you
want to recognise. However, Kirk has designed the program so that adding
extra services should be easy.
I get a single report, so that I can't tell which host a message is
coming from. I hope someday to rectify the two deficiencies I've mentioned
in this e-mail, but I may not get around to it.
----- Original Message -----
From: "Lori Homsher" <email@example.com>
Sent: Tuesday, March 04, 2003 4:55 AM
Subject: [Logwatch] reporting on mult hosts
> I'm sending log entries from my M$ servers to a centralized logging
> and trying to get these entries included in my logwatch reports. I've
> the '--hostname' option, but no go. I also created a new script called
> 'hyperion' to try to capture the entries as a service (not working
> Finally, I tried creating a script for 'security', since that's the actual
> service name on the 'hyperion' line. I know the scripts are being run
> because the 'hyperion' section appeared on my logwatch report when I had
> syntax errors :) , but as soon as I correct the errors, my 'hyperion'
> sections do not show on the report anymore.
> Here's a sample from my logfile showing both hosts (bethany & hyperion):
> Mar 3 13:12:54 bethany sshd(pam_unix): session opened for user
> lhomsher by (uid=0)
> Mar 3 13:13:08 bethany su(pam_unix): session opened for user root
> by lhomsher(uid=500)
> Mar 3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM The
> logon to account: EBROAD by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
> workstation: \\ED failed. The error code was: 3221225572
> If I run: './logwatch --range today --hostname hyperion --print', I get
> some non-host-specific stuff like samba, but also some bethany host stuff
> like sshd sessions (and no entries for hyperion).
> Has anyone successfully used logwatch to report on multiple hosts? It
> doesn't matter to me if I get a single report, or if I must run logwatch
> for each host.
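Added example (not part of the original thread and not Logwatch code): a Python sketch that splits a centralized syslog file by its hostname field and pulls the fields out of the forwarded `security[failure] 681` entry. The input is the three sample entries quoted above, re-joined onto one line each; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the three entries quoted in the post, re-joined onto one line each.
SAMPLE = r"""Mar 3 13:12:54 bethany sshd(pam_unix): session opened for user lhomsher by (uid=0)
Mar 3 13:13:08 bethany su(pam_unix): session opened for user root by lhomsher(uid=500)
Mar 3 11:53:21 hyperion security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: EBROAD by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: \\ED failed. The error code was: 3221225572
"""

# "Mon D HH:MM:SS host rest"; the host is the fourth whitespace-separated field.
SYSLOG = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$")
# Service tag ends at the first "(", "[", ":" or space, e.g. sshd(pam_unix): or security[failure].
SERVICE = re.compile(r"^[^\s(\[:]+")
FAILURE = re.compile(
    r"security\[failure\] (\d+) .*?logon to account: (\S+) by: (\S+) "
    r"from workstation: (\S+) failed\. The error code was: (\d+)"
)


def group_by_host(text):
    """Return {host: {service: [message, ...]}}; lines that do not parse are skipped."""
    hosts = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        host, rest = m.groups()
        tag = SERVICE.match(rest)
        hosts[host.lower()][tag.group(0) if tag else "unknown"].append(rest)
    return hosts


def parse_logon_failure(message):
    """Extract the fields of a forwarded Windows logon-failure entry, or None."""
    m = FAILURE.search(message)
    if not m:
        return None
    event_id, account, package, workstation, code = m.groups()
    return {
        "event_id": int(event_id),
        "account": account,
        "package": package,
        "workstation": workstation,
        # Show the decimal code as the 32-bit hex value Windows documentation uses.
        "status": "0x%08X" % int(code),
    }


if __name__ == "__main__":
    for host, services in group_by_host(SAMPLE).items():
        for service, messages in services.items():
            print(host, service, len(messages), parse_logon_failure(messages[0]))
```

Grouping on the hostname field first keeps each host's entries separate before any per-service summarising, which is the attribution a single combined report loses.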