[Logwatch] Logwatch on Windows

logwatch at mikecappella.com logwatch at mikecappella.com
Mon Aug 22 12:14:02 MST 2005

> Argh you made me rethink my assumptions and try to recall 
> where I was last Friday when they dumped this in my lap.
> Grep was my first tool.  And it works well.  But.
> Maybe I don't know how to use grep.  I want to scan the DHCP 
> logs on an aggressive schedule, the idea is to catch a print 
> server as it obtains a new address* and minimize downtime.  
> At a first guess if I make a pass every five minutes through 
> the DHCP logs will work.
> So I can grep the log but grep by itself won't tell me when 
> the last time device x obtained that IP or if that hit just 
> returned is the same one I saw last time.  This is what 
> logwatch does, yes?  "Scan this file every 5 minutes and if 
> this hit is new do action X".

Grep filters lines from an input stream that match a Regular Expression.
You write an RE that suits your needs, and you run grep as often as you want
to find lines you are looking for.  To get the first, or last, lines that
you require, or then Nth (or whatever), pipe the output of grep to either
head -1, or tail -1, or whatever filter program you want to do the job.

Logwatch does not sit and watch logs, which is what I'm perceiving you think
it does.  Rather, it is a number perl scripts which perform regular
expression matches on various logfiles.  In other words, its just like grep,
but with lots more processing and smarts.  You simply don't need to run such
a heavy-weighted when 95% of what it does is not useful to you.  Logwatch is
run periodically, say once or twice per day.  It is used to look for
anomalies and other tidbits by filtering out normal behavior.

> I confess that I stopped using logwatch when (two years ago) 
> we turned on a snazzy (expensive) scheduler/alert server - I 
> could be wrong.

Again, logwatch is not by itself an alerter, and is not the most efficient
mechanism for such a task anyway (as it rereads and processes lines in the
log files each and every run vs. an alerter which can keep a file open for
continuous reading for file appends).

> Further thought - I could grep for MAC address X  compare the 
> old with new IP and change if they don't match.  That would work.

It sounds like you really want a perl or awk script, since you want to a)
match an RE, b) perform a little text manipulation.  This should be
relatively straightforward and simple given your requirements.  It would

  match Mac address in logfile
    strip out unwanted text, leaving timestamp and/or IP address
    perform some action (like calling another script to do your updates)

Hope this helps,

More information about the Logwatch mailing list