[Logwatch] ignore.conf entry

Bob Hutchinson hutchlists at midwales.com
Wed Mar 1 03:29:56 MST 2006


On Wednesday 01 Mar 2006 01:30, Cameron B. Prince wrote:
> Hi Markus,
>
> Here is a sample of the output. In the full output, there are hundreds of
> 200 responses. This is why I need to get the ignore going. It makes
> monitoring the logs cumbersome at best to have all this output.

A quick hack would be to copy /usr/share/logwatch/scripts/services/http 
to /etc/logwatch/scripts/services/http and comment out the section on lines 
664-672

That should sort it until ignore.conf is better developed

I also get False Positives under this category, though not as many as you 
do ;-)

>
> I didn't consider left over files from the original version as this link
> indicated an rpm -Uvh would be fine:
>
> http://www.nabble.com/forum/ViewPost.jtp?post=2599652&framed=y
>
> Thanks for your help.
>
> Cameron
>

>
>  ################### Logwatch 7.2.1 (01/18/06) ####################
>         Processing Initiated: Tue Feb 28 10:27:50 2006
>         Date Range Processed: yesterday
>                               ( 2006-Feb-27 )
>                               Period is day.
>       Detail Level of Output: 0
>               Type of Output: unformatted
>            Logfiles for Host: fqdn.com
>   ##################################################################
>
>  --------------------- httpd Begin ------------------------
>
>  A total of 83 sites probed the server
>
>  !!!! 458 possible successful probes
>
> /cgi-bin/gfcp/scan/MM=af4bc40c9125f34f493f6baf92997466:48:59:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=0a17338fd505b3e1400956d0a7f590f0:36:47:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=57165fb20970f19d127127de23218324:30:39:10.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_--_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=28ae720efbd2b30a4088a3544517ea65:160:175:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=6dfe763b0c4f4a84049121771f0a0766:24:35:12.html?mv_more_ip=1&mv_nextpage=wallsearch&mv_arg=%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=04e222898a1ac0ea3414476a94cc8d8d:120:131:12.html?mv_more_ip=1&mv_nextpage=wallsearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=94540b065bab3f81418b19dc324bebb5:144:155:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=2ac5ef93135059c9c0d072659c4c8e81:48:59:12.html?mv_more_ip=1&mv_nextpage=mantelsearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=43e732940eb12f9811946f7cdd67b535:64:79:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=e61a8bd0bae6bdac192fac35c585c712:36:47:12.html?mv_more_ip=1&mv_nextpage=mantelsearch&mv_arg=-_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=84a32ba9332b1d6bccda4fb38730fcdf:120:131:12.html?mv_more_ip=1&mv_nextpage=grandfathersearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=c1441a403fedf9bf45254c6e196c678a:204:215:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_--_NULL_--_NULL_--_NULL_--_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=8d5b75578c8e4798e3d8f40269ad2c71:208:223:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=af4bc40c9125f34f493f6baf92997466:60:71:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=baf783804a21a85d5e7c78175d15bf5c:256:271:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 302
>
> /cgi-bin/gfcp/scan/MM=40cfee87f647c1b2d9e31d16eb15a377:0:15:16.html?mv_more_ip=1&mv_nextpage=gallery&mv_arg=wall-_NULL_--_NULL_--_NULL_--_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=94540b065bab3f81418b19dc324bebb5:288:299:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=2184dfe1ae9b5f737a4ff6c3be7d6078:32:47:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=84a32ba9332b1d6bccda4fb38730fcdf:180:186:12.html?mv_more_ip=1&mv_nextpage=grandfathersearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=fcba96f58145db5a9f82d9203a0d9f8d:48:59:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=28ae720efbd2b30a4088a3544517ea65:112:127:16.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=cb4930da01493773e8b37d74563106a5:72:83:12.html?mv_more_ip=1&mv_nextpage=antiquesearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=04e222898a1ac0ea3414476a94cc8d8d:168:179:12.html?mv_more_ip=1&mv_nextpage=wallsearch&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=e5c99e91ea1fd7fe9c515d76414894d2:12:23:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=c1441a403fedf9bf45254c6e196c678a:180:191:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_--_NULL_--_NULL_--_NULL_--_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=7e4a0b24e8c8208e19f568e8b94a495a:228:239:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=40cfee87f647c1b2d9e31d16eb15a377:48:63:16.html?mv_more_ip=1&mv_nextpage=gallery&mv_arg=wall-_NULL_--_NULL_--_NULL_--_NULL_-&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=af4bc40c9125f34f493f6baf92997466:192:203:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> /cgi-bin/gfcp/scan/MM=7e4a0b24e8c8208e19f568e8b94a495a:36:47:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=%2d_NULL_%2d%2d_NULL_%2d&mv_arg= HTTP Response 200
>
> > -----Original Message-----
> > From: Markus Lude [mailto:lude at informatik.uni-tuebingen.de]
> > Sent: Tuesday, February 28, 2006 6:42 PM
> > To: logwatch at logwatch.org
> > Cc: cameron at princeservices.com
> > Subject: Re: [Logwatch] ignore.conf entry
> >
> > On Tue, Feb 28, 2006 at 05:37:36PM -0600, Cameron B. Prince wrote:
> >
> > Hello,
> >
> > > Hi Bjorn,
> > >
> > > Thanks for your reply...
> > >
> > > > Indeed, something is not quite right, because you should not be
> >
> > getting
> >
> > > > info on the 200 codes.  Is this a stock logwatch, or were there any
> > > > customizations in /etc/logwatch?
> > >
> > > The installs are completely stock with Fedora Core 4 and this is on 4
> > > different servers, all share the same symptoms. The only customization
> >
> > was
> >
> > > the additions in ignore.conf after the upgrade to v7.2.1-2.
> >
> > are there any files left from an older logwatch version? Somewhere in
> > the 7.x versions the directory structure was changed.
> >
> > > > > I upgraded to logwatch-7.2.1-2 which gave me the ignore.conf file.
> >
> > I've
> >
> > > > > tried the following in this file:
> > > > >
> > > > > GET.*HTTP.*200
> > > > > HTTP\/1.1"\s200
> > > > >
> > > > > Neither of these are omitting the 200 response lines and I just
> >
> > can't
> >
> > > > seem
> > > >
> > > > > to find a solid example.
> > > >
> > > > That also puzzled me, but it looks like ignore.conf matches against
> >
> > the
> >
> > > > output of logwatch, not the log entries.  I've modified the
> > > > HOWTO-Customize-LogWatch to reflect this.
> > >
> > > Do you have any ideas as to what I can do to ignore.conf so that
> >
> > logwatch
> >
> > > will disregard the 200'?
> > >
> > > If I can do anything to help troubleshoot the problem, please let me
> >
> > know.
> >
> > Last time I remember seeing 200 http error code lines was back with
> > logwatch 6.0 under a heading like
> >   "A total of ... unidentified 'other' records logged"
> > This was dropped between 6.0.1 and 6.0.2.
> >
> > Do your 200 response lines appear after such a line or in which part of
> > the http block?
> >
> > In the summary at the top of the http block, is there a line for
> > "mod_proxy connection attempts" or "mod_proxy requests"?
> > The first is from <=6.0.1, the second from >=6.0.2. If no such line
> > appears, no mod_proxy request appeared on your server.
> >
> > Regards,
> > Markus
>
> _______________________________________________
> Logwatch mailing list
> Logwatch at logwatch.org
> http://www2.list.logwatch.org:8080/lists/listinfo/logwatch

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
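As an added illustration of the point Markus makes (this is not code from the thread or from logwatch itself): the two ignore.conf patterns Cameron tried are written against access_log lines, but ignore.conf is applied to logwatch's output lines, so they never match. The script approximates logwatch's filtering with `grep -v -E -f` over constructed sample lines; the output-format regex near the end is an assumption about what the reported entries look like.

```shell
#!/bin/sh
# Added example, not from the thread or from logwatch itself. It mimics how
# ignore.conf is applied under the behaviour Markus describes: each regex in
# the file is matched against every line of logwatch's OUTPUT and matching
# lines are dropped. That is approximated here with "grep -v -E -f".

# Constructed sample: one entry as it appears in the httpd "possible
# successful probes" section, and the access_log line it was derived from.
LW_OUT='/cgi-bin/gfcp/scan/MM=0a17338fd505b3e1400956d0a7f590f0:36:47:12.html?mv_more_ip=1&mv_nextpage=results&mv_arg=-_NULL_-&mv_arg= HTTP Response 200'
RAW_LOG='192.0.2.10 - - [27/Feb/2006:10:11:12 -0600] "GET /cgi-bin/gfcp/scan/MM=0a17338fd505b3e1400956d0a7f590f0:36:47:12.html?mv_more_ip=1 HTTP/1.1" 200 5120'

# The two patterns tried in the thread; both describe an access_log line.
LOG_STYLE_PATTERNS=$(mktemp)
cat > "$LOG_STYLE_PATTERNS" <<'EOF'
GET.*HTTP.*200
HTTP\/1.1"\s200
EOF

# An assumed alternative written against the output format instead.
OUT_STYLE_PATTERNS=$(mktemp)
printf '%s\n' 'HTTP Response 200$' > "$OUT_STYLE_PATTERNS"
trap 'rm -f "$LOG_STYLE_PATTERNS" "$OUT_STYLE_PATTERNS"' EXIT

# count_after_ignore PATTERN_FILE LINE: prints how many lines survive the
# ignore patterns (1 = still reported, 0 = suppressed).
count_after_ignore() {
    printf '%s\n' "$2" | grep -v -E -f "$1" | awk 'END { print NR + 0 }'
}

demo() {
    # 1: the log-style patterns leave the output line untouched
    echo "log-style patterns vs output line:  $(count_after_ignore "$LOG_STYLE_PATTERNS" "$LW_OUT")"
    # 0: they would match the raw log line, which ignore.conf never sees
    echo "log-style patterns vs raw log line: $(count_after_ignore "$LOG_STYLE_PATTERNS" "$RAW_LOG")"
    # 0: a pattern written for the output format suppresses the entry
    echo "output-style pattern vs output line: $(count_after_ignore "$OUT_STYLE_PATTERNS" "$LW_OUT")"
}

demo
```

Whether a given regex flavour or leading indentation in the real report needs adjusting is something to verify against your own logwatch output.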

