[Logwatch] iptables summary on Ubuntu

Dale Morin dale at MustangInternetServices.com
Sun Jan 21 09:13:12 MST 2007


I am running logwatch v7.1 on Ubuntu Dapper (6.06) and I would like to
reduce the size of the logwatch report by reducing the number of lines
used for the iptables section.

Ubuntu/Debian iptables log record:

Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule:
IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=
DST= LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65259 PROTO=TCP
SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0

Redhat iptables log record:

Jan 21 09:43:26 frodo kernel: iptables inbound no rule: IN=eth0 OUT=
MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 SRC=
DST= LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 DF PROTO=TCP
SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0

The difference is the [52899815.060000] in the Ubuntu/Debian record. 
Since it is a timestamp, it prevents logwatch from summarizing the number
of logged packets by IP.  This makes the kernel section of the logwatch
report much larger than it needs to be.

I've tried to alter the file /usr/share/logwatch/scripts/services/iptables
to remove the [52899815.060000] from the $chain_info variable but I don't
know regular expressions well enough to make it work.

The least intrusive way to change this would seem to be something like
this, executed when $chain is not null.  I realize I am displaying my lack
of knowledge here but I'm hoping someone will be able to help.

# Drop a leading "[uptime]" kernel timestamp, if present, so the chain name is stable
$chain_info = ( $chain =~ /^\[\s*\d+\.\d+\]\s*(.*)$/ ) ? $1 : $chain;

Thanks in advance.

Dale Morin, Mustang Internet Services, Inc.
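As an added illustration (not part of the original post or of logwatch itself), a small Python normaliser for the two record shapes quoted above: it treats the Ubuntu/Debian "[uptime]" stamp as an optional, discarded group so both formats summarise by SRC. The sample lines and their IP addresses are constructed; `raw_prefix()` shows the untouched key that keeps every Ubuntu line distinct.

```python
import re
from collections import Counter

# Constructed samples in the two shapes quoted above (placeholder IPs added).
SAMPLE_LINES = [
    "Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65259 PROTO=TCP "
    "SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:51:15 elrond kernel: [52899816.120000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65260 PROTO=TCP "
    "SPT=11337 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:43:26 frodo kernel: iptables inbound no rule: IN=eth0 OUT= "
    "MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 SRC=203.0.113.7 "
    "DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 DF PROTO=TCP "
    "SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# Ubuntu/Debian inserts "[uptime.micro] " after "kernel: "; matching it as an
# optional, non-capturing group makes both shapes yield the same prefix.
KERNEL_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\skernel:\s"
    r"(?:\[\s*\d+\.\d+\]\s)?"
    r"(?P<prefix>.*?):\s(?P<fields>IN=.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def raw_prefix(line):
    """Text between 'kernel: ' and 'IN=', untouched: on Ubuntu it keeps the stamp."""
    return line.split("kernel: ", 1)[1].split(": IN=", 1)[0]

def parse_record(line):
    """Return (prefix, {field: value}) with the uptime stamp dropped, or None."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    return m.group("prefix"), dict(FIELD_RE.findall(m.group("fields")))

def summarize(lines):
    """Count packets per (log prefix, SRC): the grouping the report should show."""
    counts = Counter()
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            prefix, fields = parsed
            counts[(prefix, fields.get("SRC", ""))] += 1
    return counts
```

Calling `summarize(SAMPLE_LINES)` collapses the two elrond records into a single entry of 2 packets from 192.0.2.10, which is the grouping the report loses when the stamp is left in the key.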
