[Logwatch] iptables summary on Ubuntu
dale at MustangInternetServices.com
Sun Jan 21 11:31:16 MST 2007
On Sun, January 21, 2007 11:59 am, MrC said:
>> I am running logwatch v7.1 on Ubuntu Dapper (6.06) and I
>> would like to reduce the size of the logwatch report by
>> reducing the number of lines used for the iptables section.
>> Ubuntu/Debian iptables log record:
>> Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables
>> inbound no rule:
>> IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00
>> SRC=22.214.171.124 DST=126.96.36.199 LEN=40 TOS=0x00 PREC=0x20
>> TTL=241 ID=65259 PROTO=TCP
>> SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0
>> Redhat iptables log record:
>> Jan 21 09:43:26 frodo kernel: iptables inbound no rule:
>> IN=eth0 OUT= MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00
>> DST=188.8.131.52 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335
>> DF PROTO=TCP
>> SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0
>> The difference is the [52899815.060000] in the Ubuntu/Debian record.
>> Since it is a timestamp, it prevents logwatch from
>> summarizing the number of logged packets by IP. This makes
>> the kernel section of the logwatch report much larger than it
>> needs to be.
> I'm using the latest logwatch, so may not have the same iptables filter.
> yours is similar, you could replace the line near the top of the while
> $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?//;
> $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )? (\[\d+\.\d+\] )?//;
Thanks for the prompt reply. I used your line but I removed two blanks
from it to get the results I needed. Here's the line I wound up using:
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\])?//;
Dale Morin, Mustang Internet Services, Inc.
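To see why the extra substitution matters, here is an added example (not code from the thread or from logwatch itself) that ports the two Perl substitutions above to Python and runs them over constructed Ubuntu-style and Red Hat-style records. The grouping logic is an assumption: it models the filter as keying its per-IP counts on the text that precedes " IN=" (the rule's log prefix), which is enough to show that the uptime stamp makes every Ubuntu line its own group until it is stripped. Sample lines, hostnames and addresses are constructed, using documentation address ranges.

```python
import re
from collections import Counter

# Original line from the iptables filter as quoted in the thread, ported
# from Perl: strips the syslog date, the hostname and the optional
# "kernel: " tag, but leaves the "[seconds.micros]" uptime stamp that
# Ubuntu/Debian kernels insert before the message.
ORIGINAL_PREFIX = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?")

# Dale's final version from the thread: additionally strips the optional
# "[seconds.micros]" stamp, so Ubuntu and Red Hat records become identical.
FINAL_PREFIX = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\])?")

# Constructed sample records (not from the page): two Ubuntu-style lines
# with different uptime stamps and one Red Hat-style line, all from the
# same source to the same destination port.
SAMPLE_LOG = [
    "Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x20 TTL=241 "
    "ID=65259 PROTO=TCP SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:52:02 elrond kernel: [52899863.120000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x20 TTL=241 "
    "ID=65260 PROTO=TCP SPT=11337 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:43:26 frodo kernel: iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 "
    "ID=53335 DF PROTO=TCP SPT=1237 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# Netfilter key=value fields we aggregate on.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def strip_prefix(line, pattern=FINAL_PREFIX):
    """Apply the substitution discussed in the thread to one syslog line."""
    return pattern.sub("", line, count=1)


def summarize(lines, pattern=FINAL_PREFIX):
    """Count packets per (log prefix, SRC, DST, PROTO, DPT).

    Assumption: the filter groups on the text before " IN=" (the rule's
    log prefix). This is a simplified model of that grouping, not
    logwatch's own code.
    """
    counts = Counter()
    for line in lines:
        record = strip_prefix(line, pattern)
        head, sep, _rest = record.partition(" IN=")
        if not sep:
            continue  # not an iptables packet record
        fields = dict(FIELD_RE.findall(record))
        key = (head.strip(), fields.get("SRC"), fields.get("DST"),
               fields.get("PROTO"), fields.get("DPT"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PREFIX), ("final", FINAL_PREFIX)):
        print(f"--- {label} substitution: {len(summarize(SAMPLE_LOG, pattern))} group(s)")
        for key, n in summarize(SAMPLE_LOG, pattern).items():
            print(n, key)
```

With the original substitution the two Ubuntu lines keep their distinct `[52899815.060000]` and `[52899863.120000]` prefixes and are reported as three separate one-packet groups; with the final substitution all three lines collapse into a single group of three packets from the same source to the same port, which is the compact report the thread is after.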