[Logwatch] iptables summary on Ubuntu

Dale Morin dale at MustangInternetServices.com
Sun Jan 21 11:31:16 MST 2007


On Sun, January 21, 2007 11:59 am, MrC said:
>> I am running logwatch v7.1 on Ubuntu Dapper (6.06) and I
>> would like to reduce the size of the logwatch report by
>> reducing the number of lines used for the iptables section.
>>
>> Ubuntu/Debian iptables log record:
>>
>> Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule: IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=24.18.48.92 DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65259 PROTO=TCP SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0
>>
>> Redhat iptables log record:
>>
>> Jan 21 09:43:26 frodo kernel: iptables inbound no rule: IN=eth0 OUT= MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 SRC=74.52.64.250 DST=66.192.75.199 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 DF PROTO=TCP SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0
>>
>> The difference is the [52899815.060000] in the Ubuntu/Debian record.
>> Since it is a timestamp, it prevents logwatch from
>> summarizing the number of logged packets by IP.  This makes
>> the kernel section of the logwatch report much larger than it
>> needs to be.
>>
>
> I'm using the latest logwatch, so may not have the same iptables filter.
> If yours is similar, you could replace the line near the top of the while
> loop:
>
>    $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?//;
>
> with:
>
>    $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )? (\[\d+\.\d+\] )?//;

Thanks for the prompt reply.  I used your line but I removed two blanks
from it to get the results I needed.  Here's the line I wound up using:

$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\])?//;

Thanks again.


-- 
Dale Morin, Mustang Internet Services, Inc.
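Worked example, added here and not part of logwatch or of either poster's message: a stand-alone Perl script that runs both substitutions from this thread over the two records quoted above (re-joined onto single lines, plus one constructed repeat of the Ubuntu record so a count above 1 appears), then tallies packets per log prefix, source address and destination port the way a summary filter would. It also shows why the blanks mattered: the first regex never matches either record, so it strips nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample input: the two records quoted in this thread, re-joined onto single
# lines, plus a constructed second hit from the same Ubuntu source address
# (different syslog time and uptime stamp) so the summary counts to 2.
my @records = (
    'Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule: IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=24.18.48.92 DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65259 PROTO=TCP SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0',
    'Jan 21 09:51:20 elrond kernel: [52899821.120000] iptables inbound no rule: IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=24.18.48.92 DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65260 PROTO=TCP SPT=11337 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0',
    'Jan 21 09:43:26 frodo kernel: iptables inbound no rule: IN=eth0 OUT= MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 SRC=74.52.64.250 DST=66.192.75.199 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 DF PROTO=TCP SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0',
);

# The substitution as first suggested in the thread. The literal blank after
# "(kernel: )?" can never be satisfied: the next character is "[" on Ubuntu
# and the "i" of the log prefix on Red Hat, so the anchored regex fails and
# the line comes back unchanged.
sub strip_prefix_with_blanks {
    my ($line) = @_;
    $line =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )? (\[\d+\.\d+\] )?//;
    return $line;
}

# The substitution Dale ended up with: both optional groups sit directly after
# the blank that follows the hostname, so either record shape is accepted.
sub strip_prefix {
    my ($line) = @_;
    $line =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\])?//;
    $line =~ s/^\s+//;   # the "[uptime]" match leaves the blank after it behind
    return $line;
}

# Split a stripped line into the --log-prefix text and its KEY=VALUE fields.
# Bare flags (DF, SYN, RST, ...) are stored as KEY => 1.
sub parse_record {
    my ($line) = @_;
    my ($prefix, $rest) = $line =~ /^(.*?):\s*(IN=.*)$/ or return;
    my %f = (PREFIX => $prefix);
    for my $tok (split ' ', $rest) {
        if    ($tok =~ /^([A-Z]+)=(.*)$/) { $f{$1}   = $2 }
        elsif ($tok =~ /^[A-Z]+$/)        { $f{$tok} = 1  }
    }
    return \%f;
}

# First, show what the version with the extra blanks does to each record.
for my $raw (@records) {
    my $tried = strip_prefix_with_blanks($raw);
    printf "first regex %s: %s...\n",
        ($tried eq $raw ? 'left line untouched' : 'stripped prefix'),
        substr($raw, 0, 40);
}

# Then summarise: one line per (log prefix, SRC, DST:DPT/PROTO) with a count.
my %count;
for my $raw (@records) {
    my $f = parse_record(strip_prefix($raw)) or next;
    my $key = sprintf "%s: %s -> %s:%s/%s",
        $f->{PREFIX}, $f->{SRC}, $f->{DST}, $f->{DPT}, $f->{PROTO};
    $count{$key}++;
}
for my $key (sort keys %count) {
    printf "%5d %s\n", $count{$key}, $key;
}
```

Run it with `perl summarize.pl`: the three "first regex" lines all report the line untouched, and the summary shows 2 packets for 24.18.48.92 -> 66.192.75.30:80/TCP and 1 for 74.52.64.250 -> 66.192.75.199:6680/TCP. One detail worth keeping in mind when patching the real filter: after the bracketed uptime is removed, the Ubuntu line still starts with a blank, so anything downstream that anchors on `^iptables` needs the extra `s/^\s+//` (or the blank folded into the optional group).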
