[Logwatch] iptables summary on Ubuntu

MrC lists-logwatch at cappella.us
Sun Jan 21 10:59:25 MST 2007


> I am running logwatch v7.1 on Ubuntu Dapper (6.06) and I 
> would like to reduce the size of the logwatch report by 
> reducing the number of lines used for the iptables section.
> 
> Ubuntu/Debian iptables log record:
> 
> Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables 
> inbound no rule:
> IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 
> SRC=24.18.48.92 DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 
> TTL=241 ID=65259 PROTO=TCP
> SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0
> 
> Redhat iptables log record:
> 
> Jan 21 09:43:26 frodo kernel: iptables inbound no rule: 
> IN=eth0 OUT= MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 
> SRC=74.52.64.250
> DST=66.192.75.199 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 
> DF PROTO=TCP
> SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0
> 
> The difference is the [52899815.060000] in the Ubuntu/Debian record. 
> Since it is a timestamp, it prevents logwatch from 
> summarizing the number of logged packets by IP.  This makes 
> the kernel section of the logwatch report much larger than it 
> needs to be.
> 

I'm using the latest logwatch, so I may not have the same iptables filter.  If
yours is similar, you could replace the line near the top of the while loop:

   $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?//;

with:

   $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?//;

MrC
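Added illustration, not part of MrC's reply or of logwatch itself: the two prefix patterns translated from Perl s/// into Python and run over constructed records in the two formats quoted above, with the `(\[\d+\.\d+\] )?` group placed directly after `(kernel: )?`. It assumes, as a simplification of the real filter, that the summary is keyed on the rule's log prefix plus SRC, DST and DPT; the effect of the uptime stamp shows up as one summary row per Ubuntu line instead of one per source.

```python
import re
from collections import Counter

# Prefix strip from the filter's while loop (quoted above), translated from Perl s///.
ORIGINAL_PREFIX = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?")
# Suggested replacement: also drops the optional Ubuntu/Debian "[uptime] " stamp.
PATCHED_PREFIX = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?")

# Constructed sample records modelled on the two formats quoted in the post;
# the second Ubuntu line repeats the first source so there is something to count.
SAMPLE_LINES = [
    "Jan 21 09:51:14 elrond kernel: [52899815.060000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=24.18.48.92 "
    "DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65259 PROTO=TCP "
    "SPT=11336 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:52:03 elrond kernel: [52899864.120000] iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:30:48:86:7f:7c:00:90:69:ac:43:f0:08:00 SRC=24.18.48.92 "
    "DST=66.192.75.30 LEN=40 TOS=0x00 PREC=0x20 TTL=241 ID=65260 PROTO=TCP "
    "SPT=11337 DPT=80 WINDOW=64497 RES=0x00 RST URGP=0",
    "Jan 21 09:43:26 frodo kernel: iptables inbound no rule: "
    "IN=eth0 OUT= MAC=00:30:48:81:1c:ae:00:90:69:ac:43:f0:08:00 SRC=74.52.64.250 "
    "DST=66.192.75.199 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53335 DF PROTO=TCP "
    "SPT=1237 DPT=6680 WINDOW=65535 RES=0x00 SYN URGP=0",
]

def strip_prefix(line, prefix=PATCHED_PREFIX):
    """Remove the date/host/kernel prefix, as the filter's s/// line does."""
    return prefix.sub("", line, count=1)

def rule_tag(line, prefix=PATCHED_PREFIX):
    """Text left in front of IN=, i.e. the rule's --log-prefix (plus any stamp)."""
    return strip_prefix(line, prefix).split(" IN=", 1)[0]

def parse_fields(line, prefix=PATCHED_PREFIX):
    """KEY=VALUE pairs of the record as a dict (OUT= yields an empty string)."""
    return dict(re.findall(r"(\w+)=(\S*)", strip_prefix(line, prefix)))

def summarize(lines, prefix=PATCHED_PREFIX):
    """Packets per (rule tag, SRC, DST, DPT): the collapsed view the report wants.
    With ORIGINAL_PREFIX every Ubuntu line keeps its own stamp, so nothing groups."""
    counts = Counter()
    for line in lines:
        f = parse_fields(line, prefix)
        counts[(rule_tag(line, prefix), f["SRC"], f["DST"], f.get("DPT", "-"))] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, ORIGINAL_PREFIX), summarize(SAMPLE_LINES), sep="\n")
```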
