[Logwatch] iptables summary on Ubuntu - new iptables module code

Dale Morin dale at MustangInternetServices.com
Mon Jan 22 06:41:13 MST 2007


>> The difference is the [52899815.060000] in the Ubuntu/Debian record.
>> Since it is a timestamp, it prevents logwatch from summarizing the number
>> of logged packets by IP.  This makes the kernel section of the logwatch
>> report much larger than it needs to be.
> How about doing it the other way around? Check the iptables config to drop
> the extra timestamp and you have no need to change logwatch files.
> As I have not seen the request before one can argue it is something rather
> specific to your config of your iptables setup.

I've googled and this is the standard in Ubuntu distributions, but if the
sysadmin isn't using logwatch, or not using the iptables module, it will
not be an issue.  Or, if the firewall is dropping packets without logging
them the report volume won't be an issue.

I could not find a way to remove the timestamp from the logged packet
records, but if anyone can point me in the right direction I'd be
appreciative.  Absent that, I will have to alter the logwatch module for
iptables to get this report back to a manageable size.

If you'd like to have the changes, maybe we could set a variable in the
module config and control the code that drops the timestamp.

Dale Morin, Mustang Internet Services, Inc.
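
The effect described in this message, as an added example that is not part of the original post and is not logwatch's own (Perl) code: a stand-alone Python sketch that counts logged packets per log prefix and source IP, with a switch for dropping the kernel timestamp. The record layout, the `FW-DROP:` prefix, the host name and the `strip_timestamp` switch are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# printk uptime stamp such as "[52899815.060000] "; the kernel pads short
# values with spaces, e.g. "[   61.204113] ".
KTIME = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# Assumed record layout: free-text log prefix after "kernel: ", then IN=... SRC=...
RECORD = re.compile(r"kernel: (?P<prefix>.*?)IN=\S* .*?SRC=(?P<src>\S+)")

# Constructed sample lines (documentation addresses, made-up host and prefix).
SAMPLE = [
    "Jan 22 06:40:01 fw kernel: [52899815.060000] FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22",
    "Jan 22 06:40:03 fw kernel: [52899817.310000] FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22",
    "Jan 22 06:40:07 fw kernel: [52899821.820000] FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22",
    # Same event as logged by a kernel that does not add the timestamp.
    "Jan 22 06:40:08 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22",
    "Jan 22 06:40:09 fw kernel: [   61.204113] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP DPT=53",
    # Not a packet record; must be ignored.
    "Jan 22 06:40:10 fw kernel: [52899824.500000] eth0: link up",
]


def summarize(lines, strip_timestamp=True):
    """Count packet records per (log prefix, source IP).

    With strip_timestamp=False the timestamp stays in the prefix, so every
    record gets its own key and nothing is aggregated.
    """
    counts = Counter()
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # not an iptables packet record
        prefix = m.group("prefix")
        if strip_timestamp:
            prefix = KTIME.sub("", prefix)
        counts[(prefix.strip(), m.group("src"))] += 1
    return counts


if __name__ == "__main__":
    for label, flag in (("timestamp kept", False), ("timestamp stripped", True)):
        result = summarize(SAMPLE, strip_timestamp=flag)
        print(f"{label}: {len(result)} report lines")
        for (prefix, src), n in sorted(result.items()):
            print(f"  {n:3d}  {prefix}  from {src}")
```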

