[Logwatch] Logwatch and IP address reporting
lists-logwatch at cappella.us
Tue Jun 19 10:03:56 MST 2007
> Hello MrC,
> Thank you for your quick reply. My log entries in
> /var/log/auth.log come from different services, namely the 'auth
> and authpriv facilities' in syslog-ng.
> The unmatched entries correspond to the service 'secure' in
> logwatch. But I do not think it is particular to that
> service, because logwatch seems to show partial log entries
> whenever unmatched patterns are observed in logfiles, no
> matter what service is being used.
Each report section in logwatch has its own script that runs. They are
by default. The one you refer to below is named "secure".
> Report from logwatch
> --------------------- Connections (secure-log) Begin
> **Unmatched Entries**
> -- MARK -- : 1 Time(s)
> CRON: (blablabla) modified entries: 1 Time(s)
> CRON: (blablabla) modified entries on purpose
> (uid=0): 1 Time(s)
> ---------------------- Connections (secure-log) End
> Log entries in auth.log
> Jun 19 10:10:01 PCTM CRON: (blablabla) modified entries
> on purpose
> Jun 19 10:10:01 PCTMP CRON: (blablabla) modified entries
> These 2 lines are added on purpose for testing. I would like to know if it
> is possible to report the line, i.e. 'PCTMP CRON: (blablabla) modified
> entries', instead of just 'CRON: (blablabla) modified entries: 1 Time(s)',
> i.e. I would also need to see the source IP or name (here PCTMP).
> This is quite important for log monitoring whenever a centralized log system
> is used, as in my situation. Thank you very much in advance.
You will have to modify the script to provide what you need. Just after the
main processing while loop, there is a line:
$ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
which strips the date and hostname. You will have to save the original
line, and use it instead to store unmatched lines.
But the more important question is - what is it that you really want: more
detail in the unmatched lines, or for the unmatched lines to go away in
general and be integrated into the report?
> >Subject: RE: [Logwatch] Logwatch and IP address reporting
> >Date: Mon, 18 Jun 2007 15:07:33 -0700
> > > Hello all
> > >
> > > I would like to know if it is possible to report the whole
> > > log entry being matched during monitoring. Using
> > > syslog to forward logs from remote machines, I would like to
> > > see the IP address of the source of the log entries in my
> > > centralized log file on the server.
> > >
> > > From logwatch report:
> > > **Unmatched Entries**
> > > (root-5110): démarrage (version 2.16.1), pid 5110
> > > utilisateur « root » : 1 Time(s)
> > > [French: startup (version 2.16.1), pid 5110, user « root »]
> > >
> > > From my log file (auth.log)
> > > Jun 18 10:48:19 194.3.***.*** (root-5110): démarrage (version
> > > 2.16.1), pid 5110 utilisateur « root »
> > >
> > I can't tell what service this is from. Can you clarify?
> > In general, most of the services are written such that they expect syslog's
> > dates, service names, etc. to be stripped from the input. For such,
> > the filter and its configuration file need to be updated to not strip this
> > information, and report / use it in a meaningful way.
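The change MrC describes above (save the original line before the date/host substitution and use it when recording unmatched entries), worked through as an added example. This is not logwatch's own "secure" script nor code from anyone in the thread; it is a stripped-down filter written in the style of a logwatch service script. The two matched patterns (a cron pam_unix session and an sshd login) are illustrative only, and the sample lines in the DATA section are constructed: the host names PCTM and PCTMP come from the post, and a 192.0.2.0/24 address stands in for the masked IP.

```perl
#!/usr/bin/perl
# Minimal logwatch-style service filter that keeps the syslog hostname in
# the **Unmatched Entries** section.  Added example, not logwatch's "secure"
# script; the matched patterns and the sample log lines are illustrative.
use strict;
use warnings;

my %Sessions  = ();   # matched: cron sessions opened, per user
my %Accepted  = ();   # matched: sshd logins, per "user from address"
my %OtherList = ();   # unmatched, keyed by a line that still carries the host

# Logwatch pipes the log into the script on STDIN.  When run by hand with a
# terminal on STDIN, fall back to the constructed sample below.
my $fh = -t STDIN ? \*DATA : \*STDIN;

while (defined(my $ThisLine = <$fh>)) {
    chomp $ThisLine;
    my $OrigLine = $ThisLine;          # keep the full line before stripping

    # The stock stripping step: drop "Mon dd hh:mm:ss host " entirely, so the
    # existing patterns in a real service script keep matching unchanged.
    $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;

    # Same prefix, but strip only the timestamp: the hostname (or source IP
    # of a forwarded entry) stays at the front of $HostLine.
    (my $HostLine = $OrigLine) =~ s/^... .. ..:..:.. //;

    if ($ThisLine =~ /^CRON\[\d+\]: pam_unix\(cron:session\): session opened for user (\S+)/) {
        $Sessions{$1}++;
    } elsif ($ThisLine =~ /^sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+/) {
        $Accepted{"$1 from $2"}++;
    } else {
        # Before the change this was $OtherList{$ThisLine}++, by which point
        # the host had already been removed.  Key on $HostLine instead.
        $OtherList{$HostLine}++;
    }
}

if (keys %Sessions) {
    print "\nCron sessions opened:\n";
    printf "   %s: %d Time(s)\n", $_, $Sessions{$_} for sort keys %Sessions;
}
if (keys %Accepted) {
    print "\nSSH logins accepted:\n";
    printf "   %s: %d Time(s)\n", $_, $Accepted{$_} for sort keys %Accepted;
}
if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    printf "   %s: %d Time(s)\n", $_, $OtherList{$_} for sort keys %OtherList;
}

# Constructed sample input (not real log data).  The two CRON test lines are
# the ones from the post; 192.0.2.x is a documentation address.
__DATA__
Jun 19 10:10:01 PCTM CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 10:10:01 PCTM CRON: (blablabla) modified entries on purpose
Jun 19 10:10:01 PCTMP CRON: (blablabla) modified entries
Jun 19 10:11:42 PCTMP sshd[2201]: Accepted publickey for alice from 192.0.2.7 port 51022 ssh2
Jun 19 10:12:05 192.0.2.9 -- MARK --
```

Run it with no arguments to see the report built from the embedded sample, where the unmatched lines come out as "PCTMP CRON: (blablabla) modified entries: 1 Time(s)" and "192.0.2.9 -- MARK --: 1 Time(s)"; pipe /var/log/auth.log into it to run against a real log. The only change relative to the stock shape of a service script is the $HostLine assignment and its use as the key of %OtherList. One caveat from the earlier reply in this thread: if the service's shared filter configuration already removes the syslog header before the script is invoked, there is no hostname left for this change to keep, and that configuration has to be adjusted as well.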