[Logwatch] Logwatch and IP address reporting

MrC lists-logwatch at cappella.us
Tue Jun 19 10:03:56 MST 2007


 
> Hello MrC,
> 
>    Thank you for your quick reply. My log entries in 
> /var/log/auth.log come from different services, namely the 'auth 
> and authpriv facilities' in syslog-ng. 
> The unmatched entries correspond to the service 'secure' in 
> logwatch. But I do not think it is particular to that 
> service, because logwatch seems to show partial log entries 
> whenever unmatched patterns are observed in logfiles, no 
> matter what service is being used.
> 

Each report section in logwatch has its own script that runs.  They are
located in

   /usr/share/logwatch/scripts/services

by default.  The one you refer to below is named "secure".


> Report from logwatch
> 
> --------------------- Connections (secure-log) Begin
> ------------------------
> 
>   **Unmatched Entries**
>     -- MARK -- : 1 Time(s)
>     CRON[7132]: (blablabla) modified entries: 1 Time(s)
>     CRON[7132]: (blablabla) modified entries on purpose 
> (uid=0): 1 Time(s)
> 
> ---------------------- Connections (secure-log) End
> -------------------------
> 
> Log entries in auth.log
> 
> Jun 19 10:10:01 PCTM CRON[7132]: (blablabla) modified entries 
> on purpose
> (uid=0)
> Jun 19 10:10:01 PCTMP CRON[7132]: (blablabla) modified entries
> 
> 
> These 2 lines are added on purpose for testing. I would like 
> to know if it is possible to report the line, i.e. 'PCTMP CRON[7132]: 
> (blablabla) modified entries', instead of just 'CRON[7132]: (blablabla) 
> modified entries: 1 Time(s)', i.e. I would also need to see the source 
> IP or name (here PCTMP). 
> This is quite important for log monitoring whenever a 
> centralized log system is used, as in my situation. Thank you very 
> much in advance.
> 
> 

You will have to modify the script to provide what you need.  Just after the
main processing while loop, there is a line:

   $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;

which strips the date and hostname.  You will have to save the original
line, and use it instead to store unmatched lines.

But the more important question is - what is it that you really want: more
detail in the unmatched lines, or for the unmatched lines to go away in
general and be integrated into the report?

MrC

> 
> 
> 
> >Subject: RE: [Logwatch] Logwatch and IP address reporting
> >Date: Mon, 18 Jun 2007 15:07:33 -0700
> >
> >
> > > Hello all
> > >
> > >    I would like to know if it is possible to report the whole
> > > log entry being matched while the monitoring processes. Using
> > > syslog to deport logs from remote machines, I would like to
> > > see the IP address of the source of the log entries in my
> > > centralized log file on the server.
> > >
> > > From logwatch report:
> > > **Unmatched Entries**
> > >     (root-5110): démarrage (version 2.16.1), pid 5110
> > > utilisateur « root » : 1 Time(s)
> > >
> > > From my log file (auth.log)
> > > Jun 18 10:48:19 194.3.***.*** (root-5110): démarrage (version
> > > 2.16.1), pid 5110 utilisateur « root »
> > >
> >
> >I can't tell what service this is from.  Can you clarify?
> >
> >In general, most of the services are written such that they 
> expect syslog's
> >dates, service names, etc. to be stripped from the input.  For such 
> >filters,
> >the filter and its configuration file need to be updated to 
> not strip this
> >information, and report / use it in a meaningful way.
> >
> >MrC
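The change MrC describes, shown as an added illustration rather than logwatch's own "secure" script: a minimal logwatch-style service filter that saves the original syslog line before the date/host stripping substitution and keys unmatched entries on that saved copy, so the source host or IP survives in the report. The hash names `%Accepted` and `%OtherList`, the sshd "Accepted" pattern and the sample log lines are assumptions constructed for this example; only the stripping regex is the one quoted in the thread.

```perl
#!/usr/bin/perl
# Added illustration, not logwatch's own "secure" script: a minimal
# logwatch-style service filter that keeps the full syslog line for
# unmatched entries so the source host (or IP) shows up in the report.
use strict;
use warnings;

# Constructed sample input, standing in for the lines logwatch feeds a
# service script on STDIN. The first two are the test lines from the thread.
my @SampleInput = (
    "Jun 19 10:10:01 PCTMP CRON[7132]: (blablabla) modified entries on purpose (uid=0)",
    "Jun 19 10:10:01 PCTMP CRON[7132]: (blablabla) modified entries",
    "Jun 19 10:12:44 gw01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Jun 19 10:12:44 198.51.100.7 sshd[2212]: Accepted password for bob from 192.0.2.11 port 51235 ssh2",
    "Jun 19 10:20:00 gw01 -- MARK --",
);

my %Accepted;   # "user from address (method)" -> count; a "known" pattern
my %OtherList;  # unmatched entries -> count (assumed name, as in many filters)

foreach my $OrigLine (@SampleInput) {
    chomp($OrigLine);
    my $ThisLine = $OrigLine;   # keep the original before stripping

    # The same stripping the thread quotes: remove "Mon DD HH:MM:SS host ".
    # The ".." before the time also absorbs the space-padded day ("Jun  9").
    $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;

    if ($ThisLine =~ /^sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)/) {
        $Accepted{"$2 from $3 ($1)"}++;
    } elsif ($ThisLine =~ /^-- MARK --$/) {
        # syslog heartbeat: deliberately ignored
    } else {
        # The original behaviour would be $OtherList{$ThisLine}++, which loses
        # the host. Key on the original line with only the timestamp removed,
        # so the host stays but identical entries still aggregate across time.
        (my $Key = $OrigLine) =~ s/^... .. ..:..:.. //;
        $OtherList{$Key}++;
    }
}

# Report in the same layout logwatch uses.
if (keys %Accepted) {
    print "\nAccepted logins:\n";
    foreach my $k (sort keys %Accepted) {
        print "    $k: $Accepted{$k} Time(s)\n";
    }
}
if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    foreach my $k (sort keys %OtherList) {
        print "    $k: $OtherList{$k} Time(s)\n";
    }
}
```

Run with `perl filter.pl`; the two CRON lines then appear under **Unmatched Entries** as `PCTMP CRON[7132]: ...` rather than `CRON[7132]: ...`. In the real service script the edit is the same two steps at the line MrC points to: copy `$ThisLine` into a saved variable before the substitution, and use the saved copy (timestamp removed, host kept) wherever unmatched lines are stored. Whether the host is a name or an IP depends only on what syslog wrote to auth.log, which is why the centralized-logging case benefits directly.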


