[Logwatch] Logwatch and IP address reporting

MrC lists-logwatch at cappella.us
Wed Jun 20 18:13:56 MST 2007

> -----Original Message-----
> From: nawshad hoossanbuksh

> Hello MrC,
>      Thank you for your quick reply. Yes, in fact I've been

Hello Nawshad,

Let's keep the discussion on list; others can benefit and help out too.
Feel free to continue CC'ing me directly if you want, but I receive the list
mail as well.

> looking a bit through the script being used for each service, 
> and I think I will try to modify it a bit, as you told me. What 
> I am looking for is, for every unmatched expression, to report 
> the hostname too. That might help the administrator locate 
> more easily where the log entries are found, I mean in what log file.

I actually think this is a useful idea; unfortunately, the architecture of
logwatch is such that pre-filters strip out some useful information such as
date and hostname.  Many per-service scripts ultimately obtain only data
after the service name in question.

Every such script would need to be modified to handle this additional
information.  Currently, it works like this:

   log entry | filters | per-service script

This is accomplished via standard pipelines.  In order to solve the problem
directly, the filter would need to be modified to handle the leader
information such as date, host, pid, etc. and the config files would be
modified so that data flows directly, as in:

   log entry | per-service script

The reason for the filters is to abstract differences in the various logging
formats on the various platforms, and to present only the requested data to
the filter (for example, only data for a given hostname).

I personally believe a better architecture would be to provide each
per-service script with *all* the information, and the configuration files
would indicate which data should be reported.  And the filters would be
standard perl match filters or routines, available to each per-service
script.  In other words, instead of spoon feeding minimal information to
each script, give them complete information along with the request on what
to produce.

When I re-wrote the postfix and amavis scripts, I had to do just this -
remove the call to the filters, and parse the date/host/service data within
the script... because the scripts needed the extra information that was
being stripped.

>      But I am also facing a major problem with logwatch:(( It 
> concerns the param LogDir in the 'logwatch.conf' file. Let me 
> explain myself:
> Using syslog-ng to concentrate all logs onto a main server, I 
> wish to use logwatch to monitor these logs. Syslog-ng is 
> configured such that logs are placed in a directory 
> corresponding to the following 
> example:
> /var/log/HOST/PCTMP/auth/20070720-11.log
> /var/log/HOST/
> Now with logwatch, I have configured the 
> /usr/share/logwatch/default.conf/logwatch.conf
> such that
> Logdir =
> Logdir = /var/log/HOST/PCTMP
> and in /usr/share/logwatch/default.conf/logfiles/secure.conf, 
> I have this
> LogFile = auth/*.log
> My problem is that this does not seem to work:(( In the debug 
> mode, I think logwatch seems to look in the /var/log directory 
> and not in /var/log/HOST/PCTMP.
> Any idea please?? Thank you again for your response.

I think the problem here may be in the auto-lowercasing of variable values.
Logwatch automatically lowercases ALL variable values, except for those in
double-quotes.  Failure is silent (and difficult to detect).  Place your
values in double quotes to preserve case:

  Logdir = "/var/log/HOST/PCTMP"

I think one of the other developers will have to comment if this does not
solve the issue.
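As an added illustration of the architecture MrC argues for above (full leader information handed to each per-service script, with the hostname kept on unmatched lines), here is a small Python sketch. It is example code written for this page, not logwatch's own Perl code: the syslog lines, hostnames and addresses are constructed, the sshd patterns are a deliberately tiny subset, and the `only_host` filter stands in for the "only data for a given hostname" request that the real filters implement.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of syslog-style lines as a central syslog-ng host might
# collect them; hosts, users and addresses are invented for this example.
SAMPLE_LOG = """\
Jun 20 18:01:02 pctmp sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jun 20 18:01:09 pctmp sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Jun 20 18:02:15 webfe1 sshd[917]: Accepted password for bob from 192.0.2.22 port 41000 ssh2
Jun 20 18:02:30 webfe1 sshd[920]: Received disconnect from 192.0.2.22: 11: Bye Bye
Jun 20 18:03:44 pctmp cron[501]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Leader layout assumed here: "Mon DD HH:MM:SS host service[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<service>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split the leader off a line but keep every field (date, host, service,
    pid, msg) instead of discarding date and host as a stripping pre-filter does."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


# Hypothetical, deliberately minimal set of "known" sshd messages.
KNOWN_SSHD = {
    "accepted": re.compile(r"^Accepted (\S+) for (\S+) from (\S+)"),
    "failed": re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+)"),
}


def sshd_script(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Per-service script that receives complete entries, so it can report
    the host on every unmatched line rather than just the message text."""
    accepted: Dict[Tuple[str, str], int] = {}
    failed: Dict[Tuple[str, str, str], int] = {}
    unmatched: List[str] = []
    for e in entries:
        m = KNOWN_SSHD["accepted"].match(e["msg"])
        if m:
            key = (e["host"], m.group(2))          # (host, user)
            accepted[key] = accepted.get(key, 0) + 1
            continue
        m = KNOWN_SSHD["failed"].match(e["msg"])
        if m:
            key = (e["host"], m.group(1), m.group(2))  # (host, user, source)
            failed[key] = failed.get(key, 0) + 1
            continue
        # Unmatched: keep host and date so the admin can find the log file.
        pid = f"[{e['pid']}]" if e["pid"] else ""
        unmatched.append(f"{e['host']} {e['date']} sshd{pid}: {e['msg']}")
    return {"accepted": accepted, "failed": failed, "unmatched": unmatched}


# Registry of per-service scripts; services without one are reported as skipped.
SCRIPTS = {"sshd": sshd_script}


def run(log_text: str, only_host: Optional[str] = None) -> Dict[str, object]:
    """Route complete entries to per-service scripts, applying the optional
    per-host selection here instead of in a pre-filter that strips the leader."""
    by_service: Dict[str, List[Dict[str, str]]] = {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or (only_host is not None and e["host"] != only_host):
            continue
        by_service.setdefault(e["service"], []).append(e)
    reports = {svc: SCRIPTS[svc](ents) for svc, ents in by_service.items() if svc in SCRIPTS}
    skipped = sorted(svc for svc in by_service if svc not in SCRIPTS)
    return {"reports": reports, "skipped": skipped}


if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for line in result["reports"]["sshd"]["unmatched"]:
        print("UNMATCHED:", line)
```

The point of the design is visible in `sshd_script`: because the entry still carries `host` and `date`, the unmatched report can say which host (and therefore which file under the per-host directory tree) the line came from, which is exactly the information a stripping pre-filter throws away.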

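The quoting problem in the second half of the message, as an added example that is not part of the original thread and not logwatch's own parser: the Python below emulates the rule MrC states (unquoted variable values are lowercased, double-quoted ones keep their case) on two constructed `logwatch.conf` fragments, and adds the check that turns the silent failure into a visible one by comparing the resulting `LogDir` against a constructed set of existing directories.

```python
import re
from typing import Dict, Iterable

# Constructed config fragments in the logwatch.conf style quoted in the thread.
CONF_UNQUOTED = """\
# main server collecting syslog-ng output
LogDir = /var/log/HOST/PCTMP
Detail = Med
"""

CONF_QUOTED = """\
LogDir = "/var/log/HOST/PCTMP"
Detail = Med
"""

# Constructed stand-in for the directories that exist on the log host.
EXISTING_DIRS = {"/var/log", "/var/log/HOST", "/var/log/HOST/PCTMP"}

LINE_RE = re.compile(r'^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<val>.*?)\s*$')


def parse_conf(text: str) -> Dict[str, str]:
    """Emulation (an assumption, not logwatch's code) of the value handling
    described in the message: keys are lowercased, unquoted values are
    lowercased too, and only double-quoted values keep their case."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        val = m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]      # quoted: case preserved
        else:
            val = val.lower()    # unquoted: silently lowercased
        conf[key] = val
    return conf


def check_logdir(conf: Dict[str, str], existing_dirs: Iterable[str]) -> str:
    """Make the failure loud: report a missing LogDir and, when a directory
    differs only in case, say so, since that is the quoting symptom."""
    logdir = conf.get("logdir", "")
    existing = set(existing_dirs)
    if logdir in existing:
        return "ok"
    for d in existing:
        if d.lower() == logdir.lower():
            return (f"logdir {logdir!r} not found; {d!r} differs only in case "
                    f"(put the value in double quotes)")
    return f"logdir {logdir!r} not found"


if __name__ == "__main__":
    for label, text in (("unquoted", CONF_UNQUOTED), ("quoted", CONF_QUOTED)):
        conf = parse_conf(text)
        print(f"{label}: LogDir={conf['logdir']!r} -> {check_logdir(conf, EXISTING_DIRS)}")
```

Running it shows the unquoted form collapsing to `/var/log/host/pctmp`, which is not a directory that exists, while the quoted form resolves correctly; the case-only comparison in `check_logdir` is the quick test to run whenever a path with upper-case components seems to be ignored.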

