[Logwatch] Logwatch and IP address reporting

nawshad nawshad01 at hotmail.com
Thu Jun 21 01:45:05 MST 2007


Hello all,

    I try to use LogDir = "var/log/HOST/PCTMP/auth" in
/usr/share/logwatch/default.conf/logwatch.conf
    And use     LogFile = 20070621-10.log  (for example) in
/usr/share/logwatch/default.conf/logfiles/secure.conf

But still no stats are being reported by logwatch from the secure service. And
what I still do not understand is that if I run logwatch --debug 10, for
example, I can see the following:

####################
.
.
.
Preprocessing LogFile: maillog
/var/log/syslog /var/log/mail.log  | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/applystddate
''>/tmp/logwatch.S7IORE8J/maillog
.
.

#######################

Logwatch seems to look for /var/log/syslog and not
/var/log/HOST/PCTMP/auth/syslog.log, for example. Have I missed something??
Why is my default directory not taken into account?

To summarize, what I need to just have is the number of failed or succeeded
logins. That's all I'm looking for. So if anyone has got a solution for me,
please!!!

Thank you all, thanks to MrC too <^O^>.





MrC-2 wrote:
> 
> 
> 
>> -----Original Message-----
>> From: nawshad hoossanbuksh
> 
>> Hello MrC,
>> 
>>      Thank you for your quick reply. Yes in fact I've been 
> 
> Hello Nawshad ,
> 
> Let's keep the discussion on list; others can benefit and help out too.
> Feel free to continue CC'ing me directly if you want, but I receive the
> list mail as well.
> 
> 
>> looking a bit through the script being used for each service, 
>> and I think I will try to modify it a bit, as you told me. What 
>> I am looking for is for every unmatched expression, to report 
>> the hostname too. That might help the administrator to locate 
>> more easily where the log entries are found, I mean in what log file.
> 
> I actually think this is a useful idea; unfortunately, the architecture of
> logwatch is such that pre-filters strip out some useful information such as
> date and hostname.  Many per-service scripts ultimately obtain only data
> after the service name in question.
> 
> Every such script would need to be modified to handle this additional
> information.  Currently, it works like this:
> 
>    log entry | filters | per-service script
> 
> This is accomplished via standard pipelines.  In order to solve the problem
> directly, the filter would need to be modified to handle the leader
> information such as date, host, pid, etc. and the config files would be
> modified so that data flows directly, as in:
> 
>      log entry | per-service script
> 
> The reason for the filters is to abstract differences in the various logging
> formats on the various platforms, and to present only the requested data to
> the filter (for example, only data for a given hostname).
> 
> I personally believe a better architecture would be to provide each
> per-service script with *all* the information, and the configuration files
> would indicate which data should be reported.  And the filters would be
> standard perl match filters or routines, available to each per-service
> script.  In other words, instead of spoon feeding minimal information to
> each script, give them complete information along with the request on what
> to produce.
> 
> When I re-wrote the postfix and amavis scripts, I had to do just this -
> remove the call to the filters, and parse the date/host/service data within
> the script... because the scripts needed the extra information that was
> being stripped.
> 
> 
>> 
>>      But I am also facing a major problem with logwatch:(( It 
>> concerns the param logDir in the 'logwatch.conf' file. Let me 
>> explain myself:
>> 
>> Using syslog-ng to concentrate all logs onto a main server, I 
>> wish to use logwatch to monitor these logs. Syslog-ng is 
>> configured such that logs are placed in a directory 
>> corresponding to the following 
>> /var/log/HOST/$HOST/$FACILITY/$YEAR$MONTH$DAY-$HOUR.log
>> 
>> example:
>> /var/log/HOST/PCTMP/auth/20070720-11.log
>> /var/log/HOST/192.0.0.1/authpriv/20070719-10.log
>> 
>> Now with logwatch, I have configured the 
>> /usr/share/logwatch/default.conf/logwatch.conf
>> such that
>> Logdir =
>> Logdir = /var/log/HOST/PCTMP
>> 
>> and in /usr/share/logwatch/default.conf/logfiles/secure.conf, 
>> I have this
>> 
>> LogFile = auth/*.log
>> 
>> My problem is that this does not seem to work:(( In the debug 
>> mode, I think logwatch seems to look in the /var/log directory 
>> and not in /var/log/HOST/PCTMP.
>> 
>> Any idea please?? Thank you again for your response.
> 
> I think the problem here may be in the auto-lowercasing of variable values.
> Logwatch automatically lowercases ALL variable values, except for those in
> double-quotes.  Failure is silent (and difficult to detect).  Place your
> values in double quotes to preserve case:
> 
>   Logdir = "/var/log/HOST/PCTMP"
> 
> I think one of the other developers will have to comment if this does not
> solve the issue.
> 
> MrC

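A check for the silent failure described in the quoted reply, added here as an example and not part of the original thread or of Logwatch itself: it flags unquoted configuration values whose case would change when read. The lower-casing rule is taken from that reply as an assumption, and `effective_value` and `lint_conf` are hypothetical names.

```python
import re
import sys

# Assumption taken from the reply above: Logwatch lower-cases every variable
# value unless the value is enclosed in double quotes.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')

# Constructed sample built from the settings quoted in this thread.
SAMPLE = '''\
# logwatch.conf / logfiles/secure.conf fragments (constructed)
Logdir = /var/log/HOST/PCTMP
LogFile = auth/*.log
LogDir = "/var/log/HOST/PCTMP"
'''

def effective_value(raw):
    """Value as it would be read under the assumed lower-casing rule."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]          # quoted: case preserved
    return raw.lower()            # unquoted: case folded

def lint_conf(text, source="<sample>"):
    """Return (source, line number, name, written, read_as) for each value
    whose case would change when read."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue              # comment line
        m = ASSIGNMENT.match(line)
        if not m or not m.group(2):
            continue              # not an assignment, or empty value
        name, raw = m.groups()
        read_as = effective_value(raw)
        if read_as != raw.strip('"'):
            findings.append((source, lineno, name, raw, read_as))
    return findings

if __name__ == "__main__":
    results = []
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += lint_conf(fh.read(), path)
    else:
        results = lint_conf(SAMPLE)
    for source, lineno, name, raw, read_as in results:
        print(f"{source}:{lineno}: {name} = {raw} would be read as {read_as}")
    sys.exit(1 if results else 0)
```

Run with the configuration files as arguments; a non-zero exit status means at least one value would lose its case, which suits a pre-deployment check on a central log host.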


