[Logwatch] Logwatch and IP address reporting
nawshad01 at hotmail.com
Thu Jun 21 01:45:05 MST 2007
I try to use LogDir = "var/log/HOST/PCTMP/auth" in
And use LogFile = 20070621-10.log (for example) in
But still no stats being reported by logwatch from the secure service. And
what I do not understand still, is that if I run logwatch --debug 10 for
example, I can see the following:
Preprocessing LogFile: maillog
/var/log/syslog /var/log/mail.log | /usr/bin/perl
/usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl
/usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl
Logwatch seems to look for /var/log/syslog and not
/var/log/HOST/PCTMP/auth/syslog.log for example. Have I missed something?
Why is my default directory not taken into account?
To summarize, all I need is the number of failed or succeeded
logins. That's all I'm looking for. So if anyone has got a solution for me,
Thank you all, Thank MrC too<^O^>.
>> -----Original Message-----
>> From: nawshad hoossanbuksh
>> Hello MrC,
>> Thank you for your quick reply. Yes, in fact I've been
> Hello Nawshad ,
> Let's keep the discussion on list; others can benefit and help out too.
> Feel free to continue CC'ing me directly if you want, but I receive the
> mail as well.
>> looking a bit through the script being used for each service,
>> and I think I will try to modify a bit, as you told me. What
>> I am looking for is for every unmatched expression, to report
>> the hostname too. That might help the administrator to locate
>> more easily where the log entries are found, I mean in what log file.
> I actually think this is a useful idea; unfortunately, the architecture of
> logwatch is such that pre-filters strip out some useful information such
> as date and hostname. Many per-service scripts ultimately obtain only data
> after the service name in question.
> Every such script would need to be modified to handle this additional
> information. Currently, it works like this:
> log entry | filters | per-service script
> This is accomplished via standard pipelines. In order to solve the
> directly, the filter would need to be modified to handle the leader
> information such as date, host, pid, etc. and the config files would be
> modified so that data flows directly, as in:
> log entry | per-service script
> The reason for the filters is to abstract differences in the various
> formats on the various platforms, and to present only the requested data
> the filter (for example, only data for a given hostname).
> I personally believe a better architecture would be to provide each
> per-service script with *all* the information, and the configuration files
> would indicate which data should be reported. And the filters would be
> standard perl match filters or routines, available to each per-service
> script. In other words, instead of spoon feeding minimal information to
> each script, give them complete information along with the request on what
> to produce.
> When I re-wrote the postfix and amavis scripts, I had to do just this -
> remove the call to the filters, and parse the date/host/service data
> the script... because the scripts needed the extra information that was
> being stripped.
>> But I am also facing a major problem with logwatch:(( It
>> concerns the param logDir in the 'logwatch.conf' file. Let me
>> explain myself:
>> Using syslog-ng to concentrate all logs onto a main server, I
>> wish to use logwatch to monitor these logs. Syslog-ng is
>> configured such that logs are placed in a directory
>> corresponding to the following
>> Now with logwatch, i have configured the
>> such that
>> Logdir =
>> Logdir = /var/log/HOST/PCTMP
>> and in /usr/share/logwatch/default.conf/logfiles/secure.conf,
>> I have this
>> LogFile = auth/*.log
>> My problem is that this does not seem to work:(( In the debug
>> mode, I think logwatch seems to look in the /var/log directory
>> and not in /var/log/HOST/PCTMP.
>> Any idea please?? Thank you again for your response.
> I think the problem here may be in the auto-lowercasing of variable
> Logwatch automatically lowercases ALL variable values, except for those in
> double-quotes. Failure is silent (and difficult to detect). Place your
> values in double quotes to preserve case:
> Logdir = "/var/log/HOST/PCTMP"
> I think one of the other developers will have to comment if this does not
> solve the issue.
View this message in context: http://www.nabble.com/Logwatch-and-IP-address-reporting-tf3939778.html#a11228983
Sent from the Logwatch - General mailing list archive at Nabble.com.
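A check for the silent lowercasing MrC describes, as an added example that is not part of the original thread or of Logwatch itself: a shell function that lists every `Name = Value` line whose unquoted value contains upper-case letters. The function name, the treatment of `#` as a comment marker and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# lint_logwatch_conf FILE...
# Reports assignments whose value is not wrapped in double quotes and
# contains an upper-case letter, i.e. values that would be lowercased
# (behaviour as described in the thread). Returns 1 if any are found.
lint_logwatch_conf() {
    awk '
        {
            line = $0
            sub(/#.*$/, "", line)              # assumption: "#" starts a comment
            if (line ~ /^[ \t]*$/) next        # blank or comment-only line
            eq = index(line, "=")
            if (eq == 0) next                  # not a Name = Value line
            name  = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (value ~ /^".*"$/) next         # quoted: case is preserved
            if (value ~ /[A-Z]/) {
                printf "%s:%d: %s = %s (would be read as %s)\n",
                       FILENAME, FNR, name, value, tolower(value)
                bad = 1
            }
        }
        END { exit (bad + 0) }
    ' "$@"
}

# Constructed sample configuration, modelled on the settings in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real logwatch.conf
LogDir = /var/log/HOST/PCTMP
TmpDir = "/var/Cache/logwatch"
Detail = low
EOF

lint_logwatch_conf "$sample" || echo "quote the values listed above"
rm -f "$sample"
```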