[Logwatch] Logwatch on central syslog server

Mike Tremaine mgt at stellarcore.net
Thu Jul 31 07:00:34 MST 2008


MattJoy wrote:
> I've successfully used logwatch on each server and have some post-processing
> on logwatch reports that tie in with my access control system, so I can
> identify users logging on without authorisation, sudo without authorisation,
> etc.
> 
> Now I need to process the log files on my central syslog server, which has
> logs in the following structure:
> 
> /logs/ipaddress/YYYY/MM/DD/YYYY-MM-DD.logfilename.facility.log
> e.g.
> /logs/10.100.100.1/2008/07/28/2008-07-28.secure.authpriv.log
> 
> Has anyone configured a central instance of logwatch to process log files in
> a similar custom structure and filename convention and can they share how
> they did it?
> 

Two ways to try and get what you want. First, you can try to configure the 
various logfile configurations so that logwatch knows to look at 
directories.

The files are in /usr/share/logwatch/default.conf/logfiles/ and you 
would need to use various wildcards to get it to search the directories and 
fiddle with the archives flag and maybe see if the hosts format stuff is 
actually working if you want to split it by host.


The other way, which is a little tighter, is to use a short wrapper 
written in bash or perl or whatever you like that will format up the 
path to the logfile and feed it to the command-line logwatch call.

Here is a snip from a perl wrapper I have which points logdir at /tmp 
because I have dumped logfiles from a mysql database into /tmp so 
that logwatch can use them and then delete them off.

# logwatch --logfile maillog --logdir /tmp --range today --print
my ($logwatch, $tmpdir, $options) = ('/usr/sbin/logwatch', '/tmp', '--logfile maillog --range today');  # example values
# Quote $tmpdir once for the shell; nesting '"..."' would hand logwatch a path with literal quotes in it.
system("$logwatch --logdir '$tmpdir' $options --print") == 0 or die "logwatch exited with status $?";

So the key here is the --logdir flag. If you can pass --logdir 
"/logs/*/2008/07/28/" and then stick *.secure.authpriv.log in the logfile 
conf for secure.conf, it should work.


Hope that helps.

-Mike

