[Logwatch] Logwatch on central syslog server
mgt at stellarcore.net
Thu Jul 31 07:00:34 MST 2008
> I've successfully used logwatch on each server and have some post-processing
> on logwatch reports that tie in with my access control system, so I can
> identify users logging on without authorisation, sudo without authorisation,
> Now need to process the log files on my central syslog server, which has
> logs in the following structure:
> Has anyone configured a central instance of logwatch to process log files in
> a similar custom structure and filename convention and can they share how
> they did it?
Two ways to try and get what you want. First, you can try to configure the
various logfile configurations so that logwatch knows to look at
The files are in /usr/share/logwatch/default.conf/logfiles/ and you
would need to use various wildcards to get it to search the directories,
fiddle with the archives flag, and maybe see if the hosts format stuff is
actually working if you want to split it by host.
The other way, which is a little tighter, is to use a short wrapper
written in bash or perl or whatever you like that will format up the
path to the logfile and feed it to the command-line logwatch call.
Here is a snip from a perl wrapper I have which points logdir at /tmp
because I have dumped logfiles from a mysql database into /tmp so
that logwatch can use them and then delete them off.
#logwatch --logfile maillog --logdir /tmp --range today --print
system("$logwatch --logdir \'\"$tmpdir\"\' $options --print");
So the key here is the --logdir flag. If you can pass --logdir
"/logs/*/2008/07/28/" and then stick *.secure.authpriv.log in the logfile
conf for secure.conf, it should work.
Hope that helps.
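One way to write the wrapper described above, as an added example that is not code from the original post: a POSIX shell script that builds the per-host --logdir path for the /logs/<host>/YYYY/MM/DD/ layout implied in the thread, checks each directory name before it is placed on the logwatch command line, and then calls logwatch with --logdir, --range and --print. The LOGROOT and LOGWATCH variables, the --service secure selection and the exact directory layout are assumptions; the --logdir, --range, --service and --print flags are real logwatch options.

```shell
#!/bin/sh
# Added example wrapper (not from the original post). Assumed layout:
#   $LOGROOT/<host>/<YYYY>/<MM>/<DD>/<host>.secure.authpriv.log
# Each host directory for the requested day is handed to logwatch via --logdir.

LOGROOT="${LOGROOT:-/logs}"          # assumed root of the central syslog tree
LOGWATCH="${LOGWATCH:-logwatch}"     # assumed logwatch executable on PATH

# logdir_for HOST YYYY-MM-DD -> prints the directory logwatch should read.
logdir_for() {
    host=$1
    day=$2
    y=${day%%-*}
    rest=${day#*-}
    m=${rest%%-*}
    d=${rest#*-}
    printf '%s/%s/%s/%s/%s\n' "$LOGROOT" "$host" "$y" "$m" "$d"
}

# valid_host NAME -> returns 0 only for a plain hostname token. Directory
# entries containing slashes, "..", or shell metacharacters are rejected so
# that a stray entry under LOGROOT cannot become an unexpected --logdir value.
valid_host() {
    case $1 in
        ''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_host HOST YYYY-MM-DD -> run logwatch on that host's directory for that
# day; returns 1 (without calling logwatch) when the directory is missing.
run_host() {
    dir=$(logdir_for "$1" "$2")
    [ -d "$dir" ] || { echo "skip $1: no directory $dir" >&2; return 1; }
    "$LOGWATCH" --logdir "$dir" --range today --service secure --print
}

# main [YYYY-MM-DD] -> iterate over every host directory under LOGROOT
# (defaults to today) and produce one report per host.
main() {
    day=${1:-$(date +%Y-%m-%d)}
    for hostdir in "$LOGROOT"/*/; do
        host=$(basename "$hostdir")
        valid_host "$host" || { echo "skipping odd entry: $host" >&2; continue; }
        run_host "$host" "$day"
    done
}

# Only run the loop when invoked explicitly: ./central-logwatch.sh --run 2008-07-28
if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

Because each host gets its own --logdir, the secure.conf logfile group only needs a LogFile pattern matching *.secure.authpriv.log; no wildcard over the date tree is needed in the Logwatch configuration itself.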