[Logwatch] Problem stripping date/time stamp

Chris Brenton cbrenton at chrisbrenton.org
Thu Feb 18 02:19:44 MST 2010

Greets all,

I'm running into a problem stripping out date/time info and was hoping
someone could sanity check what I'm doing.

I'm looking to have Logwatch parse OSSEC logs as part of the daily
report. The date/time stamp OSSEC uses is as follows:

2010/02/18 00:01:31 ossec-monitord: <rest of the line stripped>

I looked at the "apply" scripts in the shared directory, but none of
them seem configured to handle this date/time format. So I took the
applyusdate script (closest match), copied it to a file named
applylongdate, and modified the new file as follows:

$SearchDate = TimeFilter('%Y/%m/%d %H:%M:%S');

This seems to be working as I can now get Logwatch to recognize
specified date ranges, and print the appropriate log entries. The
problem I'm having is with stripping out the date/time info so I can
create some decent filters.

Where would be the appropriate place to strip the date/time info? Would
it be right within the applylongdate script?

I tried making the following modifications to applylongdate:

while (defined($ThisLine = <STDIN>)) {
   if ($ThisLine =~ m/^$SearchDate /o) {
      # s/// returns the number of substitutions made, so this prints
      # that count (1) rather than the stripped line
      print $ThisLine =~ s/^....\/..\/.. ..:..:.. //;
   }
}

But now the report simply prints out a lot of "1"s. Probably something
obvious due to lack of caffeine, but I've hit a dead end.

Any and all help greatly appreciated.

Thanks in advance,
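The following is an added, stand-alone Perl example, not code from the original post and not Logwatch's own applyusdate or applylongdate script. It shows why `print $line =~ s///` emits "1" (the return value of s/// is the number of substitutions) and the form that prints the stripped line instead. The log lines are constructed, and the `$SearchDate` pattern is a hand-built stand-in for Logwatch's `TimeFilter('%Y/%m/%d %H:%M:%S')` so the script runs without Logwatch installed; the assumed names `$Day`, `$Stamp` and `$stripped` are mine.

```perl
#!/usr/bin/perl
# Added example (not Logwatch's applyusdate/applylongdate): demonstrates the
# "prints 1" mistake and the working way to strip an OSSEC-style timestamp.
use strict;
use warnings;

# Constructed OSSEC-style lines in the "YYYY/MM/DD HH:MM:SS daemon: msg" layout.
my @lines = (
    "2010/02/18 00:01:31 ossec-monitord: Starting ...\n",
    "2010/02/18 00:05:02 ossec-analysisd: Rule 5503 fired\n",
    "2010/02/17 23:59:58 ossec-monitord: previous day, should be filtered\n",
    "garbage line without a timestamp\n",
);

# Stand-in for TimeFilter('%Y/%m/%d %H:%M:%S'): accept any time on one day.
# Logwatch's real TimeFilter() builds a comparable alternation for the range
# it is asked for (e.g. "yesterday"); the day is fixed here so the run is
# reproducible.
my $Day        = "2010/02/18";                       # assumed value
my $SearchDate = quotemeta($Day) . ' \d\d:\d\d:\d\d';

# Stamp pattern: 4-digit year/2-digit month/2-digit day, then HH:MM:SS and
# the trailing space. \d instead of "." so a line that merely has the right
# number of leading characters cannot be mangled.
my $Stamp = qr{^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d };

print "--- buggy form: print \$line =~ s/// ---\n";
for my $line (@lines) {
    my $copy = $line;
    next unless $copy =~ m/^$SearchDate /;
    # s/// returns the number of substitutions, so this prints "1", not the line
    print $copy =~ s/$Stamp//;
    print "\n";
}

print "--- working form: substitute first, then print ---\n";
for my $line (@lines) {
    next unless $line =~ m/^$SearchDate /;
    # copy-and-strip in one statement, leaving @lines untouched
    (my $stripped = $line) =~ s/$Stamp//;
    print $stripped;
}
```

Run with `perl strip-demo.pl`: the first loop prints two lines of "1" for the two in-range entries, the second prints `ossec-monitord: Starting ...` and `ossec-analysisd: Rule 5503 fired`, with the previous-day line and the unstamped line dropped by the date filter. In an applylongdate script the equivalent change is to perform `$ThisLine =~ s/.../.../;` as its own statement and then `print $ThisLine;`. Keep in mind that an apply script is shared by every service that selects it, so stripping the stamp there removes it for all of them; if only the OSSEC filter should see stamp-less lines, do the substitution at the top of that service's filter script instead.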

