HOWTO-Customize-LogWatch
================================================================================

1. Table of Contents
====================

1. Table of Contents
2. Introduction
3. Directory Structure
   A. Configuration Structure
   B. Executable Structure
4. Customizing the Configuration
5. Customizing the Scripts
6. Creating New Service Filters
   A. Logfile Groups
   B. Service Filter Configuration
   C. Service Filter Executable
   D. Shared Script Commands
   E. Environment Information
7. For More Information


This document describes the structure of the Logwatch files in the
distribution, how to modify the configuration files for your
system, and how to create new service filters.

2. Introduction
===============

Logwatch is a system log analyzer and reporter. Usage information
about Logwatch can be obtained through the man page:

   man logwatch

The section titled "MORE INFORMATION" in the man page lists
additional documentation files available with the distribution.

A summary of the command-line switches described in the man page
can be obtained with the '--help' option:

   logwatch --help

The rest of this document is intended for those who wish to
customize or enhance Logwatch beyond the capabilities provided
by the command-line switches.


3. Directory Structure
======================

This section describes the subdirectories and files shipped
with the Logwatch distribution, using the names and locations
used by default.

The directory /usr/share/logwatch contains both the configuration
and (perl) executable files. The contents of this directory are
the following subdirectories:

   default.conf:  Contains the default configuration files
                  shipped with the Logwatch distribution.

   dist.conf:     Contains the configuration files shipped
                  with your specific Operating System
                  distribution.

   lib:           Contains perl library files.

   scripts:       Contains the perl executables.

The /etc/logwatch directory contains the following subdirectories:

   conf:          Contains the configuration files specific
                  to the system.

   scripts:       Contains the executable scripts specific
                  to the system.

A. Configuration Structure
--------------------------

The contents of the three directories /usr/share/logwatch/default.conf,
/usr/share/logwatch/dist.conf, and /etc/logwatch/conf all have the
same structure:

   services:      This subdirectory contains the configuration
                  files specific to each service. Logwatch
                  determines which services are available by
                  examining the contents of this directory.
                  Each service configuration file is named by
                  its service name with the ".conf" suffix.

   logfiles:      This subdirectory contains the logfile group
                  configuration files. Each logfile group
                  configuration file contains information about
                  one or more log files with the same format.
                  Several services may use the same logfile
                  group configuration file. Each of these
                  configuration files is named by the group
                  name with the ".conf" suffix. Many
                  of the group names are taken from the name
                  of a system log file (such as messages,
                  maillog, secure, etc.), but not always.

   logwatch.conf: This file contains the defaults for the
                  overall execution of Logwatch, and affects all
                  of its services. Many of its parameters can
                  be overridden by command-line switches when
                  invoking the Logwatch executable, as described
                  in the man page for Logwatch.

   ignore.conf:   This file specifies regular expressions that,
                  when matched by the output of logwatch, will
                  suppress the matching line, regardless of which
                  service is being executed.

The /etc/logwatch/conf directory may also contain the file 'override.conf',
which is described in section 4, "Customizing the Configuration."


B. Executable Structure
-----------------------

The contents of the two directories /usr/share/logwatch/scripts
and /etc/logwatch/scripts have the same structure:

   services:      This subdirectory contains the executable
                  for each service. Unless otherwise specified
                  in the service configuration file (see above),
                  the executables are written in the perl language.

   shared:        This subdirectory contains executables that may
                  be invoked by more than one service configuration
                  file.

   logfiles:      This subdirectory may contain subdirectories with
                  logfile group names. The executables under each of
                  these subdirectories are automatically invoked when
                  running a service that uses the corresponding
                  logfile group name.


4. Customizing the Configuration
================================

Logwatch can be, and has been, used on many variants of Linux and
UNIX systems. Some distributions that include Logwatch modify the
default configuration to comply with the settings of said
distributions. Therefore, most people will not need to make any
modifications to Logwatch.

However, Logwatch, starting with version 7.0, implements a mechanism
that makes modifying the local configuration easier. These modifications
may be needed either because the configuration of the service that writes
to the system log has been altered from its default, or because the
Logwatch user prefers what is reported, or how it is reported, by
Logwatch to be different.

You can customize the output of logwatch by modifying variables in the
/etc/logwatch/conf directory.

Default values are specified in the /usr/share/logwatch/default.conf
directory. Your distribution may have set additional defaults in the
/usr/share/logwatch/dist.conf directory. All the variables available
are declared in the files under these directories. You can change the
default values to modify how or what is displayed with logwatch.

One variable available to all services, and which by default is not
specified, is the 'Detail' variable (note that it is not preceded by
a '$' symbol). Specifying a Detail value will override the global
Detail level, for that service only.

There are two mechanisms for customizing the variables:

1. The /etc/logwatch/conf directory is first searched for files with the
   same name and relative location as the
   /usr/share/logwatch/default.conf directory. Variables declared in
   these files override the defaults.

   For example, if file /etc/logwatch/conf/services/sendmail.conf has the
   single entry:
      $sendmail_unknownusersthreshold = 5
   then the threshold for unknown users is set to five instead of the
   default of one. All other parameters are not modified.

   The configuration files have four different types of declarations,
   determined by the first character in each line:

      '#': Rest of line is a comment, and is ignored.
      '$': Rest of first field is a variable
      '*': Denotes the name of an executable script

   Other than blank lines, the only other declarations are
   reserved variable names, such as LogFile, Archive, etc.

   In general, setting a variable overrides any value previously set.
   However, the following variables are cumulative:
      - In logwatch.conf: LogFile, Service
      - In services/service_name.conf: LogFile
      - In logfiles/service_name.conf: LogFile, Archive

   To remove all previous declarations of that variable, set the
   variable to the empty string. Duplicate values in the cumulative
   variables are deleted.

   If an executable script is declared in an /etc/logwatch/conf file,
   all of the executable script declarations in the corresponding file
   in /usr/share/logwatch/default.conf or /usr/share/logwatch/dist.conf
   are ignored.

   Because of the way variables and executable scripts are declared,
   the files in /etc/logwatch/conf/ can be created in one of two ways:

   - you can create a file with only the modified variables (and
     new executable script declarations, if needed), as described
     above, or

   - you can copy an entire configuration file from
     /usr/share/logwatch/default.conf to its corresponding location in
     /etc/logwatch/conf, and then modify those lines that require it.
     Because duplicates are removed from cumulative variables, and
     new executable script groups override the old ones, the output
     should be correct.

2. The /etc/logwatch/conf/override.conf file is then searched. The first
   field in each line may be one of the following:

   #
      This character indicates that the rest of the line is a
      comment, and is ignored.

   logwatch:
      This string indicates that the rest of the line is a global
      configuration option, and uses the same syntax as the
      /usr/share/logwatch/default.conf/logwatch.conf file.

   services/service_name:
      (Where service_name is the name of a service.) This string
      indicates that the rest of the line is a configuration
      option for the specified service, and uses the same syntax
      as the /usr/share/logwatch/default.conf/services files.

   logfiles/service_name:
      (Where service_name is the name of a service.) This string
      indicates that the rest of the line is a configuration
      option for the specified service, and uses the same syntax
      as the /usr/share/logwatch/default.conf/logfiles files.


   For example, if the file /etc/logwatch/conf/override.conf has the single
   entry:
      logwatch: Detail = High
   then the default detail level for all services will be set to High.


   And, in file override.conf, the following declaration:
      logfiles/messages: LogFile = syslog

   will analyze the syslog file (in addition to the default messages file)
   for certain services. But the following two declarations combined:

      logfiles/messages: LogFile =
      logfiles/messages: LogFile = syslog

   will cause the messages file to be ignored for those same services,
   and only the syslog file will be used.
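The following is an added example, not part of this document or of the
Logwatch distribution: a small shell simulation of the rules just described
for cumulative variables (append, reset with the empty string, drop
duplicates), so you can check what a given sequence of LogFile declarations
resolves to before editing the real files. The function name resolve_logfiles
and the input lines are constructed for the example; this is an illustration
of the documented rules, not Logwatch's own configuration parser.

```bash
#!/bin/bash
# Added example, not part of the Logwatch distribution: a small simulation of
# how Logwatch resolves a cumulative variable such as LogFile when the same
# declaration appears several times (default.conf, then /etc/logwatch/conf,
# then override.conf), following the rules given in section 4:
#   - every "LogFile = value" appends value to the list,
#   - "LogFile =" (empty string) discards everything collected so far,
#   - duplicate values are removed.
# This illustrates the documented rules; it is not Logwatch's own parser, and
# resolve_logfiles and the input below are constructed for the example.

# resolve_logfiles: read "LogFile = ..." lines from STDIN in the order Logwatch
# would encounter them; print the resulting space-separated list of logfiles.
resolve_logfiles() {
    local list="" line key value
    while IFS= read -r line; do
        case "$line" in '#'*) continue ;; esac          # '#': comment line
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        [ "$key" = "LogFile" ] || continue              # only this variable
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ -z "$value" ]; then
            list=""                                     # empty string: reset
        else
            case " $list " in
                *" $value "*) ;;                        # duplicate: dropped
                *) list="${list:+$list }$value" ;;      # otherwise: append
            esac
        fi
    done
    printf '%s\n' "$list"
}

# Constructed demonstration mirroring the override.conf example above: the
# default "messages" entry, an empty LogFile that forgets it, then "syslog".
printf 'LogFile = messages\nLogFile =\nLogFile = syslog\n' | resolve_logfiles   # prints: syslog
```

Feed the function the declarations in the order Logwatch reads them
(defaults first, your /etc/logwatch/conf file next, override.conf last); the
printed list is what the logfile group would end up opening.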

5. Customizing the Scripts
==========================

Similarly to the way you can customize the configuration, as
specified in section 4, you can override the default executable
scripts.

This is accomplished by placing an executable file with the same
name and relative path (with respect to /usr/share/logwatch/scripts)
under the /etc/logwatch/scripts directory. If such a file is
found in the /etc/logwatch/scripts directory, the corresponding
file under /usr/share/logwatch/scripts will be ignored.


6. Creating New Service Filters
===============================

New services may be created by creating new configuration and
executable files, described above, and placing them in the
/etc/logwatch directory. This section provides additional
details and examples for creating new service filters, but
it might be easier to base the new files on the existing
configuration and script files under the /usr/share/logwatch
directory.


A. Logfile Groups
-----------------

There is only one required line in the logfile group config file. This
command is called 'LogFile'.

   # This will be the logfile named 'messages' in the default logfile
   # directory (probably /var/log).
   LogFile = messages

   # You can also give this command with an absolute path, like this:
   LogFile = /var/log/messages

You can have as many LogFile entries as you wish. All the files specified
will be merged into one input stream for any filters that use this logfile
group. You can also use standard wildcards when you specify the filename.

Another command that is optional is called 'Archive'. You can specify a
file to also include in the data stream if the '--archives' option is used.
If these files do not exist it is okay. For example:

   # These 2 'Archive' entries will allow users of most Red Hat Linux
   # systems to access their archives of the 'messages' logfile:
   Archive = messages.?
   # If they configure Compression to be on in /etc/logrotate.conf:
   Archive = messages.?.gz
   # It is best just to include both of these so that the logfile group
   # will work for most systems.

Now, the general theory is that the LogFile Group should apply the date
range requested. If the logfile is in the standard syslog format, you can
use the shared script 'ApplyStdDate' to filter out only the appropriate log
entries. The way to call shared scripts (located under
/usr/share/logwatch/scripts/shared) is:

   *ApplyStdDate =

Anything following the equal sign will be passed to the program as arguments
(the equal sign can be eliminated if no arguments are needed). You should
look at the current logfile group config files for examples.


Finally, if the directory /usr/share/logwatch/scripts/logfiles/<logfile_group_name>/
exists, any scripts in that directory will be executed. All of these
scripts take the contents of all the specified logfiles in through STDIN and
output the modified logfile through STDOUT.


B. Service Filter Configuration File
------------------------------------

Once you have defined one or more logfile groups (or decided on one or
more existing logfile groups), you need to define your service filter.

This file needs to be in /etc/logwatch/conf/services/ and it needs to be
named service_name.conf, where service_name is the name of the service.
You should probably copy an existing config for another service to create
a new one.

There is only one required line. This is the command 'LogFile'. The
LogFile command allows you to specify one or more *LogFile Groups* (as
described above) that this filter will process. Remember, any filter can
process any number of LogFile Groups, and any LogFile Group may contain the
data from any number of logfiles (and archives).

For a service filter that needs messages from /var/log/messages you would
add this line:

   LogFile = messages

NOTE: This is *not* because the name of the logfile is 'messages', but
because the name of the LogFile Group that has been defined is
'messages'.

You can have commands in the form of:

   *SharedScriptName = Arguments

that will execute a script found in the /usr/share/logwatch/scripts/shared/
directory named 'SharedScriptName' with arguments 'Arguments'.
This filter will modify the input to the service's filter.

You can also have commands in the form:

   $EnvironmentVariable = Value

This command will set the 'EnvironmentVariable' environment variable to the
value 'Value'. This environment variable will be accessible by your filter
program.

You will also usually want to specify a title for your script (new in
Logwatch 4.0). If specified, then a start and stop delimiter will be added
by Logwatch for your specific service (with your script's output between
those delimiters). This will *only* happen if you produce output. If you
produce no output, the headers will not be created. Here is how you define
your title:

   Title = "My Service Title"


C. Service Filter Executable
----------------------------

Once everything above has been done, you are ready to actually write
your filter. This can be done in any language as all it does is:
   1) Read logfile entries from STDIN
   2) Access some environment variables
   3) Generate a report on STDOUT

Before you try to write a filter, you should create the filter and make its
contents the test script given below. The filter needs to be located in
/etc/logwatch/scripts/services/ and named service_name (because you named the
config file service_name.conf).

###################### Cut Here #########################
#!/bin/bash
# This is a nice script that will show you the lines you will
# be processing and reporting on. It will first display the
# standard environment variables and then take STDIN and
# dump it right back out to STDOUT.

# These are the standard environment variables. You can define
# more in your service config file (see above).
echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

# Now take STDIN and dump it to STDOUT
cat
###################### Cut Here #########################

If you temporarily replace a script such as 'pam' with the above, you will
notice that much has been cut out of /var/log/messages before it gets to
this filter.

The value of the environment variable LOGWATCH_DETAIL_LEVEL can be any
integer. In reality, it is usually 0 (for low), 5 (for medium), and 10
(for high).

Your script should only produce output as appropriate. If there are no
relevant log entries, no output should be produced. Likewise, if you are
reporting two things, such as "Good Logins" and "Bad Logins", you should
only produce even the headers when appropriate. For example:

   Bad Logins:
      amber (2 time(s))
      kirk (3 time(s))

   Good Logins:
      amber (5 time(s))
      kirk (10 time(s))

But, if no failed logins occur, you should only output:

   Good Logins:
      amber (5 time(s))
      kirk (10 time(s))

Note that there is no "Bad Logins:" header as there were no bad logins. You
should also use the detail environment variable when deciding what to
output. Bad logins might always be displayed, but good logins might only be
displayed at higher detail levels. Here is a guide on how you should
use the detail setting:

   0 (Low):   Display only errors and security-related issues
   5 (Med):   Display anything that a typical administrator would be interested in
   10 (High): Display anything that a paranoid administrator would want to see

In some cases, you can use a detail setting higher than 10. This would be
reserved for information so trivial that it would not even interest the US
Government.
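As an added example (not a script from the Logwatch distribution), here is a
complete bash service filter that follows the three steps of section C and
the output rules above: it reads log lines from STDIN, honours
LOGWATCH_DETAIL_LEVEL, always reports failed logins, reports successful ones
only at medium detail or above, and prints the "Bad Logins:" and "Good
Logins:" headers only when there is something to put under them. The
OpenSSH-style input lines, the function names login_report and count_users,
and the companion service configuration quoted in the comments are
assumptions made for the example.

```bash
#!/bin/bash
# Added example, not a script from the Logwatch distribution: a complete
# service filter in the shape described in section 6.C. It
#   1) reads log lines from STDIN,
#   2) reads LOGWATCH_DETAIL_LEVEL from the environment, and
#   3) writes a report to STDOUT, printing the "Bad Logins:" and
#      "Good Logins:" headers only when there is something under them.
# Assumptions made for this example: the input lines are OpenSSH-style
# messages that have already been date-filtered and header-stripped by a
# companion service config such as (all names hypothetical)
#     Title = "Example SSH Logins"
#     LogFile = messages
#     *OnlyService = sshd
#     *RemoveHeaders
# in /etc/logwatch/conf/services/, and the function names are ours.

# count_users: read lines from STDIN, extract the user name that follows
# "for [invalid user ]" and print one "   user (N time(s))" line per user.
count_users() {
    sed -E 's/.* for (invalid user )?([^ ]+) from .*/\2/' \
        | sort | uniq -c \
        | awk '{ printf "   %s (%d time(s))\n", $2, $1 }'
}

# login_report [detail]: the filter itself. Detail defaults to
# LOGWATCH_DETAIL_LEVEL (0 when unset). Bad logins are always reported;
# good logins only at medium detail (5) or above, as the guide suggests.
login_report() {
    local detail="${1:-${LOGWATCH_DETAIL_LEVEL:-0}}" input bad good
    input=$(cat)                                  # step 1: read STDIN
    bad=$(printf '%s\n' "$input" | grep -E 'Failed password for' | count_users)
    good=$(printf '%s\n' "$input" | grep -E 'Accepted (password|publickey) for' | count_users)
    if [ -n "$bad" ]; then
        printf 'Bad Logins:\n%s\n' "$bad"
    fi
    if [ "$detail" -ge 5 ] && [ -n "$good" ]; then
        if [ -n "$bad" ]; then printf '\n'; fi   # blank line between sections
        printf 'Good Logins:\n%s\n' "$good"
    fi
}

# Constructed sample input (not real log data); the addresses are from the
# documentation range 192.0.2.0/24.
SAMPLE_LOG='sshd[2201]: Failed password for kirk from 192.0.2.10 port 52111 ssh2
sshd[2202]: Failed password for invalid user amber from 192.0.2.11 port 52112 ssh2
sshd[2203]: Accepted publickey for amber from 192.0.2.12 port 52113 ssh2
sshd[2204]: Failed password for kirk from 192.0.2.10 port 52114 ssh2
sshd[2205]: Accepted password for kirk from 192.0.2.13 port 52115 ssh2'

# Demonstration run at high detail. When installed as
# /etc/logwatch/scripts/services/<service_name>, replace these lines with a
# bare "login_report" so that Logwatch's STDIN and environment are used.
printf '%s\n' "$SAMPLE_LOG" | login_report 10
```

With the sample above, detail 0 prints only the "Bad Logins:" section, detail
5 or higher adds "Good Logins:", and input containing only successful logins
at detail 0 produces no output at all, which is what keeps Logwatch from
emitting the service's start and stop delimiters for an empty report.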

D. Shared Script Commands
-------------------------

The way to call commands is:

   *SharedScriptCommand [= Arguments]

Logwatch will search for the command in /usr/share/logwatch/scripts/shared/ and
/etc/logwatch/scripts/shared/. The command name is case insensitive and can be
used in logfile and service group configuration files. Everything after the
equal sign will be passed as arguments to the command.
The following shared scripts are shipped with logwatch (they don't accept any
arguments unless otherwise mentioned):

   - ApplyBindDate
     Filter messages with a time format of '%d-%b-%Y %H:%M:%S'
   - ApplyEuroDate
     Filter messages with a time format of '%Y-%m-%d %H:%M:%S'
   - ApplyHttpDate
     Filter messages with a time format of '%d/%b/%Y:%H:%M:%S'
   - ApplyStdDate
     Without argument, filter messages with a time format of
     '%b %e %H:%M:%S' or '%Y-%m-%dT%H:%M:%S\.[0-9]+[+-][0-9]{2}:[0-9]{2}',
     which is the ISO 8601 log format.
     It accepts one argument which is the filter string, e.g.:
        *applystddate = "%m-%d-%Y %H:%M:%S"
   - ApplyTaiDate
     Filter messages which start with a hex string which represents
     the seconds since 01.01.1970.
   - ApplyUSDate
     Filter messages with a time format of '%m/%d/%y:%H:%M:%S'
   - ApplyVsftpdDate
     Filter messages with a time format of '... %b %e %H:%M:%S 20%y'
   - EventLogOnlyService
     Filter messages which match: '... .. ..:..:.. .* MSWinEventLog\t\d+\t$ServiceName\t'
     It accepts one argument which is the $ServiceName
   - EventLogRemoveService
     Will remove the unwanted service from a logfile in a WinEventLog
     format. Drops messages which match the pattern in
     EventLogOnlyService. Accepts one argument which is $ServiceName
   - ExpandRepeats
     This used to expand "Last message repeated n Times" messages
     in standard syslog files. But it now ignores these lines, as
     otherwise the temporary logfiles would be too huge.
   - HostHash
     Print all hostnames which occurred in a logfile. This matches only
     the default syslog format: '^... .. ..:..:.. ([\w\-\_]+)'
   - HostList
     Write a list of all hostnames which occurred in a logfile to
     $LOGWATCH_TEMP_DIR/hostfile. This matches only the default
     syslog format: '^... .. ..:..:.. (\S*)'
   - MultiService
     This will pick out only the wanted service from a logfile in
     the standard syslog message format. Case insensitive.
     Accepts a comma separated list of service names as argument.
   - OnlyContains
     Just does a case insensitive egrep. Arguments are passed
     directly to egrep.
   - OnlyHost
     This will pick out only lines from $hostname from a logfile in the
     standard syslog format. Case insensitive.
     Set logwatch option LOGWATCH_ONLY_HOSTNAME or pass a comma
     separated list of hostnames as argument to make this work.
   - OnlyService
     This will pick out only the wanted service from a logfile in the
     standard syslog format. Case insensitive. First argument is the
     service name.
   - Remove
     Just a case insensitive, inverse egrep
   - RemoveHeaders
     Remove the beginning of each line of a standard syslog-style,
     Solaris ID tag style or date-prefix-style logfile.
     The pattern to remove is configurable and can be passed
     as the first argument, e.g.:
        *RemoveHeaders = "\d{4}-\d\d-\d\d \d\d:\d\d:\d\d "
   - RemoveService
     Remove the unwanted service from a logfile in the standard
     syslog-style message format. Case insensitive.
     It accepts one argument which is a comma separated list of
     service names, e.g.:
        *RemoveService = "myservice,myotherservice"
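The following added example is not one of the shared scripts shipped with
Logwatch. It illustrates the STDIN-to-STDOUT shape shared by the scripts
under scripts/shared and scripts/logfiles/<logfile_group_name>/ (sections A
and D above) by doing what the description of OnlyService says: it keeps
only standard-syslog lines whose service field matches one of the
comma-separated service names passed as the argument, comparing case
insensitively. The function name only_service, the assumed syslog layout and
the sample lines are constructed for the example.

```bash
#!/bin/bash
# Added example, not one of the shared scripts shipped with Logwatch: a filter
# with the STDIN-to-STDOUT shape shared by the scripts under
# /usr/share/logwatch/scripts/shared and scripts/logfiles/<group>/
# (sections 6.A and 6.D). It does what the description of OnlyService says:
# keep only standard-syslog lines whose service field matches one of the
# comma-separated service names given as the argument, comparing
# case-insensitively. The syslog layout assumed here is
#     "Mon DD HH:MM:SS host service[pid]: message"
# and the name only_service is ours; installed under scripts/shared it would
# be called from a config file as:   *only_service = sshd,su

# only_service NAMES: NAMES is a comma-separated list, e.g. "sshd,su".
only_service() {
    awk -v wanted="$1" '
        BEGIN {
            n = split(tolower(wanted), names, ",")
            for (i = 1; i <= n; i++) keep[names[i]] = 1
        }
        {
            svc = $5                   # "service[pid]:" or "service:"
            sub(/\[.*$/, "", svc)      # drop "[pid]:" when present
            sub(/:$/, "", svc)         # drop a bare trailing colon
            if (tolower(svc) in keep) print
        }'
}

# Constructed sample lines (not real log data). Note the mixed-case "SSHD"
# and the pid-less "su:" entry, both of which must still match.
SAMPLE_SYSLOG='Mar  3 10:15:01 host1 sshd[2201]: Failed password for kirk from 192.0.2.10 port 52111 ssh2
Mar  3 10:15:02 host1 CRON[2202]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:15:03 host1 su: (to root) amber on pts/0
Mar  3 10:15:04 host1 SSHD[2203]: Accepted publickey for amber from 192.0.2.12 port 52113 ssh2'

# Demonstration: keeps the two sshd lines and the su line, drops CRON.
# As a deployed shared script the last line would be only_service "$@" so
# that the arguments and STDIN come from Logwatch.
printf '%s\n' "$SAMPLE_SYSLOG" | only_service sshd,su
```

Because the match is on the whole service field rather than a substring,
"ssh" does not select "sshd" lines; that is the property that keeps a
service's report from picking up another daemon's messages.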

E. Environment Information
--------------------------

The following information can be accessed from environment variables inside
service scripts, e.g.
   print "service logfile list: $ENV{'LOGWATCH_LOGFILE_LIST'}"

   - LOGWATCH_LOGFILE_LIST
     space separated list of logfiles which are configured for that
     service.

   - LOGWATCH_ARCHIVE_LIST
     space separated list of archive files which are configured for
     that service.

   - TODO list other env variables.

7. For More Information
=======================

The introduction of this document listed additional sources of information.
In addition, the website http://www.logwatch.org contains:
   - the current (and some archived) distributions of Logwatch
   - access to mailing lists where comments, suggestions, bug reports,
     etc., are welcome.
   - access to the svn repository, for the very latest code.

If you do create new services or enhancements that you feel would be useful
to other people, please send them to the mailing list 'logwatch-devel at
lists.sourceforge.net'.

If you send patches, please make sure that you have the latest version
of the file from svn, and send the patch file in unified format
(using 'svn diff' or 'diff -u') as an attachment.

Enhancement suggestions are more likely to be implemented if patch files
implementing the change are sent.