Decreasing Logwatch Output


In the recent past, logwatch has been producing far too much output about activity on tempest; the report the cs-sysadmin email receives is actually truncated. The main culprit is HTTP, which lists every link that gets a 401, 403 or 404 response. On puma, we turned off http messages completely, but this time we wanted to find a more refined way to filter the messages.

I found the documentation for logwatch in /usr/share/doc. The default configuration files are found in the directory /usr/share/logwatch/default.conf/services for services such as http, sshd, pam_unix, etc. The default scripts are in /usr/share/logwatch/scripts/services. These scripts are all written in Perl.

To override the default configuration, the documentation recommends two ways. You can put the overriding variables in a file called logwatch.conf in the /etc/logwatch/conf directory. Or you can copy the default file from /usr/share/logwatch to the corresponding directory under /etc/logwatch and modify the copy in /etc/logwatch.

Setting variables in the /etc/logwatch/conf directory is how we turned off the http output in logwatch.conf on puma, since the output was getting voluminous. However, the configuration files did not give us fine enough control over the output, so I had to modify the scripts themselves.

To modify scripts, I copied the appropriate default script from /usr/share/logwatch/scripts/services over to /etc/logwatch/scripts/services, where I fiddled around with the output. For example, for the http script, I changed it so that it prints the total number of 404 errors tempest collects for the day instead of every single URL.
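As an added example (this is not the stock logwatch http script and not the edit made on tempest), here is a minimal logwatch-style service filter in Perl that reads access-log lines from STDIN and reports only totals for 401/403/404, listing individual URLs only at high detail. It assumes the web server writes combined log format and relies on logwatch exporting its detail level as the LOGWATCH_DETAIL_LEVEL environment variable; the sample lines in __DATA__ are constructed so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not the stock logwatch http script: summarize 401/403/404
# responses as counts instead of printing every URL.
use strict;
use warnings;

# logwatch exports the configured detail level (Low=0, Med=5, High=10).
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my %count_by_status;   # status code -> number of hits
my %urls_by_status;    # status code -> { url -> hits }

# Combined log format: host ident user [time] "METHOD URL PROTO" status bytes ...
my $re = qr/^\S+ \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3}) /;

# Under logwatch the lines arrive on STDIN; when run from a terminal with no
# pipe, fall back to the constructed sample lines below.
my $in = -t STDIN ? \*DATA : \*STDIN;

while (my $line = <$in>) {
    next unless $line =~ $re;
    my ($url, $status) = ($1, $2);
    next unless $status =~ /^(?:401|403|404)$/;
    $count_by_status{$status}++;
    $urls_by_status{$status}{$url}++;
}

for my $status (sort keys %count_by_status) {
    printf "%d requests got a %s response\n", $count_by_status{$status}, $status;
    # Per-URL breakdown only when the admin asks for high detail
    next if $Detail < 10;
    my $urls = $urls_by_status{$status};
    for my $url (sort { $urls->{$b} <=> $urls->{$a} } keys %$urls) {
        printf "   %s: %d time(s)\n", $url, $urls->{$url};
    }
}

__DATA__
192.0.2.10 - - [10/Oct/2014:13:55:36 -0700] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2014:13:56:01 -0700] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2014:13:57:12 -0700] "GET /private/ HTTP/1.1" 403 199 "-" "curl/7.29"
192.0.2.13 - - [10/Oct/2014:13:58:44 -0700] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2014:13:59:03 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
```

Run it with `LOGWATCH_DETAIL_LEVEL=10 perl http-summary.pl` to see the per-URL breakdown; at the default level it prints only the three totals.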

Once you’ve made the change, you can just run logwatch and have it print to your terminal with the following command:

logwatch --print [--service=<servicename>]

In general, to configure logwatch to your liking, copy the original file from /usr/share/logwatch to its corresponding place in /etc/logwatch, and make your edits to the /etc/logwatch file. The output will be much more readable.

Sources: http://serverfault.com/questions/293226/linux-logwatch8-is-too-noisy-how-can-i-control-the-noise-level/293233#293233

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps
