Logwatch is gradually getting sexier as I throw more ideas and time into it. This recent batch of updates added, primarily, the following:
Users can define their own patterns in logwatch.conf:

    patterns {
        clientandip = "\[client %IP%\]";
        hostname = "([\w\d-]+\.)*([\w-]+)";
    };

This defines your own patterns in addition to the default ones. The new patterns are used the same way the default patterns are, as %clientandip% and %hostname%. A sample use would be:
    file "/var/log/auth.log" {
        type "failed hostname lookup" {
            match = "reverse mapping checking getaddrinfo for %hostname% failed";
            threshold = 2;
            interval = 60;
            reaction = "echo 'Someone (%hostname%) is trying to ssh with broken dns... maybe they are being naughty?'";
        };
    };

Patterns can be pretty much any regular expression Perl will support. Also, as you can see with the clientandip pattern, you can embed existing patterns in new patterns, including your own. Recursion is limited to 10 levels by default; this may change in the future.
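To make the two mechanisms above concrete (pattern definition with %name% embedding, and a match/threshold/interval/reaction rule), here is an added example in Python that is not logwatch's own code. It expands %name% references recursively with the same 10-level limit the post describes, turns the first top-level use of a name into a named capture group so the reaction string can echo what it matched, and then runs the "failed hostname lookup" rule over a few constructed auth.log lines. The %IP% regex, the helper names and the sample log lines are assumptions; only the two user patterns, the rule and the limit come from the post. Python's re is close to Perl's for these patterns but is not identical.

```python
import re
from collections import defaultdict, deque

MAX_DEPTH = 10  # recursion limit from the post

# Assumed built-in pattern: the post only names %IP%, the regex is a guess.
DEFAULT_PATTERNS = {
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
}

# The two user patterns from the post, plus a self-referential one to exercise the limit.
USER_PATTERNS = {
    "clientandip": r"\[client %IP%\]",
    "hostname": r"([\w\d-]+\.)*([\w-]+)",
    "loop": r"x%loop%",
}
ALL_PATTERNS = {**DEFAULT_PATTERNS, **USER_PATTERNS}

REF = re.compile(r"%([A-Za-z_]\w*)%")  # a %name% reference


def expand(text, patterns, depth=0, used=None):
    """Expand every %name% in `text`, recursively, at most MAX_DEPTH levels deep.

    The first top-level use of a name becomes a named capture group so a
    reaction string can refer back to it; nested or repeated uses are non-capturing.
    """
    if depth > MAX_DEPTH:
        raise RecursionError("pattern nesting deeper than %d levels" % MAX_DEPTH)
    used = set() if used is None else used

    def sub(m):
        name = m.group(1)
        if name not in patterns:
            raise KeyError("unknown pattern %%%s%%" % name)
        body = expand(patterns[name], patterns, depth + 1, used)
        if depth == 0 and name not in used:
            used.add(name)
            return "(?P<%s>%s)" % (name, body)
        return "(?:%s)" % body

    return REF.sub(sub, text)


def nesting_ok(text, patterns):
    """Config check: does this match string expand within the recursion limit?"""
    try:
        expand(text, patterns)
        return True
    except RecursionError:
        return False


def compile_rule(rule, patterns):
    """Turn a rule's match string into a compiled regex."""
    return re.compile(expand(rule["match"], patterns))


def render(template, match):
    """Fill %name% placeholders in a reaction string from the match's named groups."""
    groups = match.groupdict()
    return REF.sub(lambda r: groups.get(r.group(1)) or r.group(0), template)


def scan(events, rule, patterns):
    """events: iterable of (seconds, line). Returns the reactions that would fire.

    A reaction fires when `threshold` matching lines with the same captured
    values arrive within `interval` seconds; the window is then reset.
    """
    regex = compile_rule(rule, patterns)
    window = defaultdict(deque)
    fired = []
    for ts, line in events:
        m = regex.search(line)
        if not m:
            continue
        key = tuple(sorted(m.groupdict().items()))
        q = window[key]
        q.append(ts)
        while q and ts - q[0] > rule["interval"]:
            q.popleft()  # drop hits outside the interval
        if len(q) >= rule["threshold"]:
            fired.append(render(rule["reaction"], m))
            q.clear()
    return fired


# The rule from the post, as a dict.
RULE = {
    "match": "reverse mapping checking getaddrinfo for %hostname% failed",
    "threshold": 2,
    "interval": 60,
    "reaction": "echo 'Someone (%hostname%) is trying to ssh with broken dns... maybe they are being naughty?'",
}

# Constructed sample auth.log lines as (seconds offset, text); not real log data.
SAMPLE = [
    (0,   "sshd[201]: reverse mapping checking getaddrinfo for bad.example.net failed - POSSIBLE BREAK-IN ATTEMPT!"),
    (20,  "sshd[202]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"),
    (45,  "sshd[203]: reverse mapping checking getaddrinfo for bad.example.net failed - POSSIBLE BREAK-IN ATTEMPT!"),
    (50,  "sshd[204]: reverse mapping checking getaddrinfo for other.example.org failed - POSSIBLE BREAK-IN ATTEMPT!"),
    (500, "sshd[205]: reverse mapping checking getaddrinfo for other.example.org failed - POSSIBLE BREAK-IN ATTEMPT!"),
]

if __name__ == "__main__":
    for reaction in scan(SAMPLE, RULE, ALL_PATTERNS):
        print(reaction)
```

Only bad.example.net trips the rule: its two failures are 45 seconds apart, while other.example.org's two are 450 seconds apart and the first has aged out of the window by the time the second arrives. The `nesting_ok` check is the kind of thing worth running over a config at load time, since a pattern that references itself (like `loop` above) only surfaces as an error once the recursion limit is hit.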