LinuxQuestions.org

abefroman 09-08-2009 09:28 PM

How can I get logwatch to ignore unmatched entries?

Example:
Code:

--------------------- Connections (secure-log) Begin ------------------------
 **Unmatched Entries**
 Cp-Wrap[10673]: Pushing "733 CHECKDOMAINIPFORSSL ko*****.com " to '/usr/local/cpanel/bin/ssladmin' for UID: 733
 Cp-Wrap[10673]: CP-Wrapper terminated without error
 Cp-Wrap[10748]: Pushing "733 LISTDBSWITHSPACE " to '/usr/local/cpanel/bin/mysqladmin' for UID: 733
 Cp-Wrap[10748]: CP-Wrapper terminated without error

I have about 5,000 of those lines that start with: Cp-Wrap.

I tried negating that service in the config file and got the error:
Code:

# /usr/share/logwatch/scripts/logwatch.pl
Nonexistent service to disable: cp-wrap

Any ideas?

TIA

unSpawn 09-09-2009 04:32 AM

Only by looking at threads like this you will realise that by making Logwatch actually display logged errors you can take action. In short: keeping errors from being displayed defeats the purpose of logging and using Logwatch.

What you should do is create a service configuration. Using the "up2date" service (since it's a small config) as an example, you see it consists of:
- a service declaration in /usr/share/logwatch/default.conf/logfiles/up2date.conf,
- a logfile declaration in /usr/share/logwatch/default.conf/services/up2date.conf,
- log preprocessing scripts in /usr/share/logwatch/scripts/logfiles/ and
- the actual service processing script /usr/share/logwatch/scripts/services/up2date.

In the scripts/services/up2date script, at around line 27 it starts the "ignore" section in which you can add all lines that are of the informational level or purpose:
Code:

    22  while (defined($ThisLine = <STDIN>)) {
    23    if ( $Debug >= 5 ) {
    24        print STDERR "DEBUG($DebugCounter): $ThisLine";
    25        $DebugCounter++;
    26    }
    27    if ( ( $ThisLine =~ /^updating login info$/ ) or

and further down, at around 60, actions that should be tallied, and at around 78 lines that fit no classification that you should be informed about anyway. The point is that by creating a "cpanel service" configuration you can give back to Logwatch by extending and improving it. If you want help creating the service config attach a file with a sufficient amount of usable log lines.

Your other option is adding regexes to /etc/logwatch/conf/ignore.conf, one item per line (gets matched through "$logline =~ m/$ignore/;"), like:
Code:

Cp-Wrap

which would greedy-match all lines including that text, or more specifically:
Code:

Pushing "733
terminated without error

* I'm not sure the "733 needs to be escaped as \"733. Run it to find out and post back if it works or not.
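
A dry-run of the two ignore.conf approaches from the reply above, added here as an example and not part of either post. It uses `grep -E` as a stand-in for Logwatch's Perl match (an assumption that holds for these literal patterns); the sample lines are constructed, the last one is invented to represent a failure, and the function names are hypothetical.

```shell
#!/bin/sh
# Dry-run of ignore.conf-style entries against sample report lines.
# grep -E stands in for Logwatch's Perl match (assumption: these literal
# patterns mean the same in both regex dialects; '"' is not a metacharacter).

# Constructed sample, modelled on the lines quoted in the thread; the last
# line ("terminated with error") is invented to represent a failure.
sample_lines() {
cat <<'EOF'
Cp-Wrap[10673]: Pushing "733 CHECKDOMAINIPFORSSL example.com " to '/usr/local/cpanel/bin/ssladmin' for UID: 733
Cp-Wrap[10673]: CP-Wrapper terminated without error
Cp-Wrap[10748]: Pushing "733 LISTDBSWITHSPACE " to '/usr/local/cpanel/bin/mysqladmin' for UID: 733
Cp-Wrap[10748]: CP-Wrapper terminated without error
Cp-Wrap[10801]: CP-Wrapper terminated with error
EOF
}

# hidden_by REGEX: how many sample lines a single ignore entry would hide.
hidden_by() {
    sample_lines | grep -c -E -e "$1" || true
}

# remaining REGEX...: lines still reported when all given entries are active.
remaining() {
    pats=$(mktemp)
    printf '%s\n' "$@" > "$pats"
    sample_lines | grep -v -E -f "$pats" || true
    rm -f "$pats"
}

# report_entries REGEX...: per-entry hit counts, then what is left visible.
report_entries() {
    for re in "$@"; do
        printf '%3s line(s) hidden by: %s\n' "$(hidden_by "$re")" "$re"
    done
    echo "still reported:"
    remaining "$@" | sed 's/^/    /'
}

echo "== broad entry =="
report_entries 'Cp-Wrap'
echo "== specific entries =="
report_entries 'Pushing "733' 'terminated without error'
```

The broad entry hides every line, including the failure; the two specific entries leave it in the report.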

