[SOLVED] Centos 6 logwatch not reporting httpd

herkalurk · 11-16-2019, 03:53 PM

I'm not seeing HTTPD reports in my logwatch from my server. I've been googling around trying to find something, but I can't seem to pin down why it's not showing up.

My logs are in the default location and are readable by all users, so it shouldn't be a permissions issue

Code:

/var/log/httpd

I've tried to run a specific logwatch on the dir to see if it's just not picking it up and nothing happens

Code:

logwatch --detail High --mailto admin@domain.com --service http --range today --logdir /var/log/httpd

Even just calling a generic logwatch on the logdir does nothing and delivers an every day logwatch report

Code:

logwatch --detail High --mailto admin@domain.com  --range today --logdir /var/log/httpd

I've tried others forum posts and so far they haven't helped.

https://www.linuxquestions.org/quest...he-4175601261/

If anyone has some helpful ideas that would be great.

scasey · 11-16-2019, 04:00 PM

What's in /usr/share/logwatch/default.conf/logwatch.conf ?
Specifically, what is the directive Service set to?

What's in /usr/share/logwatch/scripts/services/* ?

herkalurk · 11-16-2019, 11:02 PM

Quote:

Originally Posted by scasey

What's in /usr/share/logwatch/default.conf/logwatch.conf ?
Specifically, what is the directive Service set to?

What's in /usr/share/logwatch/scripts/services/* ?

The services directive is set to all, as is default. The http script is in the logwatch scripts directory

Code:

[root@vps2 ~]# ls /usr/share/logwatch/scripts/services/
afpd       cisco          dhcpd           evtsystem         http        kernel       oidentd   pluto             qmail         rt314                shaperd    sudo      xntpd
amavis     clam-update    dnssec          exim              identd      mailscanner  openvpn   pop3              qmail-pop3d   samba                slon       syslogd   yum
arpwatch   clamav         dovecot         eximstats         imapd       modprobe     pam       portsentry        qmail-pop3ds  saslauthd            smartd     tac_acc   zz-disk_space
audit      clamav-milter  dpkg            extreme-networks  in.qpopper  mountd       pam_pwdb  postfix           qmail-send    scsi                 sonicwall  up2date   zz-fortune
automount  courier        emerge          fail2ban          init        named        pam_unix  pound             qmail-smtpd   secure               sshd       vpopmail  zz-network
autorpm    cron           evtapplication  ftpd-messages     ipop3d      netopia      php       proftpd-messages  raid          sendmail             sshd2      vsftpd    zz-runtime
bfd        denyhosts      evtsecurity     ftpd-xferlog      iptables    netscreen    pix       pureftpd          resolver      sendmail-largeboxes  stunnel    windows   zz-sys

PECONET009 · 11-17-2019, 06:07 AM

Quote:

Centos 6 logwatch not reporting httpd.

How To Install and Use Logwatch Log Analyzer and Reporter on a VPS
More info here:
https://www.digitalocean.com/communi...orter-on-a-vps

herkalurk · 11-17-2019, 12:28 PM

Quote:

Originally Posted by PECONET009

How To Install and Use Logwatch Log Analyzer and Reporter on a VPS
More info here:
https://www.digitalocean.com/communi...orter-on-a-vps

I've done all of those things. By default logwatch includes all services which means httpd. The logwatch on my centos 7 server has no issues with the httpd summary but centos 6 version does for some reason. I have no special configuration on any of them. Something isn't working on centos 6.

scasey · 11-17-2019, 03:01 PM

Sorry for the "is it plugged in" questions, but
1) Is httpd running?
2) Has there been any activity today (for the period for which logwatch is being run)

Here's what the start of that section looks like on my server:

Code:

--------------------- httpd Begin ------------------------ 

 1643.04 MB transferred in 13696 responses  (1xx 0, 2xx 7299, 3xx 1539, 4xx 4858, 5xx 0) 
     4645 Images (86.24 MB),
      291 Documents (651.31 MB),
       40 Windows executable files (770.37 MB),
     8127 Content pages (72.04 MB),
       35 Redirects (0.01 MB),
      558 Other (63.07 MB)

followed by requests sorted by Error code (4xx and 5xx). 2xx and 3xx requests are not reported in detail.

I assume that if there's no activity, there won't be a section in the report. I don't know that for sure, My server always has activity.

herkalurk · 11-17-2019, 04:37 PM

Quote:

Originally Posted by scasey

Sorry for the "is it plugged in" questions, but
1) Is httpd running?
2) Has there been any activity today (for the period for which logwatch is being run)

1: Yes
2: Yes, the website on that virtual server has over 10,000 users, the log file for one of the SSL sites is 48 MB so for today, and the rotate log of last week is 611 MB

I get daily logwatch reports via email, it goes from cron straight to pam, nothing in between unless the rare kernel issue crops up. I'm wanting to get the report to see the logwatch interpretation of what's happening. I stopped ingesting those logs into splunk because I was hitting the 500 MB per day free license limit.

This is the problem; it should be picking them up, the logs are in a sub directory of /var/log which is the default defined logdir. I can specifically request a logwatch run of that logdir and nothing from httpd shows up. I tried the basic google troubleshooting, and this is where I'm at.

scasey · 11-17-2019, 04:59 PM

OK. I'm down to grasping at straws. What is the actual subdirectory containing the http logs? From my (default) setup:

Code:

# more /usr/share/logwatch/default.conf/logfiles/http.conf
########################################################
#   Define log file group for httpd
########################################################

# What actual file?  Defaults to LogPath if not absolute path....
LogFile = httpd/*access_log
LogFile = apache/*access.log.1
LogFile = apache/*access.log
LogFile = apache2/*access.log.1
LogFile = apache2/*access.log
LogFile = apache2/*access_log
LogFile = apache-ssl/*access.log.1
LogFile = apache-ssl/*access.log

LogPath is, I presume, /var/log ^^This is where and what logwatch is looking for *access_log files.
Are your log files named *access_log?

Oh. You said /var/log/httpd in your OP. Sorry. Try that command with

Code:

--logdir /var/log/

since logwatch is prepending that to its LogFile (I'm guessing).
So the command you're using would be looking for log files in /var/log/httpd/httpd/*access_log, etc.

herkalurk · 11-17-2019, 05:24 PM

The file name was the issue, cause my logfiles didn't have the *access_log as is listed in the configuration. I modified my httpd configurations to include the file name as listed and ran a specific logwatch run of just the http service

Code:

logwatch --detail High --mailto admin@domain.com --service http --range today --logdir /var/log/httpd

 --------------------- httpd Begin ------------------------ 

 60.71 MB transferred in 1018 responses  (1xx 0, 2xx 786, 3xx 17, 4xx 215, 5xx 0) 
      32 Images (0.08 MB),
      10 Content pages (0.14 MB),
      17 Redirects (0.00 MB),
     959 Other (60.49 MB)

scasey · 11-17-2019, 05:34 PM

Quote:

Originally Posted by herkalurk

The file name was the issue, cause my logfiles didn't have the *access_log as is listed in the configuration. I modified my httpd configurations to include the file name as listed and ran a specific logwatch run of just the http service

Code:

logwatch --detail High --mailto admin@domain.com --service http --range today --logdir /var/log/httpd

 --------------------- httpd Begin ------------------------ 

 60.71 MB transferred in 1018 responses  (1xx 0, 2xx 786, 3xx 17, 4xx 215, 5xx 0) 
      32 Images (0.08 MB),
      10 Content pages (0.14 MB),
      17 Redirects (0.00 MB),
     959 Other (60.49 MB)

There ya go!
Not using “default” settings/values can present some interesting challenges.

Hopefully our dialog will help someone in the future.

Not at my desktop at the moment, but want to point out that modifying the /user/share has the risk of your changes getting overwritten by an update. There is a dir under /etc/ where those changes would be preserved. See the FILES section of man logwatch

PS You can mark the thread SOLVED using the Thread Tools at the top of the page, if you wish.

herkalurk · 11-17-2019, 06:15 PM

Quote:

Originally Posted by scasey

Not at my desktop at the moment, but want to point out that modifying the /user/share has the risk of your changes getting overwritten by an update. There is a dir under /etc/ where those changes would be preserved.

When I say I modified my httpd configuration I'm talking about the individual site configurations in /etc/httpd/conf.d

It's always a terrible idea to modify default package configuration files, you should always edit the local configurations.

scasey · 11-17-2019, 06:22 PM

Quote:

Originally Posted by herkalurk

When I say I modified my httpd configuration I'm talking about the individual site configurations in /etc/httpd/conf.d

It's always a terrible idea to modify default package configuration files, you should always edit the local configurations.

Oh! I thought you tweaked the settings for logwatch to match your httpd settings...
Yes, going back to default/typical in your httpd settings works too. (And is the wiser choice IMO)

herkalurk · 11-17-2019, 06:33 PM

It's more about having the log name accepted by logwatch, but I still wanted separation the log files if I want to look for something specific.

Code:

<VirtualHost *:443>
        ServerName newz.domain.com
        ServerAdmin newz@domain.com
        DocumentRoot /home/user/nnplus/www
        SSLEngine On
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
        SSLCertificateFile /etc/letsencrypt/live/newz.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/newz.domain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/newz.domain.com/fullchain.pem
        <Directory /home/user/nnplus/www>
                Options FollowSymLinks
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog logs/ssl.newz.domain.com-error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        CustomLog logs/ssl.newz.domain.com.access_log combined
</VirtualHost>

scasey · 11-18-2019, 02:02 PM

Agreed. Every domain should have its own log files. Note that logwatch won't make a distinction, however. It will group the details from all logs in /var/log/httpd together.