Logwatch now showing
Hi,
I notice suddenly my logwatch is not showing me anything with regard to httpd, whereas there are so many activities going on, and it is also not showing the ssh login log either. Is anything wrong, because I am using the same command throughout and earlier I used to have things? Here is my command, just say for the last 10 days:
logwatch --detail High --service All --range -10 --archives --numeric > ~/logwatch.test
|
I explained before to you how you can use logwatch in --debug mode and grep for things to find out what gets processed.
|
Dear Unspawn,
OK, the debug is helpful and I notice it looks into my httpd and ssh logs. So for the benefit of the rest, my earlier mistake was not putting "days"; it should be logwatch --detail High --service All --range '-10 days' --archives --numeric > ~/logwatch.test. I made some more discoveries and it puzzles me: it shows that it is picking up ssh during debug, but when I generate the log there are no ssh entries shown. I can see in my debug mode that "All Services:" is showing me [74] = sshd and [75] = sshd2. Another interesting thing: here below are my last 30 days of logs for httpd Quote:
Quote:
Can you see the difference? Why isn't it that the last 30 days have full coverage and cover what is shown in the last 21 days? |
Quote:
Quote:
BTW please review your Apache configuration because if you're still running mod_proxy I'm gonna smack you. |
Dear Unspawn,
I have emailed you my file (logwatch240813_debug) with the debug capability because it's not allowed to be uploaded here due to file size. Back to report coverage. OK, with regard to the report, if say I need the last 30 days, I guess I must put the "between", which I got after doing some reading: if I just put -21 days it will be just the 21st day, and -30 days will be just the 30th day. Can you see why my sshd or fail2ban is not being reported in the logwatch either? I have also attached the httpd.conf file, where I have double-checked that all those with proxy are commented out. Any chance of another loophole? |
Quote:
|
Dear Unspawn,
Sorry for the mistake; it shall not happen again. |
OK. I'll get on it when I find the time.
|
Dear Unspawn,
Many apologies for my mistake, and I am extremely sorry for that; I hope it is forgiven. Sorry. |
Start by defining (in /etc/logwatch/conf/logwatch.conf) only the services you actually run?
And it seems you correctly disabled all mod_proxy* DSO's. |
Dear Unspawn,
I don't get what you are saying here by "defining". But I know my mistake, because when I run with the range as 'between -30 days and today' it is showing correctly. So I guess nothing is wrong with logwatch; all is OK. But how about proxy: what else can I do to stop further proxy attacks? |
Quote:
Quote:
|
Dear Unspawn,
What is the best command to verify the services we are running against what is captured by logwatch? I will go through my http error log and get back to you if anything on proxy. |
Quote:
Doing it this way probably is NOT SAFE OR ALL-ENCOMPASSING:
Code:
find /usr/share/logwatch/scripts/services -type f -printf "%f\n" | xargs -I X whereis X
|
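Added example (not part of the original thread or of logwatch itself): the name-matching check from the post above as a POSIX shell function that also lists the service scripts with no same-named executable. The directory arguments and the fixture in `demo` are constructed for illustration; a "-" only means no name match, not that the service is absent (logwatch's `http` script versus the `httpd` binary is the usual case).

```shell
#!/bin/sh
# logwatch_service_map SCRIPT_DIR BIN_DIR...
# Prints "name<TAB>path" for every service script that has an executable of
# the same name in one of the BIN_DIRs, and "name<TAB>-" where none is found.
logwatch_service_map() {
    script_dir=$1
    shift
    [ -d "$script_dir" ] || { echo "no such directory: $script_dir" >&2; return 1; }
    for script in "$script_dir"/*; do
        [ -f "$script" ] || continue          # skips the literal glob when the dir is empty
        name=${script##*/}
        found=-
        for bin_dir in "$@"; do
            if [ -x "$bin_dir/$name" ] && [ ! -d "$bin_dir/$name" ]; then
                found=$bin_dir/$name
                break
            fi
        done
        printf '%s\t%s\n' "$name" "$found"
    done
}

# Only the service names that resolved to an executable.
logwatch_services_present() {
    logwatch_service_map "$@" | awk -F '\t' '$2 != "-" { print $1 }'
}

# Constructed fixture (assumption, not real system state): three fake service
# scripts and a single fake binary, so the function can be tried offline.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/services" "$tmp/sbin"
    touch "$tmp/services/sshd" "$tmp/services/http" "$tmp/services/zz-network"
    printf '#!/bin/sh\n' > "$tmp/sbin/sshd"
    chmod +x "$tmp/sbin/sshd"
    logwatch_service_map "$tmp/services" "$tmp/sbin"
    rm -rf "$tmp"
}

demo
```

On a real host the call would be `logwatch_service_map /usr/share/logwatch/scripts/services /usr/sbin /usr/bin /sbin /bin`; lines ending in "-" are the ones to check by hand.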
Dear Unspawn,
Further to your advice I went through all the http error and access logs, which have been zipped. Below is what I find in the error log. Quote:
Quote:
Quote:
|