Old 09-11-2006, 01:00 PM   #1
davidmc57
LQ Newbie
 
Registered: Jun 2004
Location: Minneapolis, MN
Distribution: Fedora
Posts: 6

Rep: Reputation: 0
Logwatch reports with no crontab command


Hi,

I am getting a daily report via email from Logwatch from a couple of my RH 9 servers with the header:

################### LogWatch 4.3.1 (01/13/03) ####################
Processing Initiated: Mon Sep 11 04:02:01 2006
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: backserver
################################################################

But I do not have any crontab entry for logwatch. I also checked with ps -ax and I was not able to find any running tasks named log*. How is logwatch activated automatically on a daily basis without a cron job?


Also, I noticed that the mailed report does not have the date/time stamp. For instance, /var/log/messages shows:

"Sep 11 04:02:03 backserver syslogd 1.4.1: restart
Sep 10 04:03:06 backserver smartd[1994]: Device: /dev/hda, SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 65 to 64"

But the email from logwatch shows:

"/dev/hda :
1 Time(s): SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 65 to 64"

How can I get the time stamp on that mailed report?

I was not able to find this time option on the file "/etc/log.d/conf/logwatch.conf" or in "man logwatch".

Thanks in advance,

David
 
Old 09-11-2006, 03:23 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Maybe /etc/cron.d and maybe it's a link not a file. Just try and "slocate" it.
Anyway, I'll move this thread. Ain't a security question.
 
Old 09-11-2006, 03:51 PM   #3
davidmc57
LQ Newbie
 
Registered: Jun 2004
Location: Minneapolis, MN
Distribution: Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the reply. I did not have anything in /etc/cron but I did in /etc/cron.daily:
lrwxrwxrwx 1 root root 28 Apr 10 2005 00-logwatch -> ../log.d/scripts/logwatch.pl

I only need now to figure out how to keep the timestamp from the original /var/log/messages logs. Any suggestions?
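
Added example (not part of the original posts): a job dropped or symlinked into /etc/cron.daily never shows up in `crontab -l`, so the check has to cover every cron location and look at link targets as well as file contents. The function name `find_cron_refs` and the default path list are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# find_cron_refs TERM [PATH...]
# List cron entries whose file name, symlink target or contents mention TERM.
# The default search paths are an assumption; layouts differ between distributions.
find_cron_refs() (
  term=$1; shift
  [ $# -gt 0 ] || set -- /etc/crontab /etc/cron.d /etc/cron.hourly \
      /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron
  for path in "$@"; do
    [ -e "$path" ] || continue
    # find does not follow symlinks here, so links are reported as links.
    find "$path" \( -type f -o -type l \) 2>/dev/null |
    while IFS= read -r entry; do
      target=
      if [ -L "$entry" ]; then target=$(readlink "$entry"); fi
      case "${entry##*/} $target" in
        *"$term"*)
          printf '%s%s\n' "$entry" "${target:+ -> $target}"
          continue ;;
      esac
      # Regular file (or link to one): look inside for the term.
      if [ -f "$entry" ] && grep -qF -e "$term" "$entry" 2>/dev/null; then
        printf '%s (mentions %s)\n' "$entry" "$term"
      fi
    done
  done
)

find_cron_refs logwatch
```

Run it as root so that per-user spool files are readable; unreadable paths are skipped silently.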
 
Old 09-11-2006, 04:00 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No timestamps. If you need on-alert notification you should run something that parses syslog in realtime like Swatch.
 
Old 09-11-2006, 04:38 PM   #5
davidmc57
LQ Newbie
 
Registered: Jun 2004
Location: Minneapolis, MN
Distribution: Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks unSpawn! I will look into Swatch for critical issues.

I wasn't trying to have logwatch add new timestamps, just simply not to remove the ones already present on the original log files. I suppose that logwatch is removing the beginning of each line of the /var/log files with the date/time string. I had hoped that perhaps this behavior was a configurable option, but that does not seem to be the case.

Thanks again for your feedback.
 
Old 09-11-2006, 05:08 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "just simply not to remove the ones already present on the original log files."
No, can't do that. It's how Logwatch is able to select loglines to check.
It would probably also make it a lot harder to tally messages the way it does.

Last edited by unSpawn; 09-11-2006 at 05:11 PM. Reason: ...
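
Added example (not part of the thread and not Logwatch's own code): a small awk summary that tallies identical syslog messages the way the mailed report does, while keeping the first and last timestamp seen for each one. The function names `sample_log` and `tally_with_times` are assumptions, and the first sample line is constructed so that one message repeats.

```shell
#!/bin/sh
# Constructed sample in /var/log/messages format; the last two lines are the
# ones quoted in the first post, the first line is made up for the tally.
sample_log() {
  cat <<'EOF'
Sep 10 04:02:04 backserver syslogd 1.4.1: restart
Sep 10 04:03:06 backserver smartd[1994]: Device: /dev/hda, SMART Usage Attribute: 195 Hardware_ECC_Recovered changed from 65 to 64
Sep 11 04:02:03 backserver syslogd 1.4.1: restart
EOF
}

# tally_with_times [FILE...]
# Group identical messages as a summary does, but remember when each was
# first and last seen. Reads stdin when no file is given.
tally_with_times() {
  awk '
    NF < 5 { next }                       # not a syslog-style line
    {
      ts = $1 " " $2 " " $3               # month, day, time
      msg = $0
      # Drop "Mon DD HH:MM:SS host " so equal messages compare equal.
      sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)
      # Drop the PID so a restarted daemon still tallies under one key.
      sub(/\[[0-9]+\]:/, ":", msg)
      if (!(msg in count)) { order[++n] = msg; first[msg] = ts }
      count[msg]++
      last[msg] = ts
    }
    END {
      for (i = 1; i <= n; i++) {
        m = order[i]
        printf "%d Time(s), first %s, last %s: %s\n", count[m], first[m], last[m], m
      }
    }
  ' "$@"
}

sample_log | tally_with_times
```

"First" and "last" follow the order of lines in the input, so feed rotated logs oldest file first.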
 
  

