Logwatch too verbose, don't want 404 messages
 

I recently installed logwatch on a server, problem is that the report is filled with hundreds of lines "Requests with error response code ,404"
I've searched the docs and all over the Internet, strangely enough only found 1 person with similar problem and the solution provided does not help me.
Setting these in etc/logwatch/conf/services/http.conf doesn't change anything:
HTTP_IGNORE_ERROR_HACKS = 1 (tried 0 and 1)
HTTP_RC_DETAIL-404 = 10 (tried 0,5,10,Low,Med,High)
(Adding a wrong entry makes Logwatch spit out an error message, so the file is read.)
Detail setting för logwatch is "Low".
Any ideas how to stop Logwatch from reporting 404:s?

Firstly, why are you trying to stop it reporting 404s? That probably means you've got broken links on your site, which you should be fixing ;) you've set the RC_DETAIL-404 to 10, which I'm guessing is higher than your detail setting, so you're only getting a one-line error report. I would lower the RC_DETAIL-404 setting and fix the broken links.

However, I'm aware it might *not* be broken links and it could even be something which leaves you utterly blameless. In which case, I think adding the line
to /etc/logwatch/conf/ignore.conf should do the trick...

Thanks for your reply!
Adding "*404* to /etc/logwatch/conf/ignore.conf does not work, only output from logwatch then is I tried several variants with 404, "404 Not Found" etc but nope. Either I get all lines or a completely empty report.
Why I'm trying to stop it reporting 404s is because I'm not responsible for the websites on this server, my job is just to keep it up & running. I have notified the developers about these 404:s (they are pretty strange as the reported links actually works!) but as long as they keep coming I need to filter them out to get the report readable. I do not want to stop all messages from httpd though!
Unfortunately not - it should work that way but it doesn't, I get about 300 lines! Actually, that RC_DETAIL-404 doesn't change anything. It says in /etc/logwatch/conf/services/http.conf: probably removed completely in my version of logwatch ( 7.3.6).

Hm, sorry, I didn't realise it was a proper regex. My guess is
will work

I don't know how much you know about regular expressions - I was thinking that '*' would stand for any string (similar to globbing in the bash shell), but it seems to be used in its "proper" sense, which means repeat the previous character any number of times (including none). It was complaining because there was no character before it. And '.' matches any character, not a literal fullstop.

In a way, that worked!
(I know a little something about regex:s, not very much though. Whenever I need one it always takes me an hour or so to get it right.)
But it seems that the file "ignore.conf" only filters the report, taking out the lines containing "404" in the report only - it does not ignore lines in logfiles.
This means I now get 298 rows instead of 300...
For clarification, here's a snippet:
W/o ignore.conf:
With ignore.conf:
So I'll keep on searching, still happy for your help so far!
Hmmm maybe I'll set logwatch up to email the developers every hour, might make them more interrested in solving the actual problems.. ;)

Hm.... I don't know. My approach would be to try to lower the verbosity of the error reporting so that all of the information for the 404 error was on one line, but I can't find anything to suggest this is possible... Perhaps browsing through /usr/share/doc/logwatch might have some info :)

EDIT: You did say setting 'Detail = Med' didn't work, right?

I already have Detail=Low for logwatch, tried then various settings for RC_DETAIL-404 but as mentioned earlier it has no effect.

... and I sure have read the docs for logwatch, as well as searched like h..ll for a solution!
All I've found is suggestions to set RC_DETAIL-404 higher than l the logwatch detail-level, but as mentioned it doesn't work.

As far as I am aware, the services/http.conf setting should be

Setting a level higher than the global or service detail level will produce a summary output.

To suppress output entirely then, filter the resulting summary lines in ignore.conf using

That did it!!
So it is "HTTP_RC_DETAIL_REP-404" - not "HTTP_RC_DETAIL-404"!
A small error then in the default logwatch.conf, I never could have guessed that!
Thanks a lot!

[SOLVED] Logwatch too verbose, don't want 404 messages
 

Trying to solve this problem and ran across this post. Tried the suggested change in http.conf in the services for logwatch with no success. After looking in the /usr/share/logwatch/default.conf/services directory, found the default http.conf file used by logwatch with a line commented out that was slightly different than the answer given.

Added the following line to the /etc/logwatch/conf/services/http.conf (had to create)

$http_rc_detail_rep_404 = 20

After making this change and running logwatch, the output then looked like this:

--------------------- httpd Begin ------------------------

Requests with error response codes
404 Not Found SUMMARY - 340 URLs, total: 1044 Time(s)

---------------------- httpd End -------------------------

Just wanted to help others out when encountering this issue. Running logwatch version 7.4.0 on Ubuntu 12.04 LTS 64bit.

Regards,

Ken E.