[SOLVED] Logwatch too verbose, don't want 404 messages
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I recently installed logwatch on a server, problem is that the report is filled with hundreds of lines "Requests with error response code ,404"
I've searched the docs and all over the Internet, strangely enough only found 1 person with similar problem and the solution provided does not help me.
Setting these in etc/logwatch/conf/services/http.conf doesn't change anything:
HTTP_IGNORE_ERROR_HACKS = 1 (tried 0 and 1)
HTTP_RC_DETAIL-404 = 10 (tried 0,5,10,Low,Med,High)
(Adding a wrong entry makes Logwatch spit out an error message, so the file is read.)
Detail setting för logwatch is "Low".
Any ideas how to stop Logwatch from reporting 404:s?
Firstly, why are you trying to stop it reporting 404s? That probably means you've got broken links on your site, which you should be fixing you've set the RC_DETAIL-404 to 10, which I'm guessing is higher than your detail setting, so you're only getting a one-line error report. I would lower the RC_DETAIL-404 setting and fix the broken links.
However, I'm aware it might *not* be broken links and it could even be something which leaves you utterly blameless. In which case, I think adding the line
Code:
*404*
to /etc/logwatch/conf/ignore.conf should do the trick...
Thanks for your reply!
Adding "*404* to /etc/logwatch/conf/ignore.conf does not work, only output from logwatch then is
Code:
"Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE 404*/ at /usr/sbin/logwatch line 1199, <TESTFILE> line 2."
I tried several variants with 404, "404 Not Found" etc but nope. Either I get all lines or a completely empty report.
Why I'm trying to stop it reporting 404s is because I'm not responsible for the websites on this server, my job is just to keep it up & running. I have notified the developers about these 404:s (they are pretty strange as the reported links actually works!) but as long as they keep coming I need to filter them out to get the report readable. I do not want to stop all messages from httpd though!
Quote:
you've set the RC_DETAIL-404 to 10, which I'm guessing is higher than your detail setting, so you're only getting a one-line error report.
Unfortunately not - it should work that way but it doesn't, I get about 300 lines! Actually, that RC_DETAIL-404 doesn't change anything. It says in /etc/logwatch/conf/services/http.conf:
Code:
"The following is supported for backwards compatibility, but deprecated"
probably removed completely in my version of logwatch ( 7.3.6).
Hm, sorry, I didn't realise it was a proper regex. My guess is
Code:
.*404.*
will work
I don't know how much you know about regular expressions - I was thinking that '*' would stand for any string (similar to globbing in the bash shell), but it seems to be used in its "proper" sense, which means repeat the previous character any number of times (including none). It was complaining because there was no character before it. And '.' matches any character, not a literal fullstop.
In a way, that worked!
(I know a little something about regex:s, not very much though. Whenever I need one it always takes me an hour or so to get it right.)
But it seems that the file "ignore.conf" only filters the report, taking out the lines containing "404" in the report only - it does not ignore lines in logfiles.
This means I now get 298 rows instead of 300...
For clarification, here's a snippet:
W/o ignore.conf:
Code:
Requests with error response codes
404 Not Found
//dagdok.org/en/un-structure/main-bodies/e ... forum.html: 2 Time(s)
//index.php?id=1643: 1 Time(s)
//index.php?id=1644: 1 Time(s)
/_vti_inf.html: 3 Time(s)
/admin/file_manager.php/login.php?action=d ... %65%2E%70%68%70: 1 Time(s)
/aktuellt/aktuellt/aktuellt/aktuellt/page.html: 1 Time(s)
So I'll keep on searching, still happy for your help so far!
Hmmm maybe I'll set logwatch up to email the developers every hour, might make them more interrested in solving the actual problems..
Hm.... I don't know. My approach would be to try to lower the verbosity of the error reporting so that all of the information for the 404 error was on one line, but I can't find anything to suggest this is possible... Perhaps browsing through /usr/share/doc/logwatch might have some info
EDIT: You did say setting 'Detail = Med' didn't work, right?
I already have Detail=Low for logwatch, tried then various settings for RC_DETAIL-404 but as mentioned earlier it has no effect.
... and I sure have read the docs for logwatch, as well as searched like h..ll for a solution!
All I've found is suggestions to set RC_DETAIL-404 higher than l the logwatch detail-level, but as mentioned it doesn't work.
As far as I am aware, the services/http.conf setting should be
Code:
$HTTP_RC_DETAIL_REP-404 = <level>
That did it!!
So it is "HTTP_RC_DETAIL_REP-404" - not "HTTP_RC_DETAIL-404"!
A small error then in the default logwatch.conf, I never could have guessed that!
Thanks a lot!
[SOLVED] Logwatch too verbose, don't want 404 messages
Trying to solve this problem and ran across this post. Tried the suggested change in http.conf in the services for logwatch with no success. After looking in the /usr/share/logwatch/default.conf/services directory, found the default http.conf file used by logwatch with a line commented out that was slightly different than the answer given.
Added the following line to the /etc/logwatch/conf/services/http.conf (had to create)
$http_rc_detail_rep_404 = 20
After making this change and running logwatch, the output then looked like this:
--------------------- httpd Begin ------------------------
Requests with error response codes
404 Not Found SUMMARY - 340 URLs, total: 1044 Time(s)
---------------------- httpd End -------------------------
Just wanted to help others out when encountering this issue. Running logwatch version 7.4.0 on Ubuntu 12.04 LTS 64bit.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.