9.37. Defining a logwatch Filter

Problem

You want logwatch to print reports for a service it does not support.

Solution

Create your own logwatch filter for that service or log file. Suppose you have a service called foobar that writes to the log file /var/log/foobar.log.

  1. Create /etc/log.d/conf/logfiles/foobar.conf containing:

    LogFile = /var/log/foobar.log
    Archive = foobar.log.*
    ...
  2. Create /etc/log.d/conf/services/foobar.conf containing:

    LogFile = foobar
  3. Create /etc/log.d/scripts/services/foobar.

    This is a script (Perl, shell, etc.) that matches the desired lines in foobar.log and produces your desired output. logwatch automatically strips the datestamps from syslog-format output, so your script needn’t do this.
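The filter script for step 3, as an added example that is not from the book: a POSIX shell script (the recipe allows Perl, shell, etc.) for the hypothetical foobar service, whose log line formats are assumptions made here. It reads the lines logwatch hands it on stdin, counts service starts and successful and failed logins, lists the source of each failed login when logwatch's detail level (the LOGWATCH_DETAIL_LEVEL environment variable) is 5 or higher, and ends with the lines it did not recognise so the patterns can be refined over time.

```shell
#!/bin/sh
# Added example: a logwatch service filter for the hypothetical "foobar"
# service, to be installed executable as /etc/log.d/scripts/services/foobar.
# logwatch feeds the selected log lines on stdin (syslog datestamps already
# stripped) and mails whatever the script prints, so the script prints
# nothing at all when there is nothing to report.
#
# The log line formats matched below are assumptions for this example:
#   foobar[4242]: starting
#   foobar[4242]: login ok for user bob from 192.0.2.11
#   foobar[4242]: login failed for user alice from 192.0.2.10

# foobar_report [detail]: summarise the log lines on stdin. The detail level
# defaults to logwatch's LOGWATCH_DETAIL_LEVEL; at 5 or above the report also
# lists where each failed login came from.
foobar_report() {
    awk -v detail="${1:-${LOGWATCH_DETAIL_LEVEL:-0}}" '
    / login failed for user / {
        who = $0; sub(/.* for user /, "", who)      # "alice from 192.0.2.10"
        user = who; sub(/ from .*/, "", user)       # "alice"
        if (!(user in failed)) users[++nusers] = user   # keep first-seen order
        failed[user]++; nfail++
        if (!(who in bysrc)) pairs[++npairs] = who
        bysrc[who]++
        next
    }
    / login ok for user / { nok++; next }
    /: starting$/          { nstart++; next }
    { unmatched[++nun] = $0 }                       # everything else
    END {
        if (nstart + nok + nfail + nun == 0) exit 0 # nothing to report
        if (nstart) printf "Service started %d time(s)\n", nstart
        if (nok)    printf "Successful logins: %d\n", nok
        if (nfail) {
            printf "Failed logins: %d\n", nfail
            for (i = 1; i <= nusers; i++)
                printf "   %s: %d time(s)\n", users[i], failed[users[i]]
            if (detail >= 5) {
                print "   Failed logins by source:"
                for (i = 1; i <= npairs; i++)
                    printf "      %s: %d time(s)\n", pairs[i], bysrc[pairs[i]]
            }
        }
        if (nun) {
            print ""
            print "**Unmatched Entries**"
            for (i = 1; i <= nun; i++) print "   " unmatched[i]
        }
    }'
}

# Entry point. The report is only produced when the script runs under its
# logwatch name, so the file can also be sourced to try foobar_report on
# sample lines without it waiting on stdin.
case "$0" in
    */foobar|foobar) foobar_report ;;
esac
```

Once installed as /etc/log.d/scripts/services/foobar and made executable, the script is run by logwatch like any of its bundled filters. Keeping the unmatched lines at the end is worth the extra noise at first: every line that shows up there is either a pattern the filter still lacks or a message you did not know the service produced.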

Discussion

logwatch is more a framework than a log parser. In fact, all parsing is done by auxiliary scripts in /etc/log.d/scripts/services, so for unsupported services, you must write your own scripts. You might think, “Hey, if I have to write these scripts myself, what’s the value of logwatch?” The answer is convenience, as well as consistency of organization. It’s helpful to have all your log groveling scripts together under one roof. Plus logwatch supplies tons of scripts; use them as examples for writing your own.

To integrate a given service into logwatch, you must define three files:

A logfile group configuration file

Found in /etc/log.d/conf/logfiles, it defines where the service’s logs are stored.

A service filter executable

Found in /etc/log.d/scripts/services, it must read ...
