I find myself in an interesting dilemma.
I run logwatch the mail and web servers I manage. It used to give me some useful info, but these days, it has problems.
It's catching every single 404 from the web server logs. On a site with ~40,000 pages, ~150,000 unique URL's, that's heavily crawled by robots on a daily basis, that makes for a pretty large report.
Add to that the fact that it's also reporting every bounced spam, and it appears to be reporting all of the NNTP log entries as well, and any useful information is obliterated in a report that's well over a megabyte of text.
So I tried to follow the instructions and turn off HTTPD reporting. Apparently, I got the syntax wrong, so now instead of the 1.4 meg report, all I get is an error message.
Which is really just as useful. So why fix it?
I know it's theoretically possible to configure and customize logwatch, but when I tried to find documentation on it, all I found were incredibly detailed and obtuse instructions for building your own custom log filters from the ground up. Not helpful.
I'm posting this for your amusement at the dilemma, and in the vague hope that someone, somewhere, has written an intelligible guide to configuring logwatch on a very superficial level. Then again, maybe someone knows of a better tool.
On 1/8/07, Jonathan Hutchins hutchins@tarcanfel.org wrote:
It's catching every single 404 from the web server logs. On a site with ~40,000 pages, ~150,000 unique URL's, that's heavily crawled by robots on a daily basis, that makes for a pretty large report.
Add to that the fact that it's also reporting every bounced spam, and it appears to be reporting all of the NNTP log entries as well, and any useful information is obliterated in a report that's well over a megabyte of text.
So I tried to follow the instructions and turn off HTTPD reporting. Apparently, I got the syntax wrong, so now instead of the 1.4 meg report, all I get is an error message.
Actually, I've had this very same problem, but I'm using Logsentry, not logwatch...I think they do pretty much the same thing though. The configuration of Logsentry is pretty easy too:
There are 2 particular files you're interested in:
/etc/logcheck/logcheck.ignore /etc/logcheck/logcheck.violations.ignore
They use a simple regexp to filter out messages you want to ignore. From what I've been able to gather the following works:
<service-name>.*<text-to-match>
So, to get rid of your 404's try sticking the following line in both of the above files:
apache.*404
Just start going through your most recent logcheck email, and when you see a message you don't want it to report, just add a simple regexp (like above) to your ignore files.
Hope that helps, I got tired of getting 2Mb to 10Mb emails filled with log message I didn't want to see as well, and indeed makes the report useless.
-Lucas