Logwatch (default) config

michael_of · September 12, 2023, 1:12pm

Hi all,

I’m using logwatch on my OpenSuse Leap (now 15.5) VPS. Default zypper installation, unchanged.
Works fine, for years, just one nice to have issue:
I’ve set “Detail Level of Output” to 0 (as few as possible), just to get a daily report of the most important events, summarized.
Works fine for HTTPD (Apache), Postfix etc.
BUT Flooding me with:

each and every dropped package for iptables and
each and every denied illegal user etc. for sshd

Any hints to get rid of these a little too granular for level 0 details in logwatch? AFAIK I could prevent at least dropped packages to be logged by iptables, but I would like to keep them logged, just in case, only not listed logwatch.

Thanks in advance,
Michael

aggplanta · September 13, 2023, 6:57am

Constructing regex for them in ignore.conf should do it.

michael_of · September 13, 2023, 11:04am

Cool, works! Thank you for your hint!

/etc/logwatch/conf/ignore.conf prevents the lines captured by regex from being included in logwatch’s output, but also adds a line “# Ignored Lines”, many thousands in my case, to inform.

(remark: took me a while to find out that my regex

^.*From.* packe(t|ts) to.*$

will NOT be succesful when tested with “grep” on bash… whyever. Tried also, as some stackexchange threads pointed into this direction, with some backslashes, before (,),|. Nothing works for grep, no matches. But as it worked e.g. on https://regex101.com/, I tried for logwatch, and as said: works perfectly )

arvidjaar · September 13, 2023, 11:27am

You need grep -E or egrep.

aggplanta · September 13, 2023, 12:13pm

Yes. It is good. I did a regexp for ssh “invalid user”. Had to filter a bit myself. You can see it here with example text. https://www.regexpal.com/?fam=131867

Edit: It needs some refinement for the IPv4 bit (although it’s fine for our application) and probably something for IPv6.

michael_of · September 13, 2023, 1:23pm

THAT simple… you’re absolutely correct, and I should RTFM, M for man page, this time
Or remember that I’ve heard this already, long long ago…

michael_of · September 13, 2023, 1:35pm

Interesting… your logwatch output is different than mine:
You’re getting e.g.

Invalid user zjkgv from 109.74.204.123 port 34880

whereas I’m getting a single header line, followed by entries for each “invalid user”:

Illegal users from: 
  2001:470:1:332::37: 1 Time
  5.140.165.224: 2 Times
  14.53.134.163: 568 Times
  20.205.40.231: 341 Times
  24.141.63.212 (d24-141-63-212.home.cgocable.net): 1 Time 
  ...

And also without port, maybe/probably because my sshd daemon listens on std 22 only. Or maybe because of logwach’s log level set to 0.

aggplanta · September 13, 2023, 2:51pm

I’m really sorry. My bad. I sent you the wrong url, and now I’ve lost the original. I was working on another regexp on the command line to be used in a small script. I was just fiddling around with a grep -E /var/log/messages.

Like this:

grep -E “Invalid\ user\ .*\ from\ ([0-9]{1,3}.){3}[0-9]{1,3}\ port\ [0-9]{1,5}” /var/log/messages