Logwatch (default) config

Hi all,

I’m using logwatch on my openSUSE Leap (now 15.5) VPS. Default zypper installation, unchanged.
Works fine, for years, just one nice-to-have issue:
I’ve set “Detail Level of Output” to 0 (as few as possible), just to get a daily report of the most important events, summarized.
Works fine for HTTPD (Apache), Postfix etc.
BUT it is flooding me with:

  • each and every dropped packet for iptables and
  • each and every denied illegal user etc. for sshd

Any hints on how to get rid of these details, which are a little too granular for level 0, in logwatch? AFAIK I could at least prevent dropped packets from being logged by iptables, but I would like to keep them logged, just in case, only not listed by logwatch.

Thanks in advance,
Michael

Constructing regex for them in ignore.conf should do it.


Cool, works! Thank you for your hint!

/etc/logwatch/conf/ignore.conf prevents the lines captured by the regex from being included in logwatch’s output, but also adds a line “# Ignored Lines” (many thousands in my case) to inform you.

(remark: it took me a while to find out that my regex

^.*From.* packe(t|ts) to.*$

will NOT be successful when tested with “grep” on bash, for whatever reason. I also tried, as some stackexchange threads pointed in this direction, with some backslashes before (, ), |. Nothing works for grep, no matches. But as it worked e.g. on https://regex101.com/, I tried it in logwatch, and as said: it works perfectly :smiley: )


You need grep -E or egrep.


Yes. It is good. I did a regexp for ssh “invalid user”. Had to filter a bit myself. You can see it here with example text. https://www.regexpal.com/?fam=131867

Edit: It needs some refinement for the IPv4 bit (although it’s fine for our application) and probably something for IPv6.

THAT simple… you’re absolutely correct, and I should RTFM, M for man page, this time :smiley:
Or remember that I’ve heard this already, long long ago…

Interesting… your logwatch output is different from mine:
You’re getting e.g.

Invalid user zjkgv from 109.74.204.123 port 34880

whereas I’m getting a single header line, followed by entries for each “invalid user”:

Illegal users from:
  2001:470:1:332::37: 1 Time
  5.140.165.224: 2 Times
  14.53.134.163: 568 Times
  20.205.40.231: 341 Times
  24.141.63.212 (d24-141-63-212.home.cgocable.net): 1 Time
  ...

And also without port, maybe/probably because my sshd daemon listens on the standard port 22 only. Or maybe because of logwatch’s log level being set to 0.

I’m really sorry. My bad. I sent you the wrong URL, and now I’ve lost the original. I was working on another regexp on the command line to be used in a small script. I was just fiddling around with a grep -E on /var/log/messages.

Like this:

grep -E "Invalid user .* from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]{1,5}" /var/log/messages