markwaldhoff
30.01.04, 21:46
Hi !
kennt sich jemand von euch mit Logwatch aus ?
Ich wollte Logwatch so konfigurieren das es mir snort alerts aus dem syslog zieht und mir dann per email sendet....
Ich habe die logwatch.conf schonmal ein wenig modifiziert... wenn ich logwatch ausführe kommt folgende Meldung:
linuxserver:/etc/log.d # ./logwatch
Duplicate specification "S|save=s" for option "s"
Duplicate specification "D|debug=s" for option "d"
Meine logwatch.conf sieht so aus:
-------------------------------------------------------------------------------------------------
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
# This should be /var/log on just about all systems...
LogDir = /var/log
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = markwaldhoff@yahoo.de
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No
# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...
-------------------------------------------------------------------------------------------------
Wenn der Fehler beseitig ist, würde ich gernen noch wissen, wie ich speziell die Snort Logs ausfiltere....
In der snort.conf habe ich folgendes Output Plugin neben dem Output in die mysql db definiert:
output alert_syslog: LOG_AUTH LOG_ALERT
kennt sich jemand von euch mit Logwatch aus ?
Ich wollte Logwatch so konfigurieren das es mir snort alerts aus dem syslog zieht und mir dann per email sendet....
Ich habe die logwatch.conf schonmal ein wenig modifiziert... wenn ich logwatch ausführe kommt folgende Meldung:
linuxserver:/etc/log.d # ./logwatch
Duplicate specification "S|save=s" for option "s"
Duplicate specification "D|debug=s" for option "d"
Meine logwatch.conf sieht so aus:
-------------------------------------------------------------------------------------------------
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
# This should be /var/log on just about all systems...
LogDir = /var/log
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = markwaldhoff@yahoo.de
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No
# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...
-------------------------------------------------------------------------------------------------
Wenn der Fehler beseitig ist, würde ich gernen noch wissen, wie ich speziell die Snort Logs ausfiltere....
In der snort.conf habe ich folgendes Output Plugin neben dem Output in die mysql db definiert:
output alert_syslog: LOG_AUTH LOG_ALERT