Logwatch issue

UsagiChan · #1 23rd January 2010, 06:36 PM

I occasionally see messages in my logwatch report then cannot find the actual log entry. Is there any way I can have logwatch give a clearer report?
an example:

vsftpd:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=a-specific-user
rhost=67.215.229.226 : 7 Time(s)
check pass; user unknown: 7 Time(s)

Someone obviously tried to break into my FTP server at some time during the day. However I haven't a clue where I can find the specific entry so I can send it to the company and ask them to stop this person.

How can I get Logwatch to report the exact location of the log involved and the exact time? When I tried to search /var/logs/*.* I for the IP came up empty.

thanks

madhavdiwan · #2 23rd January 2010, 07:22 PM

try not being so specific in your search string.. *.* implies only files with . in the filename.. also .. your search is not recursive

try grep -r 'IPADDRESS' /var/log/*

remember to use quotes around the Ip Address

as for logwatch .. you can configure it in /etc/logwatch/conf/logwatch.conf for localized configuration.. this overrides the defaults in /usr/share/logwatch/default.conf/logwatch.conf , changing the amount of detail in the report might tell you enough .. or you can really customize it .. be careful, you could spend months getting your report to look JUST right, this is a really powerful utility with access to any log file you point out to it.

UsagiChan · #3 24th January 2010, 05:04 AM

Thanks

Quote:

try grep -r 'IPADDRESS' /var/log/*

That works