How do I get fail2ban and mod_security logs to show up in logwatch on CentOS 6.4?


logwatch works fine, but I do not see the fail2ban or mod_security logs appearing in my logwatch report. How do I enable this? What do I need to change in logwatch's configuration file?

Below is the logwatch.conf file.

########################################################
# This was written and is maintained by:
#    Kirk Bauer <[email protected]>
#
# Please send all comments, suggestions, bug reports,
#    etc, to [email protected].
#
########################################################

# NOTE:
#   All these options are the defaults if you run logwatch with no
#   command-line arguments.  You can override all of these on the
#   command-line. 

# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
MailTo = root
# When using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to [email protected], use:
#Mailto_host1 = [email protected]
# Multiple recipients can be specified by separating them with a space.

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = Yes

# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch

# Use archives?  If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No
# Range = All

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low 


# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.  
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
#Service = pam             # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option.  This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages.  This will run all the filters that 
# process that logfile.  This option is probably not too useful to
# most people.  Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like system.
# The mailer code Prints a header with To: From: and Subject:.
# At this point you can change the mailer to any thing else that can handle that output
# stream. TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt 
mailer = "sendmail -t"

#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed.  The hostname
# can also be overridden on the commandline (with --hostname option).  This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles. 
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes

# By default the cron daemon generates daily logwatch report
# if you want to switch it off uncomment DailyReport tag. 
# The implicit value is Yes
#
# DailyReport = No

# vi: shiftwidth=3 tabstop=3 et

Output of the command sudo logwatch --debug High | grep -T100 'LogFiles that will be processed:'

000-*expandrepeats = 
   001-*onlyhost = 
   002-*applystddate = 
   Logfile = /var/log/maillog
   Archive = /var/log/maillog.9.gz
   Archive = /var/log/maillog.8.gz
   Archive = /var/log/maillog.7.gz
   Archive = /var/log/maillog.6.gz
   Archive = /var/log/maillog.5.gz
   Archive = /var/log/maillog.4.gz
   Archive = /var/log/maillog.3.gz
   Archive = /var/log/maillog.29.gz
   Archive = /var/log/maillog.28.gz
   Archive = /var/log/maillog.27.gz
   Archive = /var/log/maillog.26.gz
   Archive = /var/log/maillog.25.gz
   Archive = /var/log/maillog.24.gz
   Archive = /var/log/maillog.23.gz
   Archive = /var/log/maillog.22.gz
   Archive = /var/log/maillog.21.gz
   Archive = /var/log/maillog.20.gz
   Archive = /var/log/maillog.2.gz
   Archive = /var/log/maillog.19.gz
   Archive = /var/log/maillog.18.gz
   Archive = /var/log/maillog.17.gz
   Archive = /var/log/maillog.16.gz
   Archive = /var/log/maillog.15.gz
   Archive = /var/log/maillog.14.gz
   Archive = /var/log/maillog.13.gz
   Archive = /var/log/maillog.12.gz
   Archive = /var/log/maillog.11.gz
   Archive = /var/log/maillog.10.gz
   Archive = /var/log/maillog.1.gz
   Archive = /var/log/maillog-20121230

Logfile Name: up2date

Logfile Name: cisco

Logfile Name: cron
   001-*removeservice = anacron
   000-*onlyhost = 
   Logfile = /var/log/cron
   Archive = /var/log/cron.9.gz
   Archive = /var/log/cron.8.gz
   Archive = /var/log/cron.7.gz
   Archive = /var/log/cron.6.gz
   Archive = /var/log/cron.5.gz
   Archive = /var/log/cron.4.gz
   Archive = /var/log/cron.3.gz
   Archive = /var/log/cron.29.gz
   Archive = /var/log/cron.28.gz
   Archive = /var/log/cron.27.gz
   Archive = /var/log/cron.26.gz
   Archive = /var/log/cron.25.gz
   Archive = /var/log/cron.24.gz
   Archive = /var/log/cron.23.gz
   Archive = /var/log/cron.22.gz
   Archive = /var/log/cron.21.gz
   Archive = /var/log/cron.20.gz
   Archive = /var/log/cron.2.gz
   Archive = /var/log/cron.19.gz
   Archive = /var/log/cron.18.gz
   Archive = /var/log/cron.17.gz
   Archive = /var/log/cron.16.gz
   Archive = /var/log/cron.15.gz
   Archive = /var/log/cron.14.gz
   Archive = /var/log/cron.13.gz
   Archive = /var/log/cron.12.gz
   Archive = /var/log/cron.11.gz
   Archive = /var/log/cron.10.gz
   Archive = /var/log/cron.1.gz
   Archive = /var/log/cron-20121230

Logfile Name: yum
   Logfile = /var/log/yum.log

Logfile Name: tac_acc
   000-*applystddate = 

Logfile Name: exim

Logfile Name: syslog
   001-*removeservice = talkd,telnetd,inetd,nfsd,/sbin/mingetty
   000-*expandrepeats = 
   003-*applystddate = 
   002-*onlyhost = 

Logfile Name: dnssec
   000-*expandrepeats = 
   001-*applybinddate = 

Logfile Name: netscreen
   000-*applystddate = 

Logfile Name: autorpm

Logfile Name: dpkg
   000-*applyeurodate = 

LogFiles that will be processed:
[0] = maillog
[1] = qmail-pop3d-current
[2] = denyhosts
[3] = secure
[4] = messages
[5] = eventlog
[6] = qmail-send-current
[7] = none
[8] = samba
[9] = clam-update
[10] = extreme-networks
[11] = resolver
[12] = qmail-pop3ds-current
[13] = netopia
[14] = fail2ban
[15] = pix
[16] = xferlog
[17] = cisco
[18] = cron
[19] = netscreen
[20] = dnssec
[21] = qmail-smtpd-current
[22] = windows
[23] = vsftpd
[24] = php
[25] = emerge
[26] = http
[27] = bfd
[28] = sonicwall
[29] = iptables
[30] = pureftp
[31] = rt314
[32] = up2date
[33] = yum
[34] = tac_acc
[35] = exim
[36] = autorpm
[37] = dpkg



Made Temp Dir: /var/cache/logwatch/logwatch.tOKLrjds with tempdir
export LOGWATCH_DATE_RANGE='yesterday'
export LOGWATCH_OUTPUT_TYPE='unformatted'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.tOKLrjds/'
export LOGWATCH_DEBUG='10'

Preprocessing LogFile: maillog
'/var/cache/logwatch/logwatch.tOKLrjds/maillog-archive' '/var/log/maillog'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate ''>/var/cache/logwatch/logwatch.tOKLrjds/maillog

Preprocessing LogFile: secure
'/var/cache/logwatch/logwatch.tOKLrjds/secure-archive' '/var/log/secure'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate ''>/var/cache/logwatch/logwatch.tOKLrjds/secure

Preprocessing LogFile: messages
'/var/cache/logwatch/logwatch.tOKLrjds/messages-archive' '/var/log/messages'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'talkd,telnetd,inetd,nfsd,/sbin/mingetty,netscreen,netscreen'| /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate ''>/var/cache/logwatch/logwatch.tOKLrjds/messages

Preprocessing LogFile: cron
'/var/cache/logwatch/logwatch.tOKLrjds/cron-archive' '/var/log/cron'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyhost ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeservice 'anacron'| /usr/bin/perl /usr/share/logwatch/scripts/logfiles/cron/applydate>/var/cache/logwatch/logwatch.tOKLrjds/cron

Preprocessing LogFile: http
'/var/cache/logwatch/logwatch.tOKLrjds/http-archive' '/var/log/httpd/access_log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/var/cache/logwatch/logwatch.tOKLrjds/http

Preprocessing LogFile: yum
'/var/log/yum.log'  | /usr/bin/perl /usr/share/logwatch/scripts/logfiles/yum/applydate>/var/cache/logwatch/logwatch.tOKLrjds/yum

Processing Service: amavis
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyservice '(amavis|dccproc)' |/usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '' |/usr/bin/perl /usr/share/logwatch/scripts/services/amavis) 2>&1 
export clamav_ignoreunmatched='0'
export clamav_ignoreunmatched='0'

Processing Service: clamav-milter
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyservice 'clamav-milter' |/usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '' |/usr/bin/perl /usr/share/logwatch/scripts/services/clamav-milter) 2>&1 
export courier_enable='1'
export courier_ip_lookup='0'
export courier_printmailqueue='0'
export courier_tables='0'

Processing Service: courier
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/services/courier) 2>&1 

Processing Service: cron
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/cron  |  /usr/bin/perl /usr/share/logwatch/scripts/services/cron) 2>&1 

Processing Service: dovecot
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyservice '(imap-login|pop3-login|dovecot)' |/usr/bin/perl /usr/share/logwatch/scripts/services/dovecot) 2>&1 
export ftpd_ignore_unmatched='0'
export detail_transfer='1'
export http_ignore_error_hacks='0'
export http_user_display='0'

Processing Service: http
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/http  |  /usr/bin/perl /usr/share/logwatch/scripts/services/http) 2>&1 

Processing Service: imapd
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/shared/onlyservice '(imapd|imapd-ssl|imapsd)' |/usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '' |/usr/bin/perl /usr/share/logwatch/scripts/services/imapd) 2>&1 

Processing Service: in.qpopper
 ( cat /var/cache/logwatch/logwatch.tOKLrjds/maillog  |  /usr/bin/perl /usr/share/logwatch/scripts/shared/multiservice 'in.qpopper,qpopper' |/usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '' |/usr/bin/perl /usr/share/logwatch/scripts/services/in.qpopper) 2>&1 

Processing Service: ipop3d

Answer 1

I found this question seven years on, having run into the same problem. logwatch was processing the fail2ban log but reporting nothing, which I only saw once I put it into debug mode, like this:

logwatch --debug High --service fail2ban

The real problem on all my CentOS 6 machines was logwatch's fail2ban filter; I found another article that pointed to the solution:

Edit /usr/share/logwatch/scripts/services/fail2ban at line 81 and make the following replacement.

Original

} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {

Corrected

} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {

Source: https://www.gyrocode.com/articles/centos-7-fail2ban-and-logwatch/
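To see why the one-word change in the answer matters, here is an added example (not from the page or the logwatch project) that runs the original and corrected filter regexes, transcribed from Perl into Python's `re` syntax, over constructed fail2ban log lines in both the older WARNING format and the newer NOTICE format. The combined pattern at the end is my own suggestion, not part of the answer, and the log lines and addresses are constructed sample data.

```python
import re

# Regex from the "Original" line of the answer: logwatch's fail2ban filter on
# CentOS 6 only recognises Ban/Unban events logged at WARNING level.
OLD_PATTERN = re.compile(r"WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")
# Regex from the "Corrected" line: newer fail2ban logs Ban/Unban at NOTICE.
NEW_PATTERN = re.compile(r"NOTICE:?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")
# Assumption (my addition, not from the page): accept both log levels so a
# mixed fleet of old and new fail2ban versions keeps reporting.
BOTH_PATTERN = re.compile(
    r"(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)")

# Constructed sample log: two lines in the older fail2ban format and three in
# the newer one (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2013-01-05 10:21:33,123 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2013-01-05 10:31:33,456 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10
2019-06-01 10:21:30,000 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.11
2019-06-01 10:21:33,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.11
2019-06-01 10:31:33,123 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.11
"""


def parse_bans(log_text, pattern):
    """Return one (jail, action, host) tuple per line the pattern matches,
    i.e. the events the logwatch filter would feed into its summary."""
    events = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            events.append(m.groups())
    return events


def summarize(events):
    """Count Ban/Unban actions per jail, the way the report section does."""
    counts = {}
    for jail, action, _host in events:
        counts.setdefault(jail, {"Ban": 0, "Unban": 0})[action] += 1
    return counts


if __name__ == "__main__":
    for name, pat in (("original", OLD_PATTERN), ("corrected", NEW_PATTERN),
                      ("combined", BOTH_PATTERN)):
        # The original pattern reports nothing for the NOTICE-format lines,
        # which is exactly the empty fail2ban section the answer describes.
        print(name, summarize(parse_bans(SAMPLE_LOG, pat)))
```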
