On Mon, 2005-11-14 at 12:42 -0400, kevin_herald wrote:
> Hello,
> Anyone use syslog-ng with logwatch-7.1? I was wondering how to set it up to scan the proper log files. Right now I have multiple servers writing to the main syslog-ng server. It creates directories such as:
> /var/log/HOSTS/<ip of clients>/2005/11/14/<logfile-name>
> logwatch.pl looks like it scans for /var/log or whatever you want, but I'm not sure how to scan the multiple directories of the syslog-ng server client logs.
This probably belongs on logwatch -at- logwatch.org but here goes.

You have 2 choices. One, you can create a wrapper to the logwatch call and set --logdir to whatever value you want [this is helpful for only parsing 1 day's logs instead of the normal of parsing everything it can find and filtering]. An example of this would be:

    #!/bin/bash
    # Build yesterday's date parts to match the syslog-ng directory template
    year=$(date -d -1day +%Y)
    month=$(date -d -1day +%m)
    day=$(date -d -1day +%d)
    /usr/sbin/logwatch --logdir "/var/log/HOSTS/192.168.0.1/$year/$month/$day" --print
    exit

The other way is to edit the logfile groups so that LogFile is defined to point at the logs you want parsed. [Wildcards are ok here.] Example:

    /usr/share/logwatch/default.conf/logfiles/messages.conf

has

    LogFile = messages

That means anything that normally looks for /var/log/messages uses this. You can change that to

    LogFile = /var/log/HOSTS/*/*/*/*/messages

to have it look at every single day from your syslog-ng template. And better yet, just add that line to the file [which you'll have to create]

    /etc/logwatch/conf/logfiles/messages.conf

[Using /etc/logwatch/conf/logfiles will allow you to preserve configuration changes across updates.]

Note this is probably a bad idea if you keep months and months of logs; use a wrapper!

Hope that helps. Some of this is in the manpage and the HOWTO that comes with logwatch [man logwatch].

-Mike
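The wrapper approach from the reply above, extended to every client directory, as an added example that is not part of the original post. It goes beyond the single-host wrapper by running logwatch once per client and flagging clients that have a directory but sent no logs yesterday. The function names, the LOGWATCH variable and the "run" argument are assumptions of this sketch; only --logdir and --print come from the thread.

```shell
#!/bin/sh
# Added example: one logwatch report per syslog-ng client, yesterday only.
# Assumes the layout from the thread: BASE/<client ip>/YYYY/MM/DD/<logfile>.
# LOGWATCH and the "run" argument are conventions of this sketch.

LOGWATCH=${LOGWATCH:-/usr/sbin/logwatch}

# Yesterday as YYYY/MM/DD from a single date call (GNU date), so the three
# parts cannot disagree if the script happens to run across midnight.
yesterday_path() {
    date -d '-1 day' +%Y/%m/%d
}

# Print one line per client under base dir $1: the log directory if logs
# exist for day $2, or "MISSING <client>" if that client has none that day.
client_dirs() {
    for host in "$1"/*/; do
        [ -d "$host" ] || continue      # glob matched nothing
        host=${host%/}
        if [ -d "$host/$2" ]; then
            printf '%s\n' "$host/$2"
        else
            printf 'MISSING %s\n' "${host##*/}"
        fi
    done
}

# Run logwatch once per client directory; report silent clients on stderr.
report_all() {
    day=$(yesterday_path)
    client_dirs "$1" "$day" | while IFS= read -r line; do
        case $line in
            MISSING\ *)
                echo "no logs for $day from ${line#MISSING }" >&2 ;;
            *)
                echo "=== $line ==="
                # stdin from /dev/null so logwatch cannot consume the loop input
                "$LOGWATCH" --logdir "$line" --print </dev/null ;;
        esac
    done
}

# Usage: script run [base-dir]; does nothing unless "run" is given.
case ${1:-} in
    run) report_all "${2:-/var/log/HOSTS}" ;;
esac
```

A client that appears as MISSING has stopped logging or lost its connection to the syslog-ng server, which is worth checking before trusting an otherwise quiet report.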