[syslog-ng] syslog-ng and logwatch

[Mike Tremaine]

On Mon, 2005-11-14 at 12:42 -0400, kevin_herald wrote:
> Hello,
> 
> Anyone use syslog-ng with logwatch-7.1? I was wondering how to set it up 
> to scan the proper log files. Right now I have multiple servers writing 
> to the main syslog-ng server. It creates directories such as:
> 
> /var/log/HOSTS/<ip of clients>/2005/11/14/<logfile-name>
> 
> logwatch.pl looks like it scans for /var/log or whatever you want, but 
> I'm not sure how to scan the multiple directories of the syslog-ng 
> server client logs.

This probably belongs on logwatch -at- logwatch.org but here goes.

You have 2 choices one you can create a wrapper to the log watch call
and set --logdir to whatever value you want [this is helpful for only
parsing 1 days logs instead of the normal of parsing everything it can
find and filtering.]

An example of this would be

#!/bin/bash
year=$(date -d -1day +%Y)
month=$(date -d -1day +%m)
day=$(date -d -1day +%d)
/usr/sbin/logwatch --logdir "/var/log/HOSTS/192.168.0.1/$year/$month/$day" --print

exit

The other way to is to edit the logfile groups so that LogFile is
defined to point at the logs you want parsed. [Wildcards are ok here]

Example:

/usr/share/logwatch/default.conf/logfiles/messages.conf 

Has

LogFile = messages

That messages anything that normally looks for /var/log/messages uses
this. You can change that to 

LogFile = /var/log/HOSTS/*/*/*/*/messages

And better yet just add that line to the file [which you'll have to
create]

/etc/logwatch/conf/logfiles/messages.conf

[Using /etc/logwatch/conf/logfiles will allow you to preserve
configuration changes across updates.]

To have it look at every single day from you syslog-ng template. Note
this probably a bad idea if you keep months and months of logs use a
wrapper!


Hope that helps. Some of these is in the manpage and the HOWTO that
comes with logwatch [man logwatch]

-Mike