I have this issue with logwatch that seems to be growing. I've googled this, and other people have posted questions about it here and there, but I don't see any solutions posted.

I'm seeing logwatch reporting this issue, or something like it, in a lot of web programming tools I and my friends use. Here's an example, from a Drupal Chat module installed under CentOS 4.2 (in this case):

--------
--------------------- httpd Begin ------------------------

A total of 11934 unidentified 'other' records logged with response code(s)
GET /chatbox/text?nickname=jtrant&limit=30&lastrefresh=1142823531 HTTP/1.1 with response code(s) 2 200 responses
GET /chatbox/nicklist&forcerefresh=9317 HTTP/1.1 with response code(s) 2 200 responses
--------

etc. (it continues for all 12000 entries). I've also seen it with htdig, the open source web indexing software, mambo and joomla! (CMS's like Drupal), and some wiki software. I don't know what it is about perl & php-based web forms that generate that funny double 200 (success) http response code, but it seems to be getting very common.

One way to fix it may be to edit logwatch's http script. But part of me wonders if that's the wrong approach--maybe it's Drupal's fault for sending back a funny http response--and part of me knows that would be a lot of effort.

Has anyone fixed this already? How?

Thanks,
Matt
On 3/22/06, Matt Morgan <minxmertzmomo@gmail.com> wrote:
> I have this issue with logwatch that seems to be growing. I've googled
> this, and other people have posted questions about it here and there,
> but I don't see any solutions posted.
>

Hi Matt,

I believe you can just add a "remove =" line to /etc/log.d/conf/services/httpd.conf and add a "*Remove =" line for the thing you want filtered out before Logwatch does its processing. If memory serves me correctly, you need *double, double quotes* if you are adding more than a one-word thing to search for. For example:

*Remove = "two words"

Regards,
HKC
On 3/22/06, hkclark@gmail.com <hkclark@gmail.com> wrote:
> On 3/22/06, Matt Morgan <minxmertzmomo@gmail.com> wrote:
> > I have this issue with logwatch that seems to be growing. I've googled
> > this, and other people have posted questions about it here and there,
> > but I don't see any solutions posted.
> >
>
> Hi Matt,
>
> I believe you can just add a "remove =" line to
> /etc/log.d/conf/services/httpd.conf and add a "*Remove =" line for the
> thing you want filtered out before Logwatch does its processing. If
> memory serves me correctly, you need *double, double quotes* if you
> are adding more than a one-word thing to search for. For example:
>
> *Remove = "two words"

Thanks. Do you have any documentation on that? I can't find any, either in the man page or on logwatch.org. I'll try it and see what happens anyway, and report back.
On 3/22/06, Matt Morgan <minxmertzmomo@gmail.com> wrote:
> > >
> > > *Remove = "two words"
> >
> > Thanks. Do you have any documentation on that? I can't find any,
> > either in the man page or on logwatch.org. I'll try it and see what
> > happens anyway, and report back.

Yeah, looks like Kirk has something off on the site. You should be able to get to it via the web interface to the CVS repository:

http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/HOWTO-Customize-LogWatch?rev=1.8&hideattic=0&content-type=text/vnd.viewcvs-markup

http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/Attic/HOWTO-Customize-Configuration?rev=1.4&hideattic=0&content-type=text/vnd.viewcvs-markup

Or try this if those links don't work:
http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/?hideattic=0#dirlist
(Just click in the "Rev" column to view the doc vs the log entries).

Let me know if you get stuck and I can look through my notes.

Thanks,
HKC
On 3/22/06, hkclark@gmail.com <hkclark@gmail.com> wrote:
> On 3/22/06, Matt Morgan <minxmertzmomo@gmail.com> wrote:
> > > >
> > > > *Remove = "two words"
> > >
> > > Thanks. Do you have any documentation on that? I can't find any,
> > > either in the man page or on logwatch.org. I'll try it and see what
> > > happens anyway, and report back.
>
> Yeah, looks like Kirk has something off on the site. You should be
> able to get to it via the web interface to the CVS repository:
>
> http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/HOWTO-Customize-LogWatch?rev=1.8&hideattic=0&content-type=text/vnd.viewcvs-markup
>
> http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/Attic/HOWTO-Customize-Configuration?rev=1.4&hideattic=0&content-type=text/vnd.viewcvs-markup
>
> Or try this if those links don't work:
> http://www2.cvs.autorpm.org:8080/index.cgi/logwatch/?hideattic=0#dirlist
> (Just click in the "Rev" column to view the doc vs the log entries).
>
> Let me know if you get stuck and I can look through my notes.

Thanks!! I think you may be right. The asterisk at the beginning of the line means "runs the shared script named like the word after the asterisk," and the shared script "remove" just does a

/bin/egrep -vi "$@"

that is, selects everything but what I typed in, case-insensitively. Will report back tomorrow after logwatch has another chance to run.
On 3/22/06, Matt Morgan <minxmertzmomo@gmail.com> wrote:
> >
> that is, selects everything but what I typed in, case-insensitively.
> Will report back tomorrow after logwatch has another chance to run.
>

Sounds good. Or do a "logwatch --print" to run it right now (without sending an email, or just "logwatch" to send an email). Use something like sudo to run as root. See "logwatch --help" for other options to change date range, reporting level, etc.

HKC
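Added example, not part of the original thread and not Logwatch's own code: because the shared "remove" script described above is a case-insensitive inverse egrep, any line matching the pattern never reaches the httpd report, so it is worth previewing what a candidate pattern would hide before putting it on a "*Remove =" line. The log lines below are constructed (assumed access-log format), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample access-log lines (not from the thread's server).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [22/Mar/2006:10:00:01 -0500] "GET /chatbox/text?nickname=jtrant&limit=30&lastrefresh=1142823531 HTTP/1.1" 200 512
192.0.2.10 - - [22/Mar/2006:10:00:02 -0500] "GET /chatbox/nicklist&forcerefresh=9317 HTTP/1.1" 200 128
192.0.2.11 - - [22/Mar/2006:10:00:05 -0500] "GET /index.php HTTP/1.1" 200 4096
198.51.100.7 - - [22/Mar/2006:10:00:09 -0500] "POST /CHATBOX/admin/settings HTTP/1.1" 403 210
198.51.100.7 - - [22/Mar/2006:10:00:12 -0500] "GET /node/1?ref=chatbox HTTP/1.1" 404 199
EOF
}

# Same selection the thread attributes to the shared "remove" script
# (egrep -vi PATTERN): keep every line that does NOT match.
remove_filter() {
    grep -E -vi -- "$1"
}

# Inverse view: the lines the pattern would hide from the report.
dropped_by() {
    grep -E -i -- "$1"
}

count_kept()    { sample_log | remove_filter "$1" | wc -l | tr -d ' '; }
count_dropped() { sample_log | dropped_by "$1" | wc -l | tr -d ' '; }

# A one-word pattern also hides the 403 and 404 requests that merely mention
# "chatbox"; the anchored pattern hides only the two successful polling GETs.
BROAD='chatbox'
NARROW='"GET /chatbox/(text\?nickname=|nicklist&forcerefresh=)[^ ]* HTTP/1\.[01]" 200 '

for p in "$BROAD" "$NARROW"; do
    echo "pattern: $p"
    echo "  kept: $(count_kept "$p")  dropped: $(count_dropped "$p")"
    sample_log | dropped_by "$p" | sed 's/^/  hidden: /'
done
```

To preview against real data, replace sample_log with a cat of the actual access log and review the "hidden" lines before adding the pattern to the service configuration.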