Menu

#21 Http section not being populated in email

v7.5.6
open
nobody
None
5
2023-10-01
2022-04-29
No

I’ve recently customized my httpd logs to include more information from mod_security. I’ve both updated my stock http.conf file (/usr/share/logwatch/default.conf/services/http.conf) and created a /etc/httpd/conf/httpd.conf file to include an updated directive of :

$LogFormat = "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e";

Nonetheless, I don’t seem to be getting any output from logwatch for the http service:

[root@serverA services]# logwatch --detail high --range today --service http --output stdout | wc -l
0

--debug shows that the /etc/ file is being read.

I suppose I can create a watered down version of the access log just for logwatch, but with the amount of traffic the server gets It would be a little duplicitous. I’d much prefer it to read the same file.

Thanks.

Discussion

  • Andrew Villano

    Andrew Villano - 2022-04-29

    I'd like to add: I'm using RHEL 8.5 , running Logwatch 7.4.3

     
  • Bjorn

    Bjorn - 2022-05-04

    Can you send me a sampling of the log statements you expect to be parsed by Logwatch? You can obscure any sensitive information, provided it retains its syntactic validity.

     
  • Bjorn

    Bjorn - 2023-10-01

    Ticket moved from /p/logwatch/bugs/108/

     
  • Bjorn

    Bjorn - 2023-10-01

    Moved to Feature Request. Although we don't have a sample of the desired log statements, I do believe that it is due to the logformat parser (see variables $logformat, $parse_string and $parse_field, among others) not handling all possible format string types (prefixed by '%'). That is further complicated by the ability to specify variables (referred to as VARNAME in the mod_log_config documentation), whose contents can be any arbitrary format, and thus necessitating a very complex parser.

     

Log in to post a comment.