Logwatch Customization on CentOS 6

Greetings!

I find logwatch very useful - except there are a huge number of lines of messages that I would prefer not to have reported. For example from Dovecot and ProFTPD:

dovecot: imap(eustace@somedomain.com): Disconnected: Logged out bytes=156/2568: 1 Time(s)
dovecot: pop3(aley@somedomain.com): Disconnected: Logged out top=0/0, retr=1/29134, del=2/56, size=1378698: 1 Time(s)
XX.XXX.XXX.XXX (::ffff:XX.XXX.XXX.XXX[::ffff:XX.XXX.XXX.XXX]) - Preparing to chroot to directory '/home/somedomain.com'

Is there a way to suppress certain items like this (but I still want to watch for other messages from Dovecot and ProFTPd)?

Logwatch version is 7.3.6
Asked by: PaliTree
 
PaliTree (Author) Commented:
Yep - 'ignore.conf' does the job. I have solved my own question!
 
xterm Commented:
You need to suppress those lines at the source, not via logwatch.

I would personally recommend replacing rsyslog with syslog-ng - it comes with a script that will easily convert your existing syslog.conf to the new format, and then it opens up a world of possibilities for how to view your logs.

To remove the messages you refer to, you'd simply create a filter on that facility with something like:

  filter f_imappop3   { not match("Disconnected "); };

And then to your normal mail facility, add the filter

  log { source(s_sys); filter(f_imappop3);  destination(d_mail); };

If you don't want to do away with those lines entirely, you can clone the pop3/imap logs to a new file, filter them as you wish, and then let logwatch only watch that filtered clone log.  That would probably be your ideal solution.
 
PaliTree (Author) Commented:
Thanks xterm - but I don't want to change to syslog-ng (I don't doubt what you say about it, but I'd prefer to be conservative about it for now).

I'll see if I can modify Dovecot's log reporting to get rid of these messages (do you know how to do that?). But also I have now discovered that logwatch has an 'ignore.conf':

ignore.conf: This file specifies regular expressions that, when matched by the output of logwatch, will suppress the matching line, regardless of which service is being executed


That sounds promising.
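An added example, not part of the thread: candidate ignore.conf patterns for the three lines in the question, checked against a sample report so that routine logouts are dropped while login failures and abnormal disconnects stay visible. Assumptions: the patterns would go in /etc/logwatch/conf/ignore.conf, `grep -E` stands in for logwatch's own regex matching (equivalent for patterns this simple), and the last two sample lines are constructed.

```shell
#!/bin/sh
# Candidate ignore.conf entries, one regex per line. They are anchored to the
# exact routine message, because ignore.conf applies to every service's output
# and a loose pattern such as "Disconnected" would also hide abnormal events.
patterns() {
cat <<'EOF'
dovecot: (imap|pop3)\([^)]*\): Disconnected: Logged out
Preparing to chroot to directory
EOF
}

# Sample logwatch output: the first three lines are from the question,
# the last two are constructed lines that must NOT be suppressed.
sample_report() {
cat <<'EOF'
dovecot: imap(eustace@somedomain.com): Disconnected: Logged out bytes=156/2568: 1 Time(s)
dovecot: pop3(aley@somedomain.com): Disconnected: Logged out top=0/0, retr=1/29134, del=2/56, size=1378698: 1 Time(s)
XX.XXX.XXX.XXX (::ffff:XX.XXX.XXX.XXX[::ffff:XX.XXX.XXX.XXX]) - Preparing to chroot to directory '/home/somedomain.com'
dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<eustace>: 2 Time(s)
dovecot: imap(eustace@somedomain.com): Disconnected: Too many invalid IMAP commands: 1 Time(s)
EOF
}

# Print what would remain in the report once the patterns are applied.
filtered_report() {
    pat=$(mktemp) || return 1
    patterns > "$pat"
    sample_report | grep -Ev -f "$pat"
    rm -f "$pat"
}

# Print the lines the patterns would suppress, for review before deploying.
suppressed_lines() {
    pat=$(mktemp) || return 1
    patterns > "$pat"
    sample_report | grep -E -f "$pat"
    rm -f "$pat"
}
```

Running `suppressed_lines` against a saved copy of a real report before editing ignore.conf shows exactly what will disappear from future reports.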
 
PaliTree (Author) Commented:
Solved my own question
Question has a verified solution.
