Logwatch Customization on CentOS 6


I find logwatch very useful - except there are a huge number of lines of messages that I would prefer not to have reported. For example from Dovecot and ProFTPD:

dovecot: imap(eustace@somedomain.com): Disconnected: Logged out bytes=156/2568: 1 Time(s)
dovecot: pop3(aley@somedomain.com): Disconnected: Logged out top=0/0, retr=1/29134, del=2/56, size=1378698: 1 Time(s)
XX.XXX.XXX.XXX (::ffff:XX.XXX.XXX.XXX[::ffff:XX.XXX.XXX.XXX]) - Preparing to chroot to directory '/home/somedomain.com'

Is there a way to suppress certain items like this (but I still want to watch for other messages from Dovecot and ProFTPd)?

Logwatch version is 7.3.6

You need to suppress those lines at the source, not via logwatch.

I would personally recommend replacing rsyslog with syslog-ng - it comes with a script that will easily convert your existing syslog.conf to the new format, and then it opens up a world of possibilities for how to view your logs.

To remove the messages you refer to, you'd simply create a filter on that facility with something like:

  filter f_imappop3   { not match("Disconnected "); };

And then to your normal mail facility, add the filter

  log { source(s_sys); filter(f_imappop3);  destination(d_mail); };

If you don't want to do away with those lines entirely, you can clone the pop3/imap logs to a new file, filter them as you wish, and then let logwatch only watch that filtered clone log.  That would probably be your ideal solution.
PaliTree (Author) Commented:
Thanks xterm - but I don't want to change to syslog-ng (I don't doubt what you say about it, but I'd prefer to be conservative about it for now).

I'll see if I can modify Dovecot's log reporting to get rid of these messages (do you know how to do that?). But also I have now discovered that logwatch has an 'ignore.conf':

ignore.conf: This file specifies regular expressions that, when matched by the output of logwatch, will suppress the matching line, regardless of which service is being executed

That sounds promising.
PaliTree (Author) Commented:
Yep - 'ignore.conf' does the job. I have solved my own question!
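As an added illustration (not part of the original thread, and not logwatch's own code), the script below mimics what ignore.conf does to logwatch's output, using the lines from the question: one regex per line, '#' comments, and any output line matching one of them is dropped. The ignore.conf path, the patterns and the sample output are assumptions; logwatch applies Perl regexes, so the patterns stick to syntax Python's re module shares. It also shows why a pattern as broad as "Disconnected" is a bad idea: it would hide login failures you probably want to see.

```python
import re

# Constructed ignore.conf contents. On CentOS 6 the local override is
# usually /etc/logwatch/conf/ignore.conf (assumption: check your install).
IGNORE_CONF = r"""
# Dovecot: routine session teardown, not worth reporting
^dovecot: (imap|pop3)\([^)]+\): Disconnected: Logged out\b
# ProFTPD: chroot announcement printed for every login
Preparing to chroot to directory '
"""

# Constructed sample logwatch output; addresses and users are placeholders.
SAMPLE_OUTPUT = [
    "dovecot: imap(eustace@somedomain.com): Disconnected: Logged out bytes=156/2568: 1 Time(s)",
    "dovecot: pop3(aley@somedomain.com): Disconnected: Logged out top=0/0, retr=1/29134, del=2/56, size=1378698: 1 Time(s)",
    "192.0.2.10 (::ffff:192.0.2.10[::ffff:192.0.2.10]) - Preparing to chroot to directory '/home/somedomain.com'",
    "dovecot: imap(eustace@somedomain.com): Disconnected: Inactivity (no input for 1800 secs): 3 Time(s)",
    "dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<aley@somedomain.com>, rip=198.51.100.7: 3 Time(s)",
]


def load_ignore_patterns(text):
    """Parse ignore.conf text into compiled regexes, skipping blanks and comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def apply_ignore(lines, patterns):
    """Return the lines that would still be reported: a line is suppressed
    as soon as any ignore regex matches anywhere in it (unanchored search)."""
    return [line for line in lines if not any(p.search(line) for p in patterns)]


def suppressed_by(pattern_text, lines):
    """Show what a single candidate regex would hide, to check it before use."""
    pattern = re.compile(pattern_text)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    kept = apply_ignore(SAMPLE_OUTPUT, load_ignore_patterns(IGNORE_CONF))
    for line in kept:
        print("REPORTED:", line)
    # A bare "Disconnected" would also swallow the auth-failure line.
    for line in suppressed_by(r"Disconnected", SAMPLE_OUTPUT):
        print("TOO BROAD, would hide:", line)
```

Run any candidate regex through suppressed_by against a day's real logwatch output before adding it, and keep the precise form in ignore.conf.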

PaliTree (Author) Commented:
Solved my own question