Many thanks to @Syquus who put me on the right path to modifying the /usr/share/logwatch/scripts/services/http file.
My file and solution were different but I thought I would share all the same.
I use the standard vhost_combined LogFormat that Apache provides that looks like:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
which outputs something like:
example.org:80 1.1.1.1 - - [08/Oct/2013:16:55:01 +0000] "GET / HTTP/1.1" 200 6094 "-" "Opera/9.80 (X11; Linux x86_64; Edition Linux Mint) Presto/2.12.388 Version/12.16"
I put this in the service configuration override at /etc/logwatch/conf/services/http.conf:
$logformat = "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
After finding the approximately correct places to make the changes for @Syquus's solution in /usr/share/logwatch/scripts/services/http, I thought simply changing the index from [3] to [0] would work - it didn't. I got incorrect segments of the path and even after traversing the whole hash/array, I didn't find the hostname. Debugging was frustrating because I'm new to Perl, but my solution was to add in matching for the %v which was being discarded and then modifying the url further down to include the domain name.
Diff for my solution (I also removed the url truncation), YMMV:
--- __http.2013-10-09 2013-10-09 13:11:48.000000000 +0000
+++ http 2013-10-09 14:36:59.000000000 +0000
@@ -132,6 +132,8 @@
# Build tables of the log format to parse it and determine whats what
#
+my $my_url = "";
+
my $detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $ignoreURLs = $ENV{'http_ignore_urls'};
my $ignoreIPs = $ENV{'http_ignore_ips'};
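Review bot: `my $my_url = "";` is declared at file scope, but the only use in this patch is inside the per-line block of the last hunk, so the variable carries a value from one log line to the next for no reason. Declare it at the point of assignment (`my $my_url = $field{my_host} . $fmt_url;`) and drop this global.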
@@ -379,7 +381,10 @@
$logformat =~ s/%[\d,!]*/%/g;
while ($end_loop) {
- if ($logformat =~ /\G%h/gc) {
+ if ($logformat =~ /\G%v/gc) {
+ $parse_string[$parse_index] .= "(\\S*?)";
+ $parse_field[$parse_index][$parse_subindex++] = "my_host";
+ } elsif ($logformat =~ /\G%h/gc) {
$parse_string[$parse_index] .= "(\\S*?)";
$parse_field[$parse_index][$parse_subindex++] = "client_ip";
} elsif ($logformat =~ /\G%l/gc) {
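Review bot: the test `/\G%v/gc` in the new first branch is case-sensitive, so a LogFormat written with `%V` is not captured by it; if both should populate the host field, match `%[vV]` or add a second branch. The field name `my_host` also breaks from the descriptive naming of its neighbours such as `client_ip`; something like `vhost` says what the value is.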
@@ -437,7 +442,6 @@
#
# Process log file on stdin
#
-
while (my $line = <STDIN>) {
chomp($line);
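Review bot: the blank-line removal before `while (my $line = <STDIN>) {` is unrelated to the hostname change and should be dropped from the patch. It changes no behaviour and only adds a hunk that can fail to apply against other revisions of the script.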
@@ -580,11 +584,12 @@
!((defined $ignoreURLs) && ($field{url} =~ /$ignoreURLs/)) &&
!((defined $ignoreIPs) && ($field{client_ip} =~ /$ignoreIPs/)) ) {
my $fmt_url = $field{url};
- if (length($field{url}) > 60) {
- $fmt_url = substr($field{url},0,42) . " ... " .
- substr($field{url},-15,15);
- }
- $needs_exam{$field{http_rc}}{$fmt_url}++;
+ #if (length($field{url}) > 60) {
+ # $fmt_url = substr($field{url},0,42) . " ... " .
+ # substr($field{url},-15,15);
+ #}
+ $my_url = $field{my_host} . $fmt_url;
+ $needs_exam{$field{http_rc}}{$my_url}++;
}
if (defined $field{userid} && $field{userid} ne "-" &&
(eval $user_display) &&
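Review bot: `$field{my_host}` in the added line `$my_url = $field{my_host} . $fmt_url;` is only populated when `$logformat` contains `%v`, so with any other format the concatenation uses an undefined value and the key is just the URL again. Guard it, for example `(defined $field{my_host} ? $field{my_host} : "") . $fmt_url`. Separately, the length check is commented out rather than deleted: `$field{url}` comes from the client's request, so URLs of any length now go into the report. Either delete the dead lines and say why in a comment, or keep a cap with a larger limit.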
Should I decide to serve up secured content or content on a port other than :80, I might include it in the future. It should be obvious now how.
Hope this helps!
UPDATE
Made some more changes, fixed a bug. Rather than keep editing this answer you can find my modifications here: https://bitbucket.org/ubiquitypress/logwatch
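
The approach described in this answer (capture `%v`, then key the report by host plus URL), as a stand-alone added example; it is not part of the original answer and not logwatch's own code. The field names, the rule that anything other than 2xx/3xx needs examination, and the log lines after `__DATA__` are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The vhost_combined LogFormat quoted in the answer.
my $logformat = '%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"';

# Directive => [field name, capture pattern]; field names are this example's own.
my $quoted = '((?:[^"\\\\]|\\\\.)*)';      # quoted value, tolerating \" escapes
my %directive = (
    '%v'  => [ 'vhost',     '(\S+?)' ],
    '%p'  => [ 'port',      '(\d+)' ],
    '%h'  => [ 'client_ip', '(\S+)' ],
    '%l'  => [ 'ident',     '(\S+)' ],
    '%u'  => [ 'userid',    '(\S+)' ],
    '%t'  => [ 'time',      '\[([^\]]+)\]' ],
    '%r'  => [ 'request',   $quoted ],
    '%>s' => [ 'http_rc',   '(\d{3})' ],
    '%O'  => [ 'bytes',     '(\d+|-)' ],
);

# Translate the format into one anchored regex plus an ordered field list.
# A directive missing from the table is kept as literal text, so lines using
# it fail to match and are reported instead of being mis-parsed.
my ($regex, @fields) = ('');
for my $tok ($logformat =~ /(%>s|%\{[^}]+\}i|%[A-Za-z]|.)/gs) {
    if (my $d = $directive{$tok})  { push @fields, $d->[0]; $regex .= $d->[1] }
    elsif ($tok =~ /^%\{(.+)\}i$/) { push @fields, lc $1;   $regex .= $quoted }
    else                           { $regex .= quotemeta $tok }
}
my $line_re = qr/^$regex\z/;

my %needs_exam;    # {status}{host . url} => count
while (my $line = <DATA>) {          # constructed sample lines, see __DATA__
    chomp $line;
    my @v = $line =~ $line_re;
    if (!@v) { warn "unparsed line: $line\n"; next }
    my %f; @f{@fields} = @v;
    next if $f{http_rc} =~ /^[23]/;  # assumption: only non-2xx/3xx is reported
    my $url = (split ' ', $f{request})[1] // '';
    $needs_exam{ $f{http_rc} }{ $f{vhost} . $url }++;
}
for my $rc (sort keys %needs_exam) {
    print "$rc\n";
    printf "   %s: %d Time(s)\n", $_, $needs_exam{$rc}{$_}
        for sort keys %{ $needs_exam{$rc} };
}
__DATA__
example.org:80 192.0.2.10 - - [08/Oct/2013:16:55:01 +0000] "GET /admin HTTP/1.1" 404 312 "-" "Opera/9.80"
example.net:80 192.0.2.10 - - [08/Oct/2013:16:55:02 +0000] "GET /admin HTTP/1.1" 404 312 "-" "Opera/9.80"
example.net:80 192.0.2.11 - - [08/Oct/2013:16:55:03 +0000] "GET /admin HTTP/1.1" 404 312 "-" "Opera/9.80"
example.org:80 192.0.2.10 - - [08/Oct/2013:16:55:04 +0000] "GET / HTTP/1.1" 200 6094 "-" "Opera/9.80"
```

Without the host in the key, the three 404s for `/admin` would collapse into one entry; with it, the report shows which virtual host each probe hit.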