
I have a CentOS 5.6 system, which runs Logwatch.

If I perform a security scan (Nessus) against this host, it produces unnecessary noise in the Logwatch output. I'd like to run these security scans regularly, from an internal IP and an external IP, without generating unnecessary noise about the security scans.

Since I know the IPs of these hosts, can I prevent this output from showing up in the Logwatch output?

 --------------------- pam_unix Begin ------------------------

 sshd:
   Authentication Failures:
      root (scan1.example.org): 1 Time(s)
      unknown (scan1.example.org): 1 Time(s)
   Invalid Users:
      Unknown Account: 1 Time(s)

--------------------- SSHD Begin ------------------------


 Failed logins from:
   192.168.100.1 (scan1.example.org): 1 time

 Illegal users from:
   X.Y.123.123 (scan2.example.org): 1 time

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user admin : 1 time(s)
 fatal: Write failed: Connection reset by peer : 1 time(s)
Stefan Lasiewski

2 Answers

7

Logwatch provides the *Remove shared script which will tell Logwatch to ignore lines which contain a particular string (e.g. grep -v), before they are processed later on.

  1. Copy /usr/share/logwatch/default.conf/services/sshd.conf to /etc/logwatch/conf/services/sshd.conf
  2. Add the following lines, which will tell logwatch to not process log entries for lines which contain this string:

     # Ignore these hosts
     *Remove = 192.168.100.1
     *Remove = X.Y.123.123
     # Ignore these usernames
     *Remove = testuser

  3. Now, no logwatch messages are generated for these hosts.

I couldn't do this with ignore.conf. I cannot come up with a regular expression which will allow Logwatch to print messages about attacks from evil domains:

Failed logins from:
   11.12.100.1 (EVILSCAN.example.ru): 1 time

While hiding messages generated by friendly scanners:

Failed logins from:
   192.168.100.1 (friendscan.example.org): 1 time

Background:

The Logwatch methods to do this are very poorly documented, and are not well googleable.

The shared script at /usr/share/logwatch/scripts/shared/remove will perform an inverse grep on a string. /usr/share/doc/logwatch-*/HOWTO-Customize-LogWatch documents how to execute these scripts:

You can have commands in the form of:

*SharedScriptName = Arguments

that will execute a script found in the /usr/share/logwatch/scripts/shared/ directory named 'SharedScriptName' with arguments 'Arguments'. This filter will modify the input to the service's filter.

Stefan Lasiewski
1

You could place regexp to ignore log lines into /etc/logwatch/conf/ignore.conf

AlexD
  • Thanks for the pointer. Can you provide an example, or links to examples? My google-fu is not showing much about ignore.conf , or about how to use ignore.conf to ignore multi-line messages. – Stefan Lasiewski Jun 10 '11 at 22:27
  • ignore.conf is just a list of regexps, one regexp per line. They are loaded from the file and each is matched against the next line from the logfile before processing it further. – AlexD Jun 15 '11 at 17:55
  • Unfortunately, this didn't work for me. I want to conditionally exclude all lines from the logwatch output including "Failed logins from:" but only if the IP address matched particular patterns. If there were legitimate bad addresses, then I want to print all of the output. This cannot be done via a regex as far as I know. – Stefan Lasiewski Jun 18 '11 at 17:32
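To make the difference between the two answers concrete, here is an added illustration that is not part of either answer and not Logwatch's own code. It emulates, on constructed sample sshd log lines, what both mechanisms do: the `*Remove` shared script from the accepted answer (treated here as a fixed-string `grep -v` over the raw log, which is an assumption about the real script) and an `ignore.conf` list of regexps as AlexD describes it in the comments. A toy stand-in for the sshd service filter then builds the "Failed logins from:" / "Illegal users from:" counts only from the lines that survived, which is why filtering raw lines by scanner address sidesteps the conditional-regex problem Stefan ran into. `X.Y.123.123` is the question's own obfuscated address, kept as a literal placeholder; `SAMPLE_LOG`, `REMOVE_STRINGS`, `IGNORE_PATTERNS` and all function names are inventions for this example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the question). X.Y.123.123 is the
# question's obfuscated external scanner address, kept as a literal placeholder.
SAMPLE_LOG = """\
Jun 10 22:01:03 host sshd[1234]: Failed password for root from 192.168.100.1 port 41234 ssh2
Jun 10 22:01:04 host sshd[1235]: Invalid user admin from X.Y.123.123
Jun 10 22:01:05 host sshd[1236]: Failed password for invalid user admin from X.Y.123.123 port 41235 ssh2
Jun 10 22:02:11 host sshd[1240]: Failed password for root from 11.12.100.1 port 50000 ssh2
Jun 10 22:02:12 host sshd[1241]: Failed password for testuser from 10.0.0.5 port 50001 ssh2
Jun 10 22:03:00 host sshd[1250]: Accepted publickey for deploy from 10.0.0.9 port 50002 ssh2
"""

# The strings behind the accepted answer's "*Remove = ..." lines in sshd.conf.
REMOVE_STRINGS = ["192.168.100.1", "X.Y.123.123", "testuser"]

# An ignore.conf-style equivalent: one regexp per line, matched against each raw log line.
IGNORE_PATTERNS = [r"from (192\.168\.100\.1|X\.Y\.123\.123)\b", r"\btestuser\b"]


def remove_filter(lines, needles):
    """Emulate the 'remove' shared script (assumption: a fixed-string grep -v).
    Any raw line containing one of the strings is dropped before the service filter sees it."""
    return [line for line in lines if not any(n in line for n in needles)]


def ignore_filter(lines, patterns):
    """Emulate ignore.conf as described in the comments: a raw line is dropped
    if any of the regexps matches it."""
    compiled = [re.compile(p) for p in patterns]
    return [line for line in lines if not any(c.search(line) for c in compiled)]


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")


def summarize(lines):
    """Toy stand-in for Logwatch's sshd service filter: per-source counts of failed
    logins and of invalid-user attempts, built only from the lines it is given."""
    failed, illegal = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            illegal[m.group(2)] += 1
    return {"failed": dict(failed), "illegal": dict(illegal)}


def render(summary):
    """Lay the counts out in the shape of the SSHD section quoted in the question.
    A section header is only emitted when at least one source remains under it."""
    out = []
    for title, key in (("Failed logins from:", "failed"), ("Illegal users from:", "illegal")):
        if summary[key]:
            out.append(title)
            out.extend(f"   {host}: {n} time(s)" for host, n in sorted(summary[key].items()))
    return "\n".join(out) if out else "(nothing to report)"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("--- unfiltered ---")
    print(render(summarize(lines)))
    print("--- after *Remove strings ---")
    print(render(summarize(remove_filter(lines, REMOVE_STRINGS))))
    print("--- after ignore.conf regexps ---")
    print(render(summarize(ignore_filter(lines, IGNORE_PATTERNS))))
```

Run unfiltered, the report lists all four failing sources and the one invalid-user source; after either filter only the 11.12.100.1 entry is left under "Failed logins from:" and the "Illegal users from:" header disappears on its own, because the header is produced by the service filter from whatever lines remain rather than being matched by a regexp afterwards. Two caveats worth keeping in mind: a `*Remove` string is a plain substring match under the assumption above, so `192.168.100.1` would also silence `192.168.100.10` unless the string is made more specific (the regexp variant shows one way to anchor it), and lines removed this way never reach the report at all, so keep the raw sshd logs if you ever need to audit what the scanner hosts themselves did.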