Including hostname in apache logwatch reports

Solution 1:

Try this (works for me): Define LogFormat in your httpd.conf as

LogFormat "%h %t [%V] \"%r\" %>s \"%{Referer}i\""

With this particular case, you'll have remote_address, date/time, [The server name according to the UseCanonicalName setting], request, satus code and Referer (that's my desired format) and then put

$LogFormat "%h %t %V \"%r\" %>s \"%{Referer}i\""

in your services/http.conf LogWatch file. That will

  1. make apache put the hostname (Canonical or not, it depends if you use %v or %V)
  2. force LogWatch to understand your Apache Access log

Here is an example of the a line in the log output with this particular set of directives:

172.3.20.11 [01/Jun/2011:21:00:52 +0200] joomla.local "GET /images/tabs_back.png HTTP/1.1" 404 "http://joomla.local/templates/beez_20/css/personal.css"

If we FOCUS ON ERROR CODES, and how are they treated in LogWatch, here are some changes you can made to /usr/share/logwatch/scripts/services/http: Add:

my $my_host = ""; my $my_url = "";

Then, about line 462, add this line to save our 4th column (HOST):

$field{my_host} = $field{$log_fields[3]};

And in line 560, after fmt_url is shorten ( if (length($field{url}) > 60) {...} ) add:

$my_host = $field{$log_fields[3]};
$my_host = substr($my_host,1);
$my_url=$my_host . $fmt_url;

Finally, change:

$needs_exam{$field{http_rc}}{$fmt_url}++;

by

$needs_exam{$field{http_rc}}{$my_url}++;

doing so, you'll have this in your Logwatch:

Requests with error response codes
404 Not Found
joomla.local/images/tabs_back.png: 3 Time(s)

I Hope it helps all you out

Solution 2:

I had the same issue and solved it by changing the LogFormat in apache.conf (http://httpd.apache.org/docs/2.2/mod/mod_log_config.html)

# LogFormat "%h %l %u %t \"%r\" %>s %O" common

# The default output has no info about the server name (%v).
# %m %U%q %H is strictly equivalent to %r.
LogFormat "%h %l %u %t \"%m %v%U%q %H\" %>s %O" common

This generates the same output as the default, adding the canonical server name as a prefix. Eg:

... "GET www.example.com/apache_pb.gif HTTP/1.0" 200 2326 ... 

The pro is that you don't need any other customization (eg. on the logwatch side). The con is that you get a few extra characters for each logged line.