Logwatch: Ignore certain IPs for SSH & PAM checks?
Logwatch provides the *Remove shared script, which tells Logwatch to ignore lines that contain a particular string (like grep -v) before they are processed further.
1. Copy /usr/share/logwatch/default.conf/services/sshd.conf to /etc/logwatch/conf/services/sshd.conf
2. Add the following lines, which tell Logwatch not to process log lines that contain these strings:
# Ignore these hosts
*Remove = 192.168.100.1
*Remove = X.Y.123.123
# Ignore these usernames
*Remove = testuser
3. Now no Logwatch messages are generated for these hosts.
I couldn't do this with ignore.conf. I cannot come up with a regular expression which will allow Logwatch to print messages about attacks from evil domains:
Failed logins from:
11.12.100.1 (EVILSCAN.example.ru): 1 time
While hiding messages generated by friendly scanners:
Failed logins from:
192.168.100.1 (friendscan.example.org): 1 time
Background:
The Logwatch methods to do this are very poorly documented and are not easily googleable.
The shared script at /usr/share/logwatch/scripts/shared/remove performs an inverse grep on a string. /usr/share/doc/logwatch-*/HOWTO-Customize-LogWatch documents how to execute these scripts:
You can have commands in the form of:
*SharedScriptName = Arguments
that will execute a script found in the /usr/share/logwatch/scripts/shared/ directory named 'SharedScriptName' with arguments 'Arguments'. This filter will modify the input to the service's filter.
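To see what successive *Remove entries do to the sshd log before Logwatch summarises it, here is an added example (not from the answer above or from the Logwatch project) that models *Remove as the inverse grep the answer describes, run over constructed log lines. It assumes the real shared script matches the argument as a plain substring and that a multi-word argument is passed through unchanged; check the script on your own host before relying on either assumption.

```shell
#!/bin/sh
# Added example: models "*Remove = string" as grep -v over sshd log lines.
# ASSUMPTION: the real /usr/share/logwatch/scripts/shared/remove script matches
# its argument as a plain substring; verify this against your installed copy.

# Constructed sample log lines (not real data). Note the fourth host,
# 192.168.100.12, which merely starts with the friendly scanner's address.
SAMPLE_LOG='Jan  1 10:00:01 host sshd[100]: Failed password for invalid user admin from 192.168.100.1 port 4001 ssh2
Jan  1 10:00:02 host sshd[101]: Failed password for invalid user admin from 11.12.100.1 port 4002 ssh2
Jan  1 10:00:03 host sshd[102]: Failed password for testuser from 10.0.0.5 port 4003 ssh2
Jan  1 10:00:04 host sshd[103]: Failed password for invalid user root from 192.168.100.12 port 4004 ssh2'

# apply_remove "<log text>" string...
# Drops every line containing any of the given strings, one filter pass per
# string, the way successive "*Remove = string" entries are applied.
apply_remove() {
  log=$1; shift
  for s in "$@"; do
    log=$(printf '%s\n' "$log" | grep -v -F -- "$s" || true)
  done
  printf '%s\n' "$log"
}

# count_lines "<text>": number of non-empty lines that survived filtering.
count_lines() {
  printf '%s' "$1" | grep -c . || true
}

# The bare IP from the answer also removes the 192.168.100.12 line, so that
# host's failed logins silently vanish from the report (a monitoring blind spot).
echo "--- *Remove = 192.168.100.1 and *Remove = testuser ---"
apply_remove "$SAMPLE_LOG" 192.168.100.1 testuser

# Including the surrounding text keeps the match to the one intended host;
# the evil scanner (11.12.100.1) and 192.168.100.12 both stay in the report.
echo "--- *Remove = from 192.168.100.1 port ---"
apply_remove "$SAMPLE_LOG" "from 192.168.100.1 port" testuser
```

Whether the longer argument survives Logwatch's own config parsing is something to confirm on your version; the point the run shows is that a bare address string matches more hosts than intended.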
You could place regexp to ignore log lines into /etc/logwatch/conf/ignore.conf