Logwatch: Ignore certain IPs for SSH & PAM checks?

Logwatch provides the *Remove shared script which will tell Logwatch to ignore lines which contain a particular string (e.g. grep -v), before they are processed later on.

  1. Copy /usr/share/logwatch/default.conf/services/sshd.conf to /etc/logwatch/conf/services/sshd.conf
  2. Add the following lines, which will tell logwatch to not process log entries for lines which contain this string:
# Ignore these hosts
*Remove = 192.168.100.1
*Remove = X.Y.123.123
# Ignore these usernames
*Remove = testuser

  3. Now, no logwatch messages are generated for these hosts.

I couldn't do this with ignore.conf. I cannot come up with a regular expression which will allow Logwatch to print messages about attacks from evil domains:

Failed logins from:
   11.12.100.1 (EVILSCAN.example.ru): 1 time

While hiding messages generated by friendly scanners:

Failed logins from:
   192.168.100.1 (friendscan.example.org): 1 time

Background:

The Logwatch methods to do this are very poorly documented, and are not well googleable.

The shared script at /usr/share/logwatch/scripts/shared/remove will perform an inverse grep on a string. /usr/share/doc/logwatch-*/HOWTO-Customize-LogWatch documents how to execute these scripts:

You can have commands in the form of:

*SharedScriptName = Arguments

that will execute a script found in the /usr/share/logwatch/scripts/shared/ directory named 'SharedScriptName' with arguments 'Arguments'. This filter will modify the input to the service's filter.
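Added example, not part of the answer above: a small POSIX shell check that emulates the inverse grep the *Remove script is described as doing, run over constructed sshd log lines, to show what an ignore string really hides before it goes into sshd.conf. It assumes plain, unanchored substring matching as the answer describes (confirm the exact rules in the remove script itself); the sample lines and helper names are made up for this example.

```shell
#!/bin/sh
# Emulate "*Remove = STRING" as a grep -v over sshd log lines, so an ignore
# string can be tested before it silences more than intended.

# Constructed sample of sshd log lines (not a real log).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 11.12.100.1 port 4022 ssh2
Jan 10 10:00:02 host sshd[1002]: Failed password for root from 192.168.100.1 port 5100 ssh2
Jan 10 10:00:03 host sshd[1003]: Failed password for testuser from 192.168.100.10 port 5101 ssh2
Jan 10 10:00:04 host sshd[1004]: Failed password for invalid user oracle from 192.168.100.150 port 5102 ssh2
Jan 10 10:00:05 host sshd[1005]: Accepted publickey for deploy from 10.0.0.5 port 33000 ssh2'

# apply_remove STRING: drop every line containing STRING, as "*Remove = STRING"
# is described to do (fixed-string, case-sensitive substring match here).
apply_remove() {
    grep -v -F -- "$1"
}

# remaining_after_remove STRING: number of sample lines that survive the filter.
remaining_after_remove() {
    printf '%s\n' "$SAMPLE_LOG" | apply_remove "$1" | wc -l | tr -d ' '
}

# remaining_after_anchored IP: same, but the IP is matched as a whole token
# (surrounded by spaces), so "192.168.100.1" no longer also swallows
# 192.168.100.10 and 192.168.100.150, whose lines may be attacks worth seeing.
remaining_after_anchored() {
    printf '%s\n' "$SAMPLE_LOG" | grep -v -F -- " $1 " | wc -l | tr -d ' '
}

# Quick demonstration when run directly: 5 lines in, 2 left after the broad
# ignore, 4 left after the anchored one.
echo "lines left with *Remove = 192.168.100.1: $(remaining_after_remove 192.168.100.1)"
echo "lines left matching the IP as a whole token: $(remaining_after_anchored 192.168.100.1)"
```

The broad string drops three of the five lines, including two hosts that were never meant to be ignored; the whole-token form drops only the friendly scanner's line.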


You could place regexp to ignore log lines into /etc/logwatch/conf/ignore.conf