Logwatch handler seems to not work correctly
Hello,
I have a weird problem with Logwatch. I've installed a VSFTPd server on my server machine for a few days now, because it is needed internally in our organization by some printers that can only scan to FTP folders. The only time I got a report from Logwatch for the VSFTPD Service was today, when in fact, there is ongoing FTP activity for a few days now !
Code:
scpej-hga [/var/log] # date
Logwatch is set up and vsftpd is loaded in the services sections of Logwatch. The issue is somewhat strange, and let me explain how: For a few days now, I have had constant activity in VSFTPD logs. Here is a sample of logs for Aug 10th, Aug 9th, Aug 8th (the logfile also contains Downloads/Uploads, and so on, I only grepped "Connect" in order to shorten the Code Section in this post) - you get the idea, I have valid logs, so no problems here.
Code:
scpej-hga [/var/log] # cat /var/log/vsftpd.log |grep "Aug 10" |grep -m 1 CONNECT
I am curious WHY didn't Logwatch report me the activities Yesterday, and the day before, and so on... (Logwatch is set to send me emails on a daily basis with "Range: Yesterday" and "Detail Level: Low") I want to check if Logwatch did really see those activities in vsftpd.log a few days ago. If I specify with range:
Code:
scpej-hga [/var/log] # logwatch --range "-2 days" --output stdout --service vsftpd
Reporting with "ALL" in Range, gives me all the logs, correctly, INCLUDING those missed by Logwatch for a few days now:
Code:
scpej-hga [/var/log] # logwatch --range "All" --output stdout --service vsftpd
I wonder why Logwatch doesn't report with "-X days" interval. Also, I don't think that it's a problem with "-X days", since Yesterday, it should have reported for "it's Yesterday" which was, from today's point of view, "-2 days ago". So it's not a SYNTAX problem. It's rather that Logwatch doesn't seem to detect LOG activity in those days (Aug 8 and Aug 9) in normal "Yesterday" mode and also in specifying "-X days" parameters. The only keyword that seems to be working is "All". Anyone have a guess, or should I file a bug report ?... God knows how many other logs did I miss... Thank you ! |
Quote:
Did you see any error(s)/message(s) about the date range when you typed it in?? And posting the same question on numerous forums is a bit rude: https://askubuntu.com/questions/1423...work-correctly ...especially when you don't follow up in threads here. |
1. I've read them. I didn't find anything useful. Like I said in other posts, when I stumble upon a problem, I try to resolve it first, for a few hours (reading docs, forums, manuals, testing, and so on...). I post on forums only as a last resort.
2. Doesn't work with single quotes either. If it would have worked, another problem would have arisen: why the normal logwatch process doesn't see anything yesterday and the day before but sees when specifying the parameter. But, it doesn't work with parameters:
Code:
scpej-hga [~] # logwatch --range '-2 days' --output stdout --service vsftpd
4. I didn't realize so much info is required to debug. My mistake, sorry. I've installed vsftpd on August 4th. Starting with Aug 4, there are logs in my vsftpd.log and vsftpd.log.1 almost every day. But I only got Logwatch report TODAY (for the "yesterday" interval).
5. I post on multiple forums because there are users which are here and not there and there are users that are there and not here. I post to increase my chances of someone seeing my problem. If it bothers you, I'm sorry. I follow up threads and I am subscribed for instant notification via email.
6. I did not see any error messages, obviously. If I had seen messages, I would have debugged them first... |
Quote:
And it's not 'obvious' that you would have looked at any errors/messages first...we only know what you actually post, and we have to ask obvious details about your system before you tell us. Also, for #3 and #4, asking a clear question and providing complete details needs to happen. Do you expect everyone to guess as far as what you're using, when it started, etc??? Same as you've been told before. Again, you seem to be omitting pieces of things (logrotate among them), and somehow expect us to know what's going on. You rarely follow up in your threads here, and if you're going to cross-post to multiple forums, it's fairly rude to have others elsewhere (or here) waste their time trying to help you, when you're just going to take an answer somewhere and move on, without ever following up/posting the solution. |
Yes, logrotate is installed and it rotates my logs.
However, this is not the problem.
Code:
scpej-hga [~] # cat /var/log/vsftpd.log |grep -m 3 "Aug"
The file is there, the logs are in it, but it seems that Logwatch doesn't parse the file completely, except when invoking "--range 'All'" parameter. Again, my mistake: it's "vsftpd.log", not "sftpd.log" - I missed the first letter: "v". I understand what you mean by follow up now. To post if the problem is solved. Well, sadly, my other problem is not solved. That's why I didn't follow up and then I went on doing something else. |
Quote:
Quote:
And what about your other threads, where you ALSO didn't bother following up??? Others have also pointed out about cross-posting as well...not a good thing. |
I have not played with logwatch. Have you tried running logwatch from the command line using --range today or --range yesterday?
Is logwatch configured for just vsftpd or multiple services? If more than one, are you getting acceptable results for the other services? Usually logwatch is configured to run from cron or maybe anacron on a daily basis. When it runs may affect the emailed output.
Quote:
Range=Yesterday Detail=low
The default range settings are All, Yesterday and Today unless the Perl module Date::Manip is installed. I would assume it would be automatically installed but could be one reason why "-2 days" is not working as expected. |
Quote:
Personally, I suspect logrotate is in play, and the logs are just not there to report ON, but without information from the OP there's not much we can guess at. |
1. Logwatch.conf:
Code:
########################################################
3. Specifying Range=Yesterday and Range=Today works fine.
4. Because today is another day (Aug 12th), now, specifying "-2 days" also works. But specifying "-3 days" still doesn't work. Basically, it's NOT a problem with the Syntax or with the ranges ! No problem with "-X days" or with "yesterday" or with "today". The problem is that Logwatch doesn't pick up logs for a specific day, EVEN IF those logs are present in "vsftpd.conf" !
An example for today: My vsftpd.log starts on Aug 8th:
Code:
scpej-hga [~] # head -3 /var/log/vsftpd.log
Doing interrogation on Logwatch, as per following:
Code:
scpej-hga [~] # logwatch --range 'today' --output stdout --service vsftpd |head -10
-4 days would have been 2022-Aug-08
No report from Logwatch for those days ! Even if I have logs for those days !:
Code:
scpej-hga [~] # cat /var/log/vsftpd.log |grep "Aug 8" |head -1
Code:
logwatch --range 'all' --output stdout --service vsftpd
I really hope I have explained it all to the best of my abilities... |
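A cross-check for the per-day gap described in this thread, as an added example that is not part of any post: it tallies vsftpd.log lines per day and prints the Logwatch range to run for each of those days, so a day that has log lines but returns an empty report stands out. The sample lines are constructed and assume vsftpd's native log format; the function names `sample_log` and `coverage_plan` are hypothetical, and the relative ranges need Date::Manip as noted earlier in the thread.

```shell
#!/bin/sh
# Constructed sample lines (assumed vsftpd native format, not the poster's data).
sample_log() {
cat <<'EOF'
Mon Aug  8 09:12:01 2022 [pid 2101] CONNECT: Client "192.0.2.10"
Mon Aug  8 09:12:03 2022 [pid 2100] [scanner] OK LOGIN: Client "192.0.2.10"
Tue Aug  9 14:40:22 2022 [pid 2290] CONNECT: Client "192.0.2.11"
Wed Aug 10 08:01:17 2022 [pid 2433] CONNECT: Client "192.0.2.10"
Thu Aug 11 16:55:09 2022 [pid 2610] CONNECT: Client "192.0.2.12"
Thu Aug 11 16:55:10 2022 [pid 2609] [scanner] OK UPLOAD: Client "192.0.2.12", "/scan/a.pdf", 1024 bytes
EOF
}

# Read a vsftpd log on stdin; for every day that has entries, print the line
# count and the logwatch command covering that day relative to a reference
# date (first argument, YYYY-MM-DD; defaults to the current date).
coverage_plan() {
  ref=${1:-$(date +%Y-%m-%d)}
  awk -v ref="$ref" '
    # Julian Day Number, used only to subtract two calendar dates.
    function jdn(y, m, d,   a, yy, mm) {
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
      split(ref, r, "-"); today = jdn(r[1] + 0, r[2] + 0, r[3] + 0)
    }
    # $2=month $3=day $5=year; default field splitting absorbs a space-padded day.
    ($2 in mon) && $3 ~ /^[0-9]+$/ && $5 ~ /^[0-9][0-9][0-9][0-9]$/ {
      key = sprintf("%04d-%02d-%02d", $5, mon[$2], $3)
      count[key]++; off[key] = today - jdn($5 + 0, mon[$2], $3 + 0)
    }
    END {
      for (k in count) {
        range = (off[k] == 0) ? "today" : ((off[k] == 1) ? "yesterday" : ("-" off[k] " days"))
        printf "%s lines=%d logwatch --range \"%s\" --output stdout --service vsftpd\n", k, count[k], range
      }
    }' | sort
}

sample_log | coverage_plan 2022-08-12
```

Against a real system, feed it the live file (`coverage_plan < /var/log/vsftpd.log`) and run each printed command; any day listed with lines but an empty report is a reporting gap to investigate.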
Seems problem is specific to those days. What happens if you use detail high?
|
OK, I've edited /usr/share/logwatch/default.conf/logwatch.conf Detail to High:
Code:
scpej-hga [~] # cat /usr/share/logwatch/default.conf/logwatch.conf |grep Detail |
Try adding --detail high from the command line.
|
Code:
scpej-hga [~] # logwatch --range '-3 days' --detail high --output stdout --service vsftpd |
Quote:
Perhaps your SECOND forum-cross-post can get you help: https://ubuntuforums.org/showthread....920&p=14107667 |
I'm sorry, TB0ne, but I don't understand half of what you are saying...
"The automated report runs fine." - what automated report ? If you are referring to the daily Logwatch, it also missed reporting vsftpd logs on Aug 8th and Aug 9th.
"You get the correct results when you run it for a limited range." - I don't know what you mean. When running with "--range '-X days'" it doesn't work OK for some specific days.
"Yet (somehow) there's a problem with logwatch??" - OF COURSE there is a problem with Logwatch. VSFTPD logs fine. Logwatch misses the logs for specific days...
"We *STILL* understand what you're saying, so restating the problem adds nothing new...you need to think about what you're posting, though" --- what ??? I don't know what you mean. I replied to another forum member, that's why I reposted. What's wrong with that ?
"EVERYTHING you're posting indicates that logwatch is running the way it should" --- it's obvious that you still don't understand the problem ! IT DOESN'T WORK OK !!!
"Not processing files that logrotate is handling, since # Archives = No" --- ok, so what ? I need to process from vsftpd.log, which is not an archive.
"Detail is NOT set to high: Detail = Low" --- I've set it to High, still no results. There are CLEARLY LOGS of VSFTPD in Aug 8th and Aug 9th, which Logwatch misses them.
"Have you checked /usr/share/logwatch/scripts/services/* for the appropriate vsftpd file?" --- yes, I checked the file.
"Because you have, Service = All, instead of specifying the service which you said you did." --- yes, I also have other services reported by Logwatch.
Here it's the vsftpd service file from Logwatch:
Code:
scpej-hga [~] # cat /usr/share/logwatch/default.conf/services/vsftpd.conf |