Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've installed a VSFTPd server on my server machine for a few days now, because it is needed internally in our organization by some printers that can only scan to FTP folders.
The only time I got a report from Logwatch for the VSFTPD Service was today, when in fact, there is ongoing FTP activity for a few days now !
Code:
scpej-hga [/var/log] # date
Thu 11 Aug 2022 09:41:11 AM EEST
I've got a Report for August 10th, which is OK.
Logwatch is set up and vsftpd is loaded in the services sections of Logwatch.
The issue is somewhat strange, and let me explain how:
For a few days ago, I have constant activity in VSFTPD logs:
Here is a sample of logs for Aug 10th, Aug 9th, Aug 8th:
(the logfile also contains Downloads/Uploads, and so on, I only grepped "Connect" in order to shorten the Code Section in this post) - you get the ideea, I have valid logs, so no problems here.
Now, the problem is defined like this:
I am curious WHY didn't Logwatch report me the activites Yesterday, and the day before, and so on...
(Logwatch is set to send me emails on a daily basis with "Range: Yesterday" and "Detail Level: Low")
I want to check if Logwatch did really see those activities in vsftpd.log a few days ago.
it gives me EMPTY content ! (so Logwatch doesn't seem to parse the logs correctly)
Reporting with "ALL" in Range, gives me all the logs, correctly, INCLUDING those missed by Logwatch for a few days now:
Code:
scpej-hga [/var/log] # logwatch --range "All" --output stdout --service vsftpd
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Thu Aug 11 09:38:35 2022
Date Range Processed: all
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
--------------------- vsftpd-messages Begin ------------------------
[HERE IS A TON OF INFORMATION, EVERYTHING IS CHECKED AND IS OK !]
---------------------- vsftpd-messages End -------------------------
###################### Logwatch End #########################
So this works perfectly !
I wonder why Logwatch doesn't report with "-X days" interval.
Also, I don't think that it's a problem with "-X days", since Yesterday, it should have reported for "it's Yesterday" which was, from today's point of view, "-2 days ago".
So it's not a SYNTAX problem.
It's rather that Logwatch doesn't seem to detect LOG activity in those days (Aug 8 and Aug 9) in normal "Yesterday" mode and also in specifying "-X days" parameters.
The only keyword that seems to be working is "All".
Anyone have a guess, or should I file a bug report ?...
God knows how many other logs did I miss...
Thank you !
Last edited by AsgAnquietas; 08-11-2022 at 01:56 AM.
Hello,
I have a wierd problem with Logwatch. I've installed a VSFTPd server on my server machine for a few days now, because it is needed internally in our organization by some printers that can only scan to FTP folders. The only time I got a report from Logwatch for the VSFTPD Service was today, when in fact, there is ongoing FTP activity for a few days now !
Code:
scpej-hga [/var/log] # date
Thu 11 Aug 2022 09:41:11 AM EEST
I've got a Report for August 10th, which is OK. Logwatch is set up and vsftpd is loaded in the services sections of Logwatch. The issue is somewhat strange, and let me explain how: For a few days ago, I have constant activity in VSFTPD logs: Here is a sample of logs for Aug 10th, Aug 9th, Aug 8th: (the logfile also contains Downloads/Uploads, and so on, I only grepped "Connect" in order to shorten the Code Section in this post) - you get the ideea, I have valid logs, so no problems here.
Now, the problem is defined like this: I am curious WHY didn't Logwatch report me the activites Yesterday, and the day before, and so on...(Logwatch is set to send me emails on a daily basis with "Range: Yesterday" and "Detail Level: Low") I want to check if Logwatch did really see those activities in vsftpd.log a few days ago. If I specify with range:
it gives me EMPTY content ! (so Logwatch doesn't seem to parse the logs correctly) Reporting with "ALL" in Range, gives me all the logs, correctly, INCLUDING those missed by Logwatch for a few days now:
Code:
scpej-hga [/var/log] # logwatch --range "All" --output stdout --service vsftpd
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Thu Aug 11 09:38:35 2022
Date Range Processed: all
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
--------------------- vsftpd-messages Begin ------------------------
[HERE IS A TON OF INFORMATION, EVERYTHING IS CHECKED AND IS OK !]
---------------------- vsftpd-messages End -------------------------
###################### Logwatch End #########################
So this works perfectly ! I wonder why Logwatch doesn't report with "-X days" interval. Also, I don't think that it's a problem with "-X days", since Yesterday, it should have reported for "it's Yesterday" which was, from today's point of view, "-2 days ago". So it's not a SYNTAX problem. It's rather that Logwatch doesn't seem to detect LOG activity in those days (Aug 8 and Aug 9) in normal "Yesterday" mode and also in specifying "-X days" parameters. The only keyword that seems to be working is "All". Anyone have a guess, or should I file a bug report ?... God knows how many other logs did I miss...
I'd suggest reading the docs/man pages. Instead of double-quotes, single quotes (for the CLI you typed in) should be used to specify the range. And (AGAIN), you don't tell us what version/distro of Linux you're using, or tell us when you installed things. You said "a few days now", but you say the report for yesterday is fine...indicating things are working correctly.
1. I've read them. I didn't find anything useful. Like I said in other posts, when I stumble upon a problem, I try to resolve it first, for a few hours (reading docs, forums, manuals, testing, and so on...).
I post on forums only as a last resort.
2. Doesn't work with single quotes either.
If it would have worked, another problem would have arrisen: why the normal logwatch process doesn't see anything yesterday and the day before but sees when specifying the parameter. But, it doesn't work with parameters:
3. My bad, sorry: Ubuntu Server 20.04.4 LTS , Logwatch version: 7.5.2
4. I didn't realize so much info is required to debug. My mistake, sorry.
I've installed vsftpd on August 4th.
Starting with Aug 4, there are logs in my vsftpd.log and vsftpd.log.1 almost every day.
But I only got Logwatch report TODAY (for the "yesterday" interval).
5. I post on multiple forums because there are users which are here and not there and there are users that are there and not here. I post to increase my chances of someone seeing my problem. If it bothers you, I'm sorry.
I follow up threads and I am subscribed for instant notification via email.
6. I did not see any error messages, obviously. If I had seen messages, I would have debugged them first...
1. I've read them. I didn't find anything useful. Like I said in other posts, when I stumble upon a problem, I try to resolve it first, for a few hours (reading docs, forums, manuals, testing, and so on...). I post on forums only as a last resort.
2. Doesn't work with single quotes either. If it would have worked, another problem would have arrisen: why the normal logwatch process doesn't see anything yesterday and the day before but sees when specifying the parameter. But, it doesn't work with parameters:
3. My bad, sorry: Ubuntu Server 20.04.4 LTS , Logwatch version: 7.5.2
4. I didn't realize so much info is required to debug. My mistake, sorry. I've installed vsftpd on August 4th. Starting with Aug 4, there are logs in my vsftpd.log and sftpd.log.1 almost every day. But I only got Logwatch report TODAY (for the "yesterday" interval).
5. I post on multiple forums because there are users which are here and not there and there are users that are there and not here. I post to increase my chances of someone seeing my problem. If it bothers you, I'm sorry. I follow up threads and I am subscribed for instant notification via email.
6. I did not see any error messages, obviously. If I had seen messages, I would have debugged them first...
There is a good bit about specifying things that could be found that don't match what you posted here; if you had spent 'hours' looking, it's strange you didn't find those same things, or say what you tried. The parameters for CLI are different in syntax. The research you did (see point #1), should have told you this. And it's telling that you mention sftpd.log.1...because if you're using logrotate (are you???) and the logs get moved/zeroed, then what do you think logwatch will be able to find?? And sftpd is *NOT* vsftpd is it?? Why mention sftpd?
And it's not 'obvious' that you would have looked at any errors/messages first...we only know what you actually post, and we have to ask obvious details about your system before you tell us.
Also, for #3 and #4, asking a clear question and providing complete details needs to happen. Do you expect everyone to guess as far as what you're using, when it started, etc??? Same as you've been told before. Again, you seem to be omitting pieces of things (logrotate among them), and somehow expect us to know what's going on. You rarely follow up in your threads here, and if you're going to cross-post to multiple forums, it's fairly rude to have others elsewhere (or here) waste their time trying to help you, when you're just going to take an answer somewhere and move on, without ever following up/posting the solution.
As you can see, in "vsftpd.log", the logging starts from Aug 8th... I only received logwatch reports for vsftpd from Aug 10th...
The file is there, the logs are in it, but it seems that Logwatch doesn't parse the file completely, except when invoking "--range 'All'" parameter.
Again, my mistake: it's "vsftpd.log", not "sftpd.log" - I missed the first letter: "v".
I understand what you mean by follow up now. To post if the problem is solved. Well, sadly, my other problem is not solved. That's why I didn't follow up and then I went on doing something else.
As you can see, in "vsftpd.log", the logging starts from Aug 8th... I only received logwatch reports for vsftpd from Aug 10th...The file is there, the logs are in it, but it seems that Logwatch doesn't parse the file completely, except when invoking "--range 'All'" parameter.
...and except for the fact that it ran fine for yesterday's data, right??? You seem to be missing the obvious, in that you got a report from yesterday....which seems to indicate that things ARE working, and that the CLI (which takes different parameters) isn't giving you the same results. Which would indicate that the syntax of the CLI command isn't what it needs to be, or that the logs aren't where they need to be. You (again) don't post your logwatch configs, so we don't know what's going on. Had to guess about logrotate too.
Quote:
Again, my mistake: it's "vsftpd.log", not "sftpd.log" - I missed the first letter: "v". I understand what you mean by follow up now. To post if the problem is solved. Well, sadly, my other problem is not solved. That's why I didn't follow up and then I went on doing something else.
Yes, your other problem is solved; you said it yourself, and were handed a solution at least twice. Again, you've been using spamassassin for a good while now, and doing attachment checking is exactly what it's for.
And what about your other threads, where you ALSO didn't bother following up??? Others have also pointed out about cross-posting as well...not a good thing.
I have not played with logwatch. Have you tried running logwatch from the command line using --range today or --range yesterday?
Is logwatch configured for just vsftpd or multiple services? If more then one are you getting acceptable results for the other services?
Usually logwatch is configured to run from cron or maybe anacron on a daily basis. When it runs may affect the emailed output.
Quote:
Logwatch is set to send me emails on a daily basis with "Range: Yesterday" and "Detail Level: Low"
I assume your not posting the logwatch.conf verbatim but just in case the syntax is
Range=Yesterday
Detail=low
The default range settings are All, Yesterday and Today unless the Perl module Date:Manip is installed. I would assume it would be automatically installed but could be one reason why "-2 days" is not working as expected.
I have not played with logwatch. Have you tried running logwatch from the command line using --range today or --range yesterday?
Is logwatch configured for just vsftpd or multiple services? If more then one are you getting acceptable results for the other services? Usually logwatch is configured to run from cron or maybe anacron on a daily basis. When it runs may affect the emailed output.
I assume your not posting the logwatch.conf verbatim but just in case the syntax is
Code:
Range=Yesterday
Detail=low
The default range settings are All, Yesterday and Today unless the Perl module Date:Manip is installed. I would assume it would be automatically installed but could be one reason why "-2 days" is not working as expected.
+1 for the Date:Manip reference, which is why I asked the OP previously about any errors/messages they may have seen. Asked the OP about the config as well, but according to what they posted, they got a valid report for yesterday, when it ran automatically.
Personally, I suspect logrotate is in play, and the logs are just not there to report ON, but without information from the OP there's not much we can guess at.
########################################################
# This was written and is maintained by:
# Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
#
########################################################
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log
# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch
#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none
# Input Encoding
# Logwatch assumes that the input is in UTF-8 encoding. Defining CharEncoding
# will use iconv to convert text to the UTF-8 encoding. Set CharEncoding
# to an empty string to use the default current locale. If set to a valid
# encoding, the input characters are converted to UTF-8, discarding any
# illegal characters. Valid encodings are as used by the iconv program,
# and `iconv -l` lists valid character set encodings.
# Setting CharEncoding to UTF-8 simply discards illegal UTF-8 characters.
#CharEncoding = ""
# Default person to mail reports to. Can be a local account or a
# complete email address. Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed. For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.
# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom = Logwatch
# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with Range = All
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...
#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"
#
# With this option set to a comma separated list of hostnames, only log entries
# for these particular hosts will be processed. This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit = hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = myhost
#
# By default /var/adm is searched after LogDir.
#AppendVarAdmToLogDirs = 1
#
# By default /var/log is to be searched after LogDir and /var/adm/ .
#AppendVarLogToLogDirs = 1
#
# By default the current working directory is searched last after LogDir, /var/adm/, and /var/log/ .
#AppendCWDToLogDirs = 1
# vi: shiftwidth=3 tabstop=3 et
2. There are no error messages
3. Specifying Range=Yesterday and Range=Today works fine.
4. Because today is another day (Aug 12th), now, specifying "-2 days" also works. But specifying "-3 days" still doesn't work.
Basically, it's NOT a problem with the Syntax or with the ranges ! No problem with "-X days" or with "yesterday" or with "today".
The problem is that Logwatch doesn't pick up logs for a specific day, EVEN IF those logs are present in "vsftpd.conf" !
An example for today:
My vsftpd.log starts on Aug 8th:
Code:
scpej-hga [~] # head -3 /var/log/vsftpd.log
Mon Aug 8 05:51:05 2022 [pid 1527613] CONNECT: Client "192.168.1.182"
Mon Aug 8 05:51:05 2022 [pid 1527612] [scanhe] OK LOGIN: Client "192.168.1.182"
Mon Aug 8 05:51:05 2022 [pid 1527614] [scanhe] FAIL DOWNLOAD: Client "192.168.1.182", "/20220808043919693.pdf", 0.00Kbyte/sec
scpej-hga [~] #
So, normally, logwatch should pick up Aug 8, right ?
Doing interogation on Logwatch, as per following:
Code:
scpej-hga [~] # logwatch --range 'today' --output stdout --service vsftpd |head -10
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Fri Aug 12 10:29:45 2022
Date Range Processed: today
( 2022-Aug-12 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
scpej-hga [~] # logwatch --range 'yesterday' --output stdout --service vsftpd |head -10
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Fri Aug 12 10:29:54 2022
Date Range Processed: yesterday
( 2022-Aug-11 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
scpej-hga [~] # logwatch --range '-1 days' --output stdout --service vsftpd |head -10
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Fri Aug 12 10:30:00 2022
Date Range Processed: -1 days
( 2022-Aug-11 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
scpej-hga [~] # logwatch --range '-2 days' --output stdout --service vsftpd |head -10
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Fri Aug 12 10:30:07 2022
Date Range Processed: -2 days
( 2022-Aug-10 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: scpej-hga
##################################################################
scpej-hga [~] # logwatch --range '-3 days' --output stdout --service vsftpd |head -10
scpej-hga [~] # logwatch --range '-4 days' --output stdout --service vsftpd |head -10
scpej-hga [~] #
-3 days would have been 2022-Aug-09
-4 days would have been 2022-Aug-08
No report from Logwatch for those days !
Even if I have logs for those days !:
You have logrotate running, which manipulates the log files you're trying to read.
You get the correct results when you run it for a limited range.
Yet (somehow) there's a problem with logwatch??
We *STILL* understand what you're saying, so restating the problem adds nothing new...you need to think about what you're posting, though. You're even saying that, going forward, your range is expanding. EVERYTHING you're posting indicates that logwatch is running the way it should. Especially given the things from your (finally-provided) logwatch.conf (bold for emphasis):
Not processing files that logrotate is handlding, since # Archives = No
Detail is NOT set to high: Detail = Low
Have you checked /usr/share/logwatch/scripts/services/* for the appropriate vsftpd file? Because you have, Service = All, instead of specifying the service which you said you did.
I'm sorry, TB0ne, but I don't understand half of what you are saying...
"The automated report runs fine." - what automated report ? If you are reffering to the daily Logwatch, it also missed reporting vsftpd logs on Aug 8th and Aug 9th.
"You get the correct results when you run it for a limited range." - I don't know what you mean. When running with "--range '-X days'" it doesn't work OK for some specific days.
"Yet (somehow) there's a problem with logwatch??" - OF COURSE there is a problem with Logwatch. VSFTPD logs fine. Logwatch misses the logs for specific days...
"We *STILL* understand what you're saying, so restating the problem adds nothing new...you need to think about what you're posting, though" --- what ??? I don't know what you mean. I replied to another forum member, that's why I reposted. What's wrong with that ?
"EVERYTHING you're posting indicates that logwatch is running the way it should" --- it's obvious that you still don't understand the problem ! IT DOESN'T WORK OK !!!
"Not processing files that logrotate is handlding, since # Archives = No" --- ok, so what ? I need to process from vsftpd.log, which is not an archive.
"Detail is NOT set to high: Detail = Low" --- i've set it to High, still no results.
There are CLEARLY LOGS of VSFTPD in Aug 8th and Aug 9th, which Logwatch misses them.
"Have you checked /usr/share/logwatch/scripts/services/* for the appropriate vsftpd file?" --- yes, I checked the file.
"Because you have, Service = All, instead of specifying the service which you said you did." --- yes, I also have other services reported by Logwatch.
Here it's the vsftpd service file from Logwatch:
Code:
scpej-hga [~] # cat /usr/share/logwatch/default.conf/services/vsftpd.conf
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
Title = vsftpd-messages
# Which logfile group...
LogFile = vsftpd
# *OnlyService = vsftpd
*RemoveHeaders =
# Set this to 1 if you want to ignore unmatched FTP messages...
$vsftpd_ignore_unmatched = 0
# Set this to 1 if you want to ignore requests for robots.txt
$vsftpd_ignore_robots = 0
# NOTE: Be sure to add these to your FTP server's vsftpd.conf file:
# (NOT this logwatch configuration file)
# xferlog_enable=YES
# xferlog_std_format=YES
# dual_log_enable=YES
# vi: shiftwidth=3 tabstop=3 et
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Logwatch handler seems to not work correctly
