Improving Logwatch's Filters

The other day, I received a Logwatch report with the entries seen here:

1 --------------------- Selinux Audit Begin ------------------------
2
3  **Unmatched Entries**
4  audit(1153747669.300:2): selinux=0 auid=4294967295
5  audit(1153772914.553:3): dev=eth0 prom=256 old_prom=0 auid=4294967295
6  audit(1153772937.837:4): dev=eth0 prom=0 old_prom=256 auid=4294967295
7  audit(1153772938.077:5): dev=eth0 prom=256 old_prom=0 auid=4294967295
8
9 ---------------------- Selinux Audit End -------------------------

Sections beginning with **Unmatched Entries** correspond to log messages unknown to Logwatch. Line number 4 indicates that SELinux is turned off. Line 5 is logged when a network interface enters promiscuous mode, and line 6 is logged when it leaves promiscuous mode. To improve Logwatch and add support for those new log entries, all you have to do is to copy the script that parses the relevant logs to /etc/logwatch/scripts/services and add the missing functionality. This location takes precedence over the distribution's location.

[emoret@simca-1000 ˜]$ sudo mkdir -p /etc/logwatch/scripts/services
[emoret@simca-1000 ˜]$ sudo cp /usr/share/logwatch/scripts/services/audit /etc/logwat
ch/scripts/services

With a text editor, open the newly copied file and add new variable declarations to the top of the file:

my $NumberOfSELinuxOff = 0;
my %EnteringPromisc = (  );
my %LeavingPromisc = (  );

Then insert code to match the missing log lines. Locate the place where other lines are matched and add:

    } elsif ( $ThisLine =˜ /selinux=0/) {
      $NumberOfSELinuxOff++;
    } elsif ( $ThisLine =˜ /dev=(\S+) prom=256 old_prom=0/) {
      $EnteringPromisc{$1}++;
    } elsif ( $ThisLine =˜ /dev=(\S+) prom=0 old_prom=256/) {
      $LeavingPromisc{$1}++;

Note the use of parentheses ( ), which are used in Perl to refer to a matching substring. The first instance of parenthesis can be later referred to with $1, the second parenthesis with $2, and so on. The \S+ matches multiple nonblank characters.

Now, print the result:

if ( keys %EnteringPromisc || keys %LeavingPromisc ) {
    print "\n\n *** Promiscuous mode interfaces ***\n";
    if ( keys %EnteringPromisc ) {
        foreach my $key (sort keys %EnteringPromisc) {
            print "   $key entered promiscuous mode " . $EnteringPromisc{$key} . " tim
e(s)\n";
        }
    }
    if ( keys %LeavingPromisc ) {
        foreach my $key (sort keys %LeavingPromisc) {
            print "   $key left promiscuous mode " . $LeavingPromisc{$key} . " time(s)
\n";
        }
    }
}

if ($NumberOfSELinuxOff) {(
    print "\n Number of initializations with selinux turned off: ",$NumberOfSELinuxOff
," \n";
}

Test the changes by running Logwatch interactively:

 [emoret@simca-1000 ˜]$ sudo logwatch --service audit --range all --detail high \
--print

 ################### Logwatch 7.2.1 (01/18/06) ####################
        Processing Initiated: Fri Jul 28 12:30:28 2006
        Date Range Processed: all
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: simca-1000.secteam.juniper.net
  ##################################################################

 --------------------- Selinux Audit Begin ------------------------

  *** Promiscuous mode interfaces ***
    eth0 entered promiscuous mode 2 time(s)
    eth0 left promiscuous mode 1 time(s)

  Number of initializations with selinux turned off: 1

 ---------------------- Selinux Audit End -------------------------

###################### Logwatch End #########################