
I'm on Debian 10.4 and I have a fresh installation of logwatch. Everything works as expected, except that logwatch (ver. 7.5.0) outputs everything except the http logs report.

I ran logwatch with --debug med and in the debug output I saw:

  Preprocessing LogFile: http
  '/tmp/logwatch.hVSrPWg3/http-archive' '/var/log/apache2/www.anonicloud.ch_access.log.1' '/var/log/apache2/other_vhosts_access.log' '/var/log/apache2/www.anonicloud.ch_access.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/tmp/logwatch.hVSrPWg3/http

  Preprocessing LogFile: http-error
  '/var/log/apache2/error.log' '/var/log/apache2/www.anonicloud.ch_error.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate '\[%a %b %d %H:%M:%S(\.\d*)? %Y\] '| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '\[\w{3} \w{3} \d{2} \d\d:\d\d:\d\d(\.\d*)? \d{4}\] '>/tmp/logwatch.hVSrPWg3/http-error

... and ...

  Processing Service: http
  ( cat /tmp/logwatch.hVSrPWg3/http  |  /usr/bin/perl /usr/share/logwatch/scripts/services/http) 2>&1

  export LOGWATCH_LOGFILE_LIST='/var/log/apache2/error.log /var/log/apache2/www.anonicloud.ch_error.log '
  export LOGWATCH_ARCHIVE_LIST=''
  export LOGWATCH_LOGFILE_LIST='/var/log/messages '
  export LOGWATCH_ARCHIVE_LIST='/var/log/messages.1 /var/log/messages.2.gz /var/log/messages.3.gz '

So I argue that my http logfiles are correctly parsed.

But when I inspect the output I can't find any reference like for other services:

  # Why can't I find the same for http???
  --------------------- fail2ban-messages Begin ------------------------
  DEBUG: Inside Fail2Ban Filter
  ---------------------- fail2ban-messages End -------------------------

/usr/share/logwatch/default.conf/ignore.conf is empty (well, everything is commented out) and in my config files I haven't excluded anything.

Edit: I'm behind an nginx reverse proxy; on my Apache server I enabled mod_remoteip and replaced all %h with %a in the log file format.

Any clue is strongly appreciated.

1 Answer


Try with --detail High (or Med). It looks like the http script outputs almost nothing (connection attempts using mod_proxy, detected possible exploits, users successfully logged in) when --detail is not set (defaults to 0) or < 4. You can see it on SourceForge.

Samples:

  my $detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
  # ...
  if (($detail >4) and $total_hack_count) {
  # ...
  if (keys %ban_ip and $detail) {
  # ...
  if (keys %needs_exam and ($detail or $a5xx_resp)) {
  # ...
  # etc...
cdoublev
  • Hi cdoublev, welcome to serverfault. To have a better experience while troubleshooting, it's a good practice to link sources for your configuration recommendations or statements. – Leo Gallego Aug 07 '20 at 06:39
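
The detail gating described in the answer, as an added example that is not part of the original thread or logwatch's own code: shell functions that resolve the `Detail` setting from logwatch.conf-style files and evaluate the three conditions excerpted above. The function names, the constructed sample files, and the rule that the last `Detail =` line read wins are assumptions for illustration; Low/Med/High map to 0/5/10 as documented in the stock logwatch.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not logwatch code).

# Map a Detail value to a number: Low=0, Med=5, High=10, or a literal number.
detail_to_number() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        low)  echo 0 ;;
        med)  echo 5 ;;
        high) echo 10 ;;
        ''|*[!0-9]*) echo 0 ;;   # unset or unparsable: fall back to 0 (assumption)
        *)    echo "$1" ;;
    esac
}

# Print the last uncommented "Detail = X" found in the given files, in order.
# Assumption: a later file overrides an earlier one.
configured_detail() {
    awk -F= 'tolower($1) ~ /^[ \t]*detail[ \t]*$/ { v = $2; gsub(/[ \t\r]/, "", v); last = v }
             END { print last }' "$@"
}

# Evaluate the three conditions quoted in the answer for detail level $1,
# assuming $total_hack_count, %ban_ip and %needs_exam all hold data.
# $2 is 1 when $a5xx_resp is set, else 0.
passing_conditions() {
    d=$(detail_to_number "$1"); a5xx=${2:-0}; out=""
    [ "$d" -gt 4 ] && out="$out total_hack_count"                        # ($detail > 4) and $total_hack_count
    [ "$d" -gt 0 ] && out="$out ban_ip"                                  # keys %ban_ip and $detail
    { [ "$d" -gt 0 ] || [ "$a5xx" -ne 0 ]; } && out="$out needs_exam"    # $detail or $a5xx_resp
    echo "${out# }"
}

# Demo on constructed config files (not taken from a real system).
demo() {
    tmp=$(mktemp -d)
    printf '# Detail = High\nDetail = Low\n' > "$tmp/default.conf"
    printf 'Detail = Med\n' > "$tmp/local.conf"
    lvl=$(configured_detail "$tmp/default.conf")
    echo "default only: Detail=$lvl -> [$(passing_conditions "$lvl")]"
    lvl=$(configured_detail "$tmp/default.conf" "$tmp/local.conf")
    echo "with local:   Detail=$lvl -> [$(passing_conditions "$lvl")]"
    rm -rf "$tmp"
}
demo
```

With the level left at Low, none of the three conditions passes unless `$a5xx_resp` is set, which matches the empty http section described in the question.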