Grouping vsftpd failures using logwatch

Question

I'm trying to compact the syslog entries from vsftpd with logwatch, to get from:

 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 ... many many times

to

vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator : 125 time(s)

How can I do that?

score 1 · Answer 1 · answered Jun 26 '09 at 18:46

What version and distribution of Linux/Unix are you using and what version is logwatch? I am running Redhat 4 - logwatch 5.2.2, and in my vsftp script (/etc/log.d/scripts/services/vsftp) there is the following:

if (keys %FailedLogins) {
   print "\nFailed FTP Logins:\n";
   foreach $ThisOne (keys %FailedLogins) {
      print $ThisOne . $FailedLogins{$ThisOne} . " Time(s)\n";
   }
}

Earlier in the script it sums the failures for each user.

score 1 · Answer 2 · answered Jul 11 '09 at 02:55

1

Upgrade logwatch. Newer logwatch scripts automatically do that.

answered Jul 11 '09 at 02:55

Saurabh Barjatiya

4,703
2
30
34

Thanks for the answer. I'm running logwatch-7.3-6.el5 . Which version should I upgrade to? – Robert Munteanu Jul 11 '09 at 11:45
I am also having same logwatch version. (Logwatch 7.3.6 (released 05/19/07)). But my scripts do have for each code to sum up all errors as listed in one of the answers. Try downloading latest logwatch from net in source code format. Do not use standard yum update. That should work fine. I use fedora and mine is standard package that came with fedora 11. – Saurabh Barjatiya Jul 11 '09 at 13:17

score 0 · Answer 3 · answered Jun 11 '09 at 11:39

0

uniq will do this for you: I don't think you can control the format, but you could easily fix that with awk.

# echo -e "two\ntwo\none\ntwo\ntwo" | uniq -c
      2 two
      1 one
      2 two

I'm assuming you don't care about timestamps, which you don't have on your examples.

answered Jun 11 '09 at 11:39

David Pashley

23,497
2
46
73

Thanks for the answer. How would this fit in logwatch? – Robert Munteanu Jun 11 '09 at 11:49

Grouping vsftpd failures using logwatch

3 Answers3