
I rely on logwatch to get information about my production servers. Unfortunately, two sections provide too much information:

 Attempts to use known hacks by 656 hosts were logged 1796 time(s)
 from:
     xxx.xxx.xxx.xx: 39 Time(s)
        /\.\./\.\./\.\./ 39 Time(s)
     xx.x.x.x.x: 24 Time(s)
        ^null$ 24 Time(s)
     x.x.x.x.x: 16 Time(s)
        ^null$ 16 Time(s)

How can I remove the entries that show me a ^null$ attack? I have hundreds of them and will not follow up on them anyway.

I also want to remove the list of 656 IPs that follow this entry:

A total of 656 sites probed the server

Can you point me to a solution?

caliph

1 Answer


I had this same issue with my Ubuntu system. The logwatch reports were way too long, and these two sections were especially bad. After looking around for a configuration change and not finding anything, I decided to delve into the program itself. It is written in Perl, and the relevant file is /usr/share/logwatch/scripts/services/http. Search for the strings "known hacks" and "probed the server" and simply comment out those sections of the code. Worked like a charm for me.
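An alternative that does not require patching the shipped Perl script is to post-filter the finished report. The following is an added example and is not part of logwatch or of the answer above: it reads a logwatch text report, drops every per-host entry under "Attempts to use known hacks" whose only pattern is ^null$, recomputes the host and hit counts in that header, and removes the IP list after "A total of N sites probed the server". The header and entry layout it parses is taken from the question above; the assumption that the probed-IP list is printed as lines indented under the "A total of" header is mine, as is the sample report (constructed, using documentation addresses) at the top of the block.

```python
"""Post-filter for a logwatch text report (added example, not logwatch code).

Usage:  logwatch --output stdout ... | python3 logwatch_filter.py

Layout assumptions: under "Attempts to use known hacks ... from:" each host
line is indented, with its attack patterns indented one level deeper; after
"A total of N sites probed the server" the IPs follow as indented lines.
"""
import re
import sys

# " Attempts to use known hacks by 656 hosts were logged 1796 time(s)"
HACKS_RE = re.compile(
    r"^(\s*Attempts to use known hacks by )(\d+)( hosts were logged )(\d+)( time\(s\).*)$")
PROBED_RE = re.compile(r"^\s*A total of \d+ sites probed the server")
# "<host>: N Time(s)" or "<pattern> N Time(s)"; group 1 is the host/pattern text
ENTRY_RE = re.compile(r"^\s*(.+) (\d+) Time\(s\)\s*$")

# Constructed sample in the layout shown in the question (not a real report).
SAMPLE_REPORT = "\n".join([
    " --------------------- httpd Begin ------------------------ ",
    "",
    " Attempts to use known hacks by 3 hosts were logged 79 time(s)",
    " from:",
    "     192.0.2.10: 39 Time(s)",
    r"        /\.\./\.\./\.\./ 39 Time(s)",
    "     198.51.100.7: 24 Time(s)",
    "        ^null$ 24 Time(s)",
    "     203.0.113.5: 16 Time(s)",
    "        ^null$ 12 Time(s)",
    "        /etc/passwd 4 Time(s)",
    "",
    " A total of 3 sites probed the server",
    "     192.0.2.10",
    "     198.51.100.7",
    "     203.0.113.5",
    "",
    " ---------------------- httpd End ------------------------- ",
]) + "\n"


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def filter_report(text, drop_patterns=("^null$",)):
    """Return the report with the noisy entries removed.

    drop_patterns are compared literally against the pattern text logwatch
    printed (e.g. '^null$'); they are not used as regular expressions.
    """
    out = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HACKS_RE.match(line)
        if m:
            header_indent = _indent(line)
            i += 1
            section = []
            if i < len(lines) and lines[i].strip() == "from:":
                section.append(lines[i])
                i += 1
            # Collect (host_line, [attack_lines]) until a blank/outdented line.
            hosts = []
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > header_indent:
                cur = lines[i]
                if hosts and _indent(cur) > _indent(hosts[-1][0]):
                    hosts[-1][1].append(cur)
                else:
                    hosts.append((cur, []))
                i += 1
            kept_hosts, kept_hits, body = 0, 0, []
            for host_line, attacks in hosts:
                keep, host_hits, dropped = [], 0, False
                for a in attacks:
                    em = ENTRY_RE.match(a)
                    if em and em.group(1) in drop_patterns:
                        dropped = True
                        continue
                    keep.append(a)
                    if em:
                        host_hits += int(em.group(2))
                if not keep:
                    continue  # host only had dropped patterns: remove it entirely
                hm = ENTRY_RE.match(host_line)
                if dropped and hm:  # re-count the host line after partial removal
                    host_line = host_line[:hm.start(2)] + str(host_hits) + host_line[hm.end(2):]
                kept_hosts += 1
                kept_hits += host_hits
                body.append(host_line)
                body.extend(keep)
            out.append(f"{m.group(1)}{kept_hosts}{m.group(3)}{kept_hits}{m.group(5)}")
            if kept_hosts:
                out.extend(section)
                out.extend(body)
            continue
        if PROBED_RE.match(line):
            out.append(line)  # keep the summary line, drop the indented IP list
            header_indent = _indent(line)
            i += 1
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > header_indent:
                i += 1
            continue
        out.append(line)
        i += 1
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    sys.stdout.write(filter_report(sys.stdin.read()))
```

Running the sample through the filter leaves the header reading "by 2 hosts were logged 43 time(s)", drops the host that only sent ^null$, re-counts the host that sent both ^null$ and /etc/passwd, and keeps only the "A total of 3 sites probed the server" summary. If you do prefer the answer's approach of editing the Perl, note that a modified /usr/share/logwatch/scripts/services/http is replaced on the next package upgrade; logwatch consults /etc/logwatch/scripts/services/ before /usr/share/logwatch/scripts/services/, so a copy of the edited script placed there survives upgrades.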