Hostnames in Logwatch reports

Where I work, we have a lot of servers to maintain and only 2 server admins (me and my colleague). We use Nagios to keep us informed about the server status and Logwatch to analyze the server logs on a daily basis.

Each server hosts a lot of subdomains/vhosts, and each of these virtual hosts writes to its own log (blog.jachim.be_access_log, www.jachim.be_error_log, etc…).

The log entries look like this:

192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /a/i/red_cube.png HTTP/1.0" 200 190
192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /a/i/search/search_icon.gif HTTP/1.0" 200 428
192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /index.php HTTP/1.0" 200 6541

When Logwatch merges all the httpd log files, the host information (in the log filename) is lost, resulting in Logwatch reports like this:

Requests with error response codes
    401 Unauthorized
       /: 4 Time(s)
       /a/i/blue_cube.png: 1 Time(s)
       /favicon.ico: 2 Time(s)
       /wp/login: 2 Time(s)
...

We actually want reports like this:

Requests with error response codes
    401 Unauthorized
       www.jachim.be/: 4 Time(s)
       jachim.be/a/i/blue_cube.png: 1 Time(s)
       blog.jachim.be/favicon.ico: 2 Time(s)
       blog.jachim.be/wp/login: 2 Time(s)
...

Now we have all the information we want and can fix possible problems much more easily.

Because this is not possible in Logwatch (see mailing list), I’ve added the hostname to the Apache logs instead.

I’ve added a new LogFormat named logwatch in httpd.conf:

LogFormat "%h %l %u %t \"%m %{Host}i%U%q %H\" %>s %b" logwatch

Now the new format is available and can be used in the Virtual Host:

CustomLog logs/www.jachim.be-access_log logwatch
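
The following is an added example, not part of the original post: a Python parser for lines written with the logwatch format above that counts error responses per host and path, as in the desired report. KNOWN_VHOSTS, the group labels and the sample lines are assumptions constructed for illustration; because %{Host}i records whatever Host header the client sent, values outside the known vhosts are grouped rather than reported as site names.

```python
import re
from collections import Counter

# Matches: %h %l %u %t "%m %{Host}i%U%q %H" %>s %b
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S*) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')

# Assumption: the vhosts this server really serves. %{Host}i is copied from
# the request, so any other value is grouped rather than reported as a site.
KNOWN_VHOSTS = {"www.jachim.be", "jachim.be", "blog.jachim.be"}

def split_target(target):
    """Split '<Host header><path><query>' into (host, path plus query)."""
    host, slash, rest = target.partition("/")
    host = host.lower().split(":")[0]  # normalise case, drop an optional :port
    if host in ("", "-"):              # Apache logs "-" when there is no Host
        host = "(no-host)"
    elif host not in KNOWN_VHOSTS:
        host = "(unknown-host)"
    return host, slash + rest

def error_report(lines):
    """Return (Counter of (status, host+path) for 4xx/5xx, unparsable count)."""
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            skipped += 1
            continue
        status = int(m.group("status"))
        if status >= 400:
            host, path = split_target(m.group("target"))
            counts[(status, host + path)] += 1
    return counts, skipped

# Constructed sample lines in the new format (not from a real log).
SAMPLE = """\
192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET www.jachim.be/ HTTP/1.0" 401 190
192.168.200.6 - - [10/Nov/2009:09:55:42 +0100] "GET www.jachim.be/ HTTP/1.0" 401 190
192.168.200.6 - - [10/Nov/2009:09:55:43 +0100] "GET BLOG.jachim.be:80/favicon.ico HTTP/1.1" 401 -
192.168.200.6 - - [10/Nov/2009:09:55:44 +0100] "GET -/index.php HTTP/1.0" 404 210
192.168.200.6 - - [10/Nov/2009:09:55:45 +0100] "GET example.invalid/admin HTTP/1.1" 403 199
192.168.200.6 - - [10/Nov/2009:09:55:46 +0100] "GET www.jachim.be/index.php?p=1 HTTP/1.1" 200 6541
this line is not in the logwatch format
""".splitlines()

if __name__ == "__main__":
    print(error_report(SAMPLE))
```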


  • Geirge

    The line that reads:

    LogFormat "%h %l %u %t \"%m %{Host}i%U%q %H\" %>s %b" logwatch

    should read

    LogFormat "%h %l %u %t \"%m %{Host}i%U%q %H\" %>s %b" logwatch

    Annoyingly, the format isn’t being used, even though I have the CustomLog using the logwatch format and have restarted apache!

  • Geirge

    Ack. Annoying. The article has “PERCENT AMPERSAND G T SEMICOLON” showing, instead of &>s, yet when I copy it into a comment, it renders OK.

    Hopefully everybody gets the idea.

  • Hi Geirge, Thanks for the comments.

    There was a problem with the pre and code tags. It’s fixed now.

  • “Because this is not possible in Logwatch (see mailing list),” is no longer true. Try this (works for me):
    Define LogFormat in your httpd.conf as LogFormat "%h %t [%V] \"%r\" %>s \"%{Referer}i\"" (that’s my desired format) and then put $LogFormat "%h %t [%V] \"%r\" %>s \"%{Referer}i\"" in your services/http.conf LogWatch file. That will a) make Apache put the hostname (canonical or not, it depends if you use %v or %V) and then be “understood” by LogWatch while parsing the files.

  • Alright! Will definitely have a look at this.
