I have a CentOS 5.6 system, which runs Logwatch.
If I perform a security scan (Nessus) against this host, it produces unnecessary noise in the Logwatch output. I'd like to run these security scans regularly, from an internal IP and an external IP, without generating unnecessary noise about the security scans.
Since I know the IPs of these hosts, can I prevent this output from showing up in the Logwatch output?
--------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       root (scan1.example.org): 1 Time(s)
       unknown (scan1.example.org): 1 Time(s)
    Invalid Users:
       Unknown Account: 1 Time(s)

 --------------------- SSHD Begin ------------------------

 Failed logins from:
    192.168.100.1 (scan1.example.org): 1 time
 Illegal users from:
    X.Y.123.123 (scan2.example.org): 1 time

 **Unmatched Entries**
    pam_succeed_if(sshd:auth): error retrieving information about user admin : 1 time(s)
    fatal: Write failed: Connection reset by peer : 1 time(s)
Best Answer
Logwatch provides the *Remove shared script, which will tell Logwatch to ignore lines which contain a particular string (e.g. grep -v), before they are processed later on.

1. Copy /usr/share/logwatch/default.conf/services/sshd.conf to /etc/logwatch/conf/services/sshd.conf
3. Now, no logwatch messages are generated for these hosts.
I couldn't do this with ignore.conf. I cannot come up with a regular expression which will allow Logwatch to print messages about attacks from evil domains:
While hiding messages generated by friendly scanners:
Background:

The Logwatch methods to do this are very poorly documented, and are not well googleable.

The shared script at /usr/share/logwatch/scripts/shared/remove will perform an inverse grep on a string. /usr/share/doc/logwatch-*/HOWTO-Customize-LogWatch documents how to execute these scripts:
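What the *Remove step does to the raw sshd log, as an added shell emulation that is not Logwatch's own remove script (which is Perl) nor part of the answer above; the log lines, the placeholder external scanner address 198.51.100.9 and the function names are constructed for this example. Each scanner string would correspond to one directive in /etc/logwatch/conf/services/sshd.conf of the form *Remove = "192.168.100.1" (the quoted-string form is how I know the HOWTO describes it; the page does not preserve that line).

```shell
#!/bin/sh
# Emulation of what Logwatch's *Remove shared script does to the sshd log
# before the service script sees it: an inverse grep for a fixed string.
# Not Logwatch's own code; every log line below is constructed.

# Constructed sshd log lines. 192.168.100.1 is the internal scanner from the
# question; 198.51.100.9 stands in for the external one (placeholder, not
# the real address); 203.0.113.77 is an unknown host that must stay visible.
SAMPLE_LOG='Mar  1 02:00:01 host sshd[1001]: Failed password for root from 192.168.100.1 port 40000 ssh2
Mar  1 02:00:02 host sshd[1002]: Invalid user admin from 198.51.100.9
Mar  1 02:00:03 host sshd[1003]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Mar  1 02:05:00 host sshd[1010]: Failed password for invalid user oracle from 203.0.113.77 port 51234 ssh2'

# One string per authorised scanner, i.e. one *Remove directive each.
SCANNERS='192.168.100.1
198.51.100.9'

# remove_scanner_lines: drop every input line containing one of the scanner
# strings, exactly as grep -v would; -F keeps the dots literal so an
# address cannot accidentally match a different one.
remove_scanner_lines() {
    patterns=$(mktemp)
    printf '%s\n' "$SCANNERS" > "$patterns"
    grep -F -v -f "$patterns"
    rm -f "$patterns"
}

# count_reported: how many lines would still reach the Logwatch report.
count_reported() {
    printf '%s\n' "$SAMPLE_LOG" | remove_scanner_lines | wc -l | tr -d ' '
}

# Two lines survive: the unknown host's attempt, as required, but also the
# pam_succeed_if line, because sshd logs it without the client address, so
# a host string can never match it and it still shows up under
# "Unmatched Entries" in the report.
count_reported
```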