Logwatch, socklog and svlogd

Updated
Tagged
logwatch runit socklog

Runit is a great package that provides process supervision and can be used as a replacement for ‘sysvinit’. The author of the package has also made a syslogd replacement called socklog which works well with runit.

Logwatch is a collection of scripts that can be used to notify you of changes to your logs. Out of the box on a Debian machine, though, logwatch will not be able to read all the logs spat out by socklog. The default setup produces logs that have the log facility and level appended to the log entry and the hostname removed:

authpriv.info: Aug 21 20:45:44 sshd: pam_unix(sshd...

The following configs should be placed in the /etc/logwatch directory so they are not overwritten on package upgrades:

conf/logfiles/messages.conf

LogFile = 
Archive = 
LogFile = socklog/*/current
Archive = socklog/*/@*

*RemoveFacility
*ExpandRepeats
*RemoveService = talkd,telnetd,inetd,nfsd,/sbin/mingetty
*ApplyStdDate

conf/logfiles/syslog.conf

Logfile = 
Archive = 
LogFile = socklog/*/current
Archive = socklog/*/@*

*RemoveFacility
*ExpandRepeats
*RemoveService = talkd,telnetd,inetd,nfsd,/sbin/mingetty
*ApplyStdDate

conf/logfiles/secure.conf

LogFile = 
Archive = 
LogFile = socklog/auth/current
Archive = socklog/auth/@*

*RemoveFacility
*ExpandRepeats
*ApplyStdDate

conf/logfiles/maillog.conf

LogFile =
LogFile = socklog/mail/current
Archive =
Archive = socklog/mail/@*

*RemoveFacility

conf/logfiles/kernel.conf

LogFile = socklog/kern/current
Archive = socklog/kern/@*
*RemoveFacility
*ExpandRepeats
*ApplyStdDate

There may be others needed for your own system. All these configurations reference the script RemoveFacility does the bit of removing the facility and level from each log entry.

scripts/shared/removefacility

1
2
3
4
5
6
7
8
9
# removes the facility and level from logfiles generated by socklog
if ( $ENV{'LOGWATCH_DEBUG'} > 4 ) {
   print STDERR "DEBUG: Inside RemoveFacility\n";
}

while (defined($ThisLine = <STDIN>)) {
   $ThisLine =~ s/^[a-z]+.[a-z]+: //i;
   print $ThisLine;
}

and also the onlyhost script which is used to restrict entries by host but since the hostname is not even there we just return them all:

scripts/shared/onlyhost

1
2
3
4
5
6
use strict;

my $line;
while (defined($line = <STDIN>)) {
    print $line;
}