How can I make sense of....

[lamp]

Hello,

How can I make sense of my LogWatch logs.... What do all of these unmatched entries mean... Is there any docs out there? or has anyone seen these things before.

For instance I got the following:

--------------------- courier-mta Begin ------------------------
**Unmatched Entries**
Authenticated user=username domain=domain.com host=localhost [127.0.0.1]:
25 Time(s)
Logout user=??? domain=??? host=UNKNOWN: 39 Time(s)
---------------------- courier-mta End ------------------------- ------

--------------------- Kernel Begin ------------------------
Dropped 3317 packets on interface eth0
From 24.176.15.169 - 2 packets to tcp(5000)
From 24.209.115.120 - 1 packet to tcp(5000)
From 24.239.159.142 - 8 packets to tcp(901,901,901,901,901,901,901,901)
From 24.254.81.174 - 18 packets to tcp(1025,2745,6129,1025,2745,6129)
.... Hundreds more... (I guess this is APF working...)
--------------------- Kernel End ------------------------

--------------------- Named Begin ------------------------
**Unmatched Entries**
client 132.206.27.51 error sending response: host unreachable: 160 Time(s)
client 132.216.77.249 error sending response: host unreachable: 95 Time(s)
client 132.216.77.250 error sending response: host unreachable: 142 Time(s)
client 68.6.16.28 error sending response: host unreachable: 1 Time(s)
---------------------- Named End ------------------------


--------------------- proftpd-messages Begin ------------------------
**Unmatched Entries**
matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
matrix.aladin.ca (127.0.0.1[127.0.0.1]) - FTP login timed out, disconnected
... Hundreds more ...
--------------------- proftpd-messages End ------------------------


Thanks (as always)

Lamp

[ctbhost]

i have simar - and would like to know what they all mean - can someone please advise

[picoyak]

Far as I can figure...

Reporting for logwatch is processed via scripts located at /etc/log.d/scripts/services/. When logwatch runs, it process your log files with these scripts and looks for criteria that will match output descriptions.

For instance, if logwatch was looking through /var/log/messages, then it's looking for things such as 'Connection Refused' or 'Timeout From'. Stuff like that. For each service that logwatch processes, it will look for all messages pertaining to that service.

So let's say logwatch is processing sshd messages out of /var/log/messages and running them through the script /etc/log.d/scripts/services/sshd. It'll hunt down everything related to sshd in /var/log/messages and process it, then create an output section of the logwatch message based on the rules in that script. Now if there are items in /var/log/messages that have no description defined in the sshd script then those are reported as Unmatched Entries. They may be things you want to look closer at, or they may be things that you want to add a custom filter in for logwatch to parse or not report at all.

Personally I haven't bothered with customizing logwatch output or filtering. Dunno whether that's good or bad. I'd love to hear other opinions on that myself