Re: How to get logwatch to ignore something

To: Linux Debian Mailing List <debian-user@lists.debian.org>
Subject: Re: How to get logwatch to ignore something
From: David Guntner <david@guntner.com>
Date: Mon, 12 Aug 2013 08:56:11 -0700
Message-id: <[🔎] 5209059B.4050505@guntner.com>
In-reply-to: <[🔎] 5209035D.4040109@guntner.com>
References: <[🔎] 5209035D.4040109@guntner.com>

[Following up to myself]

David Guntner grabbed a keyboard and wrote:
> Since upgrading to Wheezy, I've had the following entries showing up in
> my morning logwatch E-Mail:
> 
>> --------------------- Dovecot Begin ------------------------ 
>>
>>  Dovecot disconnects:
>>     Inactivity: 27 Time(s)
>>     Inactivity (tried to use disallowed plaintext auth): 2 Time(s)
>>     Logged out in=1115 out=13676: 1 Time(s)
>>     Logged out in=12173 out=351935: 1 Time(s)
>>     Logged out in=1272 out=27883: 1 Time(s)
>>     Logged out in=1303 out=25234: 1 Time(s)
>>     Logged out in=1337 out=25064: 1 Time(s)
>>     Logged out in=1419 out=30466: 1 Time(s)
>>     Logged out in=1527 out=13360: 1 Time(s)
>>     [...]
> 
> Now, the way those entries are showing up in the syslog looks like this:
> 
>> Aug 11 09:12:48 janet dovecot: imap({username}): Disconnected: Logged out in=1714 out=32525
>> Aug 11 09:56:55 janet dovecot: imap({username}): Disconnected: Logged out in=2348 out=48815
>> Aug 11 13:06:15 janet dovecot: imap({username}): Disconnected: Logged out in=2566 out=44455
>> [...]
> 
> "{username}" is just me blanking out the username that appeared there.  :-)
> 
> Now, for the topper, here's what's in /etc/logwatch/conf/ignore.conf:
> 
>> dovecot: .*Connection closed in=
>> dovecot: .*Logged out in=
>> dovecot: .*Disconnected for inactivity in=
> 
> So, the $64,000 question is:  Why are those entries showing up in the
> report??  What am I missing here? :-)
> 
> (It's all the "logged out" messages I'm trying to ignore.)

Ok, upon further searching around, I think I found the problem.  It
looks like the config file location for the program moved somewhere
along the way.  It's no longer using /etc/logwatch (I *thought* that
directory seemed kinda empty other than my lone ignore.conf file which
had been there; it probably didn't get removed because it knew I had
modified the file), but is now in /usr/share/logwatch/default.config.
Which strikes me as a rather strange place to put config files....  I'll
put my entries in the ignore.conf file there and see if that takes care
of it.

               --Dave

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to:

Follow-Ups:
- Re: How to get logwatch to ignore something
  - From: Bob Proulx <bob@proulx.com>

References:
- How to get logwatch to ignore something
  - From: David Guntner <david@guntner.com>

Prev by Date: How to get logwatch to ignore something
Next by Date: Re: How to apply patch?
Previous by thread: How to get logwatch to ignore something
Next by thread: Re: How to get logwatch to ignore something
Index(es):
- Date
- Thread