--- a/config.lua Sun Apr 12 22:19:54 2009 +0300
+++ b/config.lua Sun Apr 12 23:27:15 2009 +0300
@@ -4,28 +4,57 @@
--
-- match all lines and output them as-is
-local function logwatch_filter_all ()
- return { pat=nil, fmt=nil }
+local function logwatch_filter_all (name)
+ return { name=name }
end
-- match using a regex pattern, but output the full line
-local function logwatch_filter_raw (pat)
- return { pat=pat, fmt=nil }
+local function logwatch_filter_raw (name, pat)
+ return { name=name, pat=pat }
end
-- match using a regexp pattern, and output a formatted line
-local function logwatch_filter (pat, fmt)
- return { pat=pat, fmt=fmt }
+local function logwatch_filter (name, pat, fmt)
+ return { name=name, pat=pat, fmt=fmt }
end
+-- match using a regexp pattern, and do *not* output
+local function logwatch_filter_blackhole (name, pat)
+ return { name=name, pat=pat, channel_is_null=true }
+end
+
+logwatch_timestamp_pat = "\\w{3} [0-9 ]\\d \\d{2}:\\d{2}:\\d{2}"
+
-- match auth.log sudo entries
-local function logwatch_filter_sudo ()
- return logwatch_filter(
- "(?P<hostname>\\S+)\\s+sudo:\\s*(?P<username>\\S+) : TTY=(?P<tty>\\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target_user>\\S+) ; COMMAND=(?P<command>.*)",
+local function logwatch_filter_sudo (name)
+ return logwatch_filter(name,
+ "^" .. logwatch_timestamp_pat .. " (?P<hostname>\\S+)\\s+sudo:\\s*(?P<username>\\S+) : TTY=(?P<tty>\\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target_user>\\S+) ; COMMAND=(?P<command>.*)$",
"{username}:{tty} - {target_user}@{hostname}:{pwd} - {command:r}"
)
end
+-- filter out the prefixed timestamp from lines
+local function logwatch_filter_strip_timestamp (name)
+ return logwatch_filter(name,
+ "^" .. logwatch_timestamp_pat .. " (?P<line>.+)$",
+ "{line}"
+ )
+end
+
+-- filter out auth.log cron messages
+local function logwatch_filter_no_cron (name)
+ return logwatch_filter_blackhole(name,
+ "^" .. logwatch_timestamp_pat .. " \\S+\\s+(CRON|su)\\[\\d+\\]: pam_unix\\(\\w+:\\w+\\): session (opened|closed) for user \\w+( by \\(uid=\\d+\\))?$"
+ )
+end
+
+-- filter out auth.log 'su for nobody by root' messages
+local function logwatch_filter_no_su_nobody (name)
+ return logwatch_filter_blackhole(name,
+ "^" .. logwatch_timestamp_pat .. " \\S+\\s+su\\[\\d+\\]: (Successful su for nobody by root|\\+ \\?\\?\\? root:nobody)$"
+ )
+end
+
--
-- Procedural config
--
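Review bot: The sudo pattern on L36 splits fields on literal ` ; USER=` and ` ; COMMAND=`, but both `PWD` and `COMMAND` are chosen by the invoking user, so a working directory such as `/tmp/x ; USER=root ; COMMAND=` (or a command argument containing the same text) shifts the field boundaries and makes the formatted `{target_user}`/`{command}` report attacker-chosen values; switching the lazy `.+?` to a greedy `.+` only moves the problem to the command side, since there is no delimiter the user cannot reproduce. The pattern should carry a comment such as `-- NOTE: PWD and COMMAND are user-controlled and unescaped by sudo; a " ; USER=" inside either shifts the captures, so the formatted line is not a reliable audit record - keep the raw line reachable for verification`, and readers of the channel should be told the same. Separately, `logwatch_timestamp_pat` on L28 is the only definition in this group without `local`, so it becomes a global of the config's environment; if it is not meant to be shared with other files, `local logwatch_timestamp_pat = ...` keeps it consistent with the helpers around it.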
@@ -71,8 +100,14 @@
module:conf("source_fifo", fifo_path)
source_name = fifo_path
- for filter_name, filter in pairs(settings.filters) do
- module:conf("filter", filter_name, source_name, filter.pat, filter.fmt, settings.channel)
+ for i, filter in ipairs(settings.filters) do
+ if filter.channel_is_null then
+ channel = nil
+ else
+ channel = settings.channel
+ end
+
+ module:conf("filter", filter.name, source_name, filter.pat, filter.fmt, channel)
end
end
end
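Review bot: `channel` on L72 and L74 is assigned without `local`, so the loop writes a global (or clobbers any enclosing `channel`) on every iteration, and a stale value could leak into later code that reads the same name. Declare it inside the loop body, e.g. `local channel = nil` followed by `if not filter.channel_is_null then channel = settings.channel end`, which also reads more directly than the if/else. The unused loop index on L70 would conventionally be `_` rather than `i`. The enclosing function starts before this hunk.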
@@ -116,11 +151,13 @@
channel = "PVLNet/#test",
filters = {
- ["test.foo"] = logwatch_filter_raw("foo"),
- ["test.sudo"] = logwatch_filter_sudo(),
+ logwatch_filter_raw ("test.foo", "foo" ),
+ logwatch_filter_sudo ("test.sudo" ),
+ logwatch_filter_no_cron ("test.no_cron" ),
+ logwatch_filter_no_su_nobody ("test.no_cron_su" ),
+ logwatch_filter_strip_timestamp ("test.all" )
}
},
},
}
-
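Review bot: With the switch from `pairs` to `ipairs` in the config loader, the order of this list is now load-bearing, yet nothing in the hunk says so; whether the two blackhole entries actually suppress anything when `test.all` follows and matches every line depends on first-match semantics in the module that are not visible here. A comment at the top of the list such as `-- order matters: filters are registered in list order; blackhole entries must precede the catch-all` would make the intent explicit, assuming that is how the module treats them. The name `test.no_cron_su` on L89 also does not describe the su-for-nobody filter it labels; `test.no_su_nobody` would match its helper.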