Home / server / Questions / 23962
In Process
Robert Munteanu
Asked: 2009-06-12 01:52:25 +0800 CST

Grouping vsftpd failures using logwatch

  • 772

I'm trying to compact the syslog entries from vsftpd with logwatch, to get from:

 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
 ... many many times

to

vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator : 125 time(s)

How can I do that?

ftp logwatch

3 Answers

  1. What version and distribution of Linux/Unix are you using and what version is logwatch? I am running Redhat 4 - logwatch 5.2.2, and in my vsftp script (/etc/log.d/scripts/services/vsftp) there is the following:

    if (keys %FailedLogins) {
   print "\nFailed FTP Logins:\n";
   foreach $ThisOne (keys %FailedLogins) {
      print $ThisOne . $FailedLogins{$ThisOne} . " Time(s)\n";
   }
}

    Earlier in the script it sums the failures for each user.

    • 1

  2. Upgrade logwatch. Newer logwatch scripts automatically do that.

    • 1

  3. uniq will do this for you: I don't think you can control the format, but you could easily fix that with awk.

    # echo -e "two\ntwo\none\ntwo\ntwo" | uniq -c
      2 two
      1 one
      2 two

    I'm assuming you don't care about timestamps, which you don't have on your examples.

    • 0