Logwatch Iptables Tweak

Logwatch is a great program, used by sysadmins everywhere. As part of it’s output, it shows any packets logged by iptables.

I have iptables set to log dropped packets, as it makes it FAR easier to debug server access issues. However, logwatch on RHEL/CentOS (and possibly other distributions) likes to report a nice big list of every single access attempt. As an example:

Logged 152 packets on interface eth2
  From 8.31.57.109 - 1 packet to udp(1026)
  From 10.128.75.2 - 1 packet to udp(1434)
  From 21.197.212.79 - 1 packet to udp(1026)
  From 24.64.176.243 - 3 packets to udp(1026,1027,1028)
  From 24.64.178.77 - 3 packets to udp(1026,1027,1028)

This can get annoying if you have lots of packets dropped (eg: junk coming off my cable modem), as you have to scroll down 5 pages of log.

If you want to turn off this long list, and just see “Logged 152 packets on interface eth2”, you can make a minor tweak to the logwatch script to do this.

CentOS 4
Open the file “/etc/log.d/scripts/services/kernel”, and turn line 250 (or the line near there) into a comment by adding a # in front of it. Eg:

Line 250:   # print $outputMain;

CentOS 5
Open the file “/usr/share/logwatch/scripts/services/iptables”, and change line 217 (or the one near there) into a comment by adding a # in front of it. Eg:

Line 217:   # print $outputMain;

Other?
Using another distribution? See if either of the above applies for you, otherwise just look around for either a kernel or iptables service in the logwatch scripts directory. Use your package manager to help find where the files are. :-)