From 35cdd91089d3e04b4ce01d1fef246f3add91fad3 Mon Sep 17 00:00:00 2001 From: Asif Bacchus Date: Thu, 27 Sep 2018 18:54:08 -0600 Subject: [PATCH] Initial Logwatch integration readme --- etc/logwatch/README.md | 243 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 243 insertions(+) create mode 100644 etc/logwatch/README.md diff --git a/etc/logwatch/README.md b/etc/logwatch/README.md new file mode 100644 index 0000000..5d83c5b --- /dev/null +++ b/etc/logwatch/README.md @@ -0,0 +1,243 @@ +# Using Logwatch to monitor Cloudflare DDNS updater script + +The Cloudflare DDNS update script's log file has been setup so that utilities +like Logwatch can easily parse it. In order to make that happen, a LogFile +group file, service and script have to be created for Logwatch to generate +reports. The correct (general) directory structure has been created in this git +archive already. Below are the details of each file. + +## LogFile Group file (/etc/logwatch/conf/logfiles/cfddns.conf) + +### Log file location + +This file is commented so you can update it as necessary for your environment +(i.e. you've changed the name of the log file generated by the script via the -l +parameter). + +```Ini +LogFile = /path/to/your/cfddns.log +... +``` + +Update this needed to point to the location and name of the log file generated +by the updater script. Remember, by default, the log file is created in the +same directory as the script itself. Best practices suggest you use the *-l* +flag to change this location to something like */var/log/cfddns.log*, for +example. In that case, the entry would look like: + +```Ini +LogFile = /var/log/cfddns.log +... +``` + +### Archive location and name format + +If you want Logwatch to process old (archived) log files generated by something +like *Logrotate*, then you have to specify that location and file name format of +those files. I've included the generalized compressed format of such rotated +files as the default in the script. Suppose you store your log files in the +recommended location (*/var/log/*) and are using *Logrotate* with compression +enabled, the archive line would look like: + +```Ini +... +Archive = /var/log/cfddns.log.?.gz +... +``` + +This would tell Logwatch, when the archive option is set to true, that your +*cfddns.log* files are archived as: *cfddns.log.1.gz*, *cfddns.log.2.gz*, etc. +and are all located in */var/log/*. + +**Note: This line is totally optional and only used if you set the archive +option in Logwatch to true. You can comment/delete this line if you wish.** + +### External script for timestamp processing + +Since the log file uses a non-standard (according to Logwatch) method of +time-stamping, a custom filter had to be created. See the relevant section of +this document for more information. + +The script file is called with an *\** before the filename. + +```Ini +... +*sqFullStampAnywhere +... +``` + +If you change the name of this file, you will have to change this line. +Remember that whatever you type here as a name is converted to all-lowercase +so your filename should be all lowercase also. + +## Service definition file (/etc/logwatch/conf/services/cfddns.conf) + +### LogFile group definition +The service file needs to know what group of log file it is responsible for +processing. This MUST match the name of your *LogFile Group file*: + +```Ini +LogFile = cfddns +... +``` + +If you change your LogFile Group filename, then update it here too without the +*.conf* extension. + +### Report title +The Logwatch output file (html or text) is divided into sections. You can +define the title to be anything that has meaning for you. I have arbitrarily +chosen *"CloudFlare DDNS update"* but you can change it to anything you want by +modifying the line: + +```Ini +... +Title = "CloudFlare DDNS update" +``` + +## Service script (/etc/logwatch/scripts/services/cfddns) + +Logwatch calls any script with a name that **matches the service name**. You'll +notice that I just named everything *cfddns* to keep things simple. You can +change this to whatever you want, however. If you changed the service name to +*"cloudflare*.conf", for example, you would have to rename this script file to +"*cloudflare*" with no extension. Note: The script is a PERL file. + +In essence, Logwatch just spits out the log file(s) defined in the LogFile Group +file as standard input (STDIN) and then takes whatever is output (STDOUT) and +assembles that into it's report. + +### Detail levels + +The script supports four (4) detail levels as follows: + +- **Level 0: Summary output only** + - This will display an aggregate total of certain logged elements. It will + display the total number of hostnames (A and AAAA) that are already + up-to-date, those that needed updated, those successfully updated and the + total number of errors (or any type) encountered by the script. All + totals are relative to the reporting period Logwatch is using (--range + parameter). **This is the recommended reporting level.** It does not + take up much space and is quick to read. If you see successful updates + match the number of needed updates and no errors logged, then things are + working properly. If you notice errors, you should consult the full + logs. +- **Levels 1-4: Critical messages** + - This uses the data which is summarized by Level 0 but outputs the actual + messages in the log file. For example, you will see the actual text of + the errors logged instead of just a total number of errors. This level + of reporting is useful when *initially* monitoring the script's + operation since you can see the actual text of any generated errors. +- **Level 5: Verbose (debugging) output** + - Like the previous level, this outputs the actual messages found in the + log file. However, it also includes *[INFO] tags* which contain logged + messages such as the detected IP address and the specific names of any + hostnames not found in your Cloudflare account, etc. This level of + reporting is useful in diagnosing why errors are occurring or if you just + want more insight into how the script works. **This level of output will + make your Logwatch reports longer and consume more of your time to + review. You should not use this level day-to-day.** +- **Levels 6+: Complete log file dump** + - Any number greater than 5 passed as a detail level will trigger the + script to dump the entire log file out to Logwatch line-by-line. This is + useful only if you are debugging an issue and cannot get access to the + actual raw log file itself. The actual log file is colour-coded which + makes it much easier to read. **Use this detail level only when you need + to see the entire log file and cannot otherwise access the log file.** + +## Timestamp processing script (/etc/logwatch/scripts/shared/sqfullstampanywhere) + +This is basically a modified version of the '*applyeurodate*' script that comes +with Logwatch. It had to be modified to search within [square brackets] and to +accept characters coming before the stamp (i.e. ANSI colour codes). If you +change '**stamp**' variable in the updater script to update the timestamp to +your liking (which to totally fine!) then you'll probably have to update this +file. There are two lines you need to modify to suit your new '**stamp**' +variable. + +### The time format specification + +SearchDate is the variable used in the PERL script to do exactly what it says, +search for the date stamp. I have it set up to look for the format +'*year-month-date hour:minute:second*'. Note, we don't care about brackets or +anything here, we're just defining the format of the date/time stamp. + +```Perl +... +$SearchDate = TimeFilter('%Y-%m-%d %H:%M:%S'); +... +``` + +If you changed the '**stamp**' variable so it was formatted as '*month/day/year +hour:minute*' (ex: '*[09/27/2018 18:38]*') then you'd update the **$SearchDate** +variable as follows: + +```Perl +... +$SearchDate = TimeFilter('%m/%d/%Y %H:%M'); +... +``` + +### The search REGEX + +The PERL script uses a '*regular expression*' (REGEX) to search within the log file for +'*$SearchDate*'. For the default datestamp, this specification looks like: + +```Perl +... +if ($ThisLine =~ m/\[$SearchDate\] /o) { +... +``` + +The REGEX appears between '*m/*' and '*/o*'. In this case, it searches for +'*$SearchDate*' inside [square brackets] appearing anywhere on the line. This +is because ANSI colour-codes often appear before the datestamp in the default +log file. If you have modified this so that your datestamp appears at the +beginning of the line and in the example format in the section above (using +slashes instead of dashes) then you'd rewrite this REGEX as follows: + +```Perl +... +if ($ThisLine =~ m/^\[$SearchDate\] /o) { +... +``` + +or using regular brackets anywhere on the line: + +```Perl +... +if ($ThisLine =~ m/\($SearchDate\) /o) { +... +``` + +or without any brackets but appearing at the beginning of the line: + +```Perl +... +if ($ThisLine =~ m/^$SearchDate /o) { +... +``` + +## Testing + +Run *logwatch --help* and note the options. You can test just this service +locally on your screen with the following command (assuming you kept default +names for everything): + +```Bash +# Summary output entire duration of log file +logwatch --service cfddns --output stdout --format text --range all --detail 0 + +# Minimal detail yesterday only +logwatch --service cfddns --output stdout --format text --range yesterday --detail 1 + +# Verbose output today only +logwatch --service cfddns --output stdout --format text --range today --detail 5 +``` + +## Final thoughts + +That's it! I'm a horrible PERL programmer so if anyone can optimize/improve the +script file used for Logwatch then please do it! Otherwise, I hope this made +sense and helped you out integrating the updater script with Logwatch for easy +monitoring :-) \ No newline at end of file