Getting rid of LogWatch's "Unmatched sgi_fam" entries

An out-of-the-box installation of Fedora Core 1 will send you a mail every night containing an entry like this:

Excerpt from LogWatch mail

**Unmatched Entries**
xinetd[5012]: START: sgi_fam pid=12405 from=<no address>

These mails are sent by the LogWatch program, which analyzes the system's log files, extracts the interesting information and mails a summary to the system administrator. sgi_fam (the SGI File Alteration Monitor) is a daemon which monitors files for changes and informs interested programs of any such events; on Fedora it is started on demand by xinetd, which is why the entry comes from xinetd.

The reason why LogWatch reports these lines is that its filter for the secure log has no rule for sgi_fam. Any log entry that matches none of the filter's rules is listed under "Unmatched Entries" on the assumption that it might be important. If you have lots of Fedora boxes installed, this becomes very annoying. There are two ways to get rid of these messages:

  1. Disable the sgi_fam service (if nothing on the machine needs it).
  2. Tell LogWatch to ignore the entry (the more elegant solution).

I am not aware which programs or services require the sgi_fam daemon, so at the moment I prefer to let it run (it only listens on 127.0.0.1, so it does not pose a high security risk).

Telling LogWatch to ignore the entry is relatively easy: the message is produced by the script /etc/log.d/scripts/services/secure, which processes the entries of the secure log as a chain of regular-expression rules. We just have to add two lines to that chain so that sgi_fam entries are matched (and dropped) before they reach the "unmatched" bucket. Look for

/etc/log.d/scripts/services/secure (original)

} elsif ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) {
  # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
  # I don't think these are important to log at this time
} elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {

and change these to:

/etc/log.d/scripts/services/secure (modified)

} elsif ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) {
  # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
  # I don't think these are important to log at this time
} elsif ( $ThisLine =~ /^xinetd\[\d+\]: START: sgi_fam ([^ ]+) (.+)$/ ) {
  # We choose to ignore sgi_fam
} elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {

After changing the script you do not need to restart any daemons: LogWatch is started by cron and reads its scripts afresh on every run. Note that the added rule only matches START entries for sgi_fam; START entries for other xinetd services are still reported, which is what you want, since they show who connected to which service. Also keep a note of the change, as an upgrade of the logwatch package may replace the script and undo it.
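To see what the added rule does and does not swallow, the following Perl script models the rule chain of /etc/log.d/scripts/services/secure over a handful of constructed log lines. It is an added example, not code from LogWatch or from this article; the hash names (%Ignored, %SudoList, %OtherList), the counters and the sample lines are assumptions made for the demonstration, and only the three rules shown above are modelled.

```perl
#!/usr/bin/perl
# Added example (not LogWatch's own code): a cut-down model of the
# rule chain in /etc/log.d/scripts/services/secure.  Lines that match
# no rule fall through to %OtherList, which is what LogWatch prints
# under "**Unmatched Entries**".
use strict;
use warnings;

# Constructed sample lines.  The first has the shape quoted in the
# LogWatch mail; the rest are made up for this demonstration.
my @lines = (
    'xinetd[5012]: START: sgi_fam pid=12405 from=<no address>',
    'xinetd[5012]: START: telnet pid=12406 from=192.0.2.10',
    'xinetd[5012]: USERID: ftp OTHER',
    'sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow',
);

my (%Ignored, %SudoList, %OtherList);

foreach my $ThisLine (@lines) {
    if ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) {
        # inetd ident lookup; the stock script discards these
        $Ignored{'xinetd USERID'}++;
    } elsif ( $ThisLine =~ /^xinetd\[\d+\]: START: sgi_fam ([^ ]+) (.+)$/ ) {
        # the rule added in this article: sgi_fam being started is not news
        $Ignored{'sgi_fam START'}++;
    } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
        # sudo use is always reported: $1 is the user, $3 the command
        my ($user, $cmd) = ($1, $3);
        $SudoList{$user}{$cmd}++;
    } else {
        # no rule matched: report the line verbatim
        $OtherList{$ThisLine}++;
    }
}

print "Ignored:\n";
print "   $_: $Ignored{$_}\n" for sort keys %Ignored;
print "Sudo commands:\n";
for my $user (sort keys %SudoList) {
    print "   $user ran $_\n" for sort keys %{ $SudoList{$user} };
}
print "**Unmatched Entries**\n";
print "   $_\n" for sort keys %OtherList;
```

Run it with perl: the sgi_fam line is silently counted under "Ignored", the sudo line is summarized, and the constructed START line for telnet from a remote address still falls through to "Unmatched Entries". That is the point of keying the new rule on the service name sgi_fam rather than on xinetd START lines in general: connections to other xinetd services keep being reported.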