logwatch?

[Steve Siegfried]

Jeffrey Ross wrote:
> 
> When logwatch reports that a host probed the server, what information 
> does it use to determine that?  I tried to grep for the IP address that 
> did the probing in /var/log/* and came up empty handed.
> 
> Thanks...Jeff

It would be helpful if you reproduced the relevant portion of logwatch's
output.

I've only seen "probed the server" output from logwatch in conjunction
with httpd reporting (ie: in the "-- httpd Begin --"/"-- httpd End --"
part of the report).

If what you're seeing isn't in that part of your logwatch report, then
this probably isn't what's going on.

However, if it is, then you need to look for the IP address of the site
that probed your server in the log file that records hits.  In apache on
Fedora, that's normally /var/log/httpd/access_log.

Hope this helps,

-S