Install logwatch

From Thomas-Krenn-Wiki
Jump to: navigation, search

The open source tool logwatch creates a short, concise check on the logs of a Linux based server.[1] It provides a good and transparent source and enables you to display pre-filtered messages (e. g. hard disk full, faulty logins to security-relevant services or simply to see the status of the last installed or modified packages in the package management).

Installation

Output of logwatch
logwatch is included in the most popular distributions, the installation is done conveniently via the integrated package management.
  • Under Debian/Ubuntu by: # apt-get install logwatch
  • With CentOS and RHEL by: # yum install -y logwatch

Alternatively, the current version can be downloaded from the project page at Sourceforge.

The tool is ready for use after installation, no further configuration is required by default.

Utilization

Logwatch takes over the analysis of the log files, prepares them according to the specified level of detail. A summary report can be created, saved as text/HTML and sent by e-mail. The following examples show the possible applications of logwatch.

Status report (short) about the log files of today

This call creates a report about the log files of today. The level of detail is low and displayed at standard output.

# logwatch --detail low --range today

Status report (detailed), html formatted

This example creates a detailed report of yesterday, html formatted, and the report is saved in an html file.

# logwatch --detail high --range yesterday --format html --filename meindateiname.html

Status report of the last 14 days with mail delivery

A detailed report of the last 14 days in html-format with subsequent dispatch to a given e-mail address is also possible.

# logwatch --detail high --range 'between 14 days ago and yesterday' --format html --mailto xxxxxxx@xxxx.xxx

Status report specified on a service in text format

Example output of a detailed status report in text format.

# logwatch --service sshd --detail high --range 7 days
 
 ################### Logwatch 7.4.2 (02/27/16) #################### 
        Processing Initiated: Wed Oct 11 20:16:10 2017
        Date Range Processed: 7
                              ( 2017-Oct-11 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: dktp
 ################################################################## 
 
 --------------------- SSHD Begin ------------------------ 

 SSHD Killed: 2 Time(s)
 
 SSHD Started: 6 Time(s)
 
 Failed logins from:
    192.168.6.50: 10 times
       root/password: 7 times
       pandix/password: 3 times
 
 **Unmatched Entries**
 message repeated 2 times: [ Failed password for pandix from 192.168.6.50 port 32954 ssh2] : 1 time(s)
 
 ---------------------- SSHD End ------------------------- 

 
 ###################### Logwatch End #########################

Automate Logwatch

Logwatch runs daily via an automatic entry in /etc/cron.daily, it queries running services and associated log files. The log files are then processed and a report is sent to root. If you want the tool to run at a certain time, you can remove the script 00logwatch from the directory /etc/cron.daily. Then logwatch is called with an entry in the crontab.

Configuration

The scripts used to analyze the services are located in the directory /usr/share/logwatch/scripts/services. The main configuration file logwatch.conf is located in the directory /usr/share/logwatch/default.conf/. In this file the default values for the command line options are set.

References

  1. Logwatch (sourceforge.net)

Author: Wilfried Seifert

Related articles

Linux Performance Measurements using vmstat
Mounting a Windows Share in Linux
Wake On LAN under Linux