Install logwatch
The open source tool logwatch produces a short, concise summary of the logs of a Linux-based server.[1] It is a good and transparent source of information and displays pre-filtered messages (e.g. a full hard disk, failed logins to security-relevant services, or simply the status of the packages most recently installed or modified through the package manager).
Installation
logwatch is included in the most popular distributions; installation is done conveniently via the integrated package management.
- Under Debian/Ubuntu by:
# apt-get install logwatch
- With CentOS and RHEL by:
# yum install -y logwatch
Alternatively, the current version can be downloaded from the project page at SourceForge.
The tool is ready for use right after installation; no further configuration is required by default.
Usage
Logwatch handles the analysis of the log files and prepares them according to the requested level of detail. A summary report can be created, saved as text or HTML, and sent by e-mail. The following examples show possible uses of logwatch.
Status report (short) about the log files of today
This call creates a report about today's log files. The level of detail is low and the output is printed to standard output.
# logwatch --detail low --range today
Status report (detailed), HTML formatted
This example creates a detailed report of yesterday's logs, formatted as HTML, and saves it to an HTML file (here meindateiname.html).
# logwatch --detail high --range yesterday --format html --filename meindateiname.html
Status report of the last 14 days with mail delivery
A detailed report of the last 14 days in HTML format with subsequent delivery to a given e-mail address is also possible. Note that a range containing spaces must be quoted so that it reaches logwatch as a single argument.
# logwatch --detail high --range 'between 14 days ago and yesterday' --format html --mailto xxxxxxx@xxxx.xxx
Status report specified on a service in text format
Example output of a detailed status report for a single service (here sshd) in text format. In the call below the range is not quoted, so only 7 reaches logwatch as the range value; accordingly the output lists a single processed day (2017-Oct-11). Quote the range, as in the 14-day example above, to process the intended period.
# logwatch --service sshd --detail high --range 7 days
 ################### Logwatch 7.4.2 (02/27/16) ####################
        Processing Initiated: Wed Oct 11 20:16:10 2017
        Date Range Processed: 7
                              ( 2017-Oct-11 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: dktp
 ##################################################################

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 2 Time(s)
 SSHD Started: 6 Time(s)

 Failed logins from:
    192.168.6.50: 10 times
       root/password: 7 times
       pandix/password: 3 times

 **Unmatched Entries**
 message repeated 2 times: [ Failed password for pandix from 192.168.6.50 port 32954 ssh2] : 1 time(s)

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################
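The SSHD section above is a convenient place to hook simple detection logic: the per-source and per-account counts are already aggregated, so a cron wrapper can parse the text report and notify when a source exceeds a threshold. The following script is an added example (my own code, not part of the article or the logwatch project). It assumes the section layout of the logwatch 7.4.2 text output shown above; the sample report embedded in the script is constructed from that output, and the threshold is a value of my choosing.

```shell
#!/bin/sh
# Added example, not part of the original article: pull the failed-login
# counts out of the "SSHD" section of a logwatch text report and raise an
# alert when one source reaches a threshold (e.g. from a cron wrapper).
# Assumptions: the section layout matches the logwatch 7.4.2 output shown
# above; the threshold and the sample report below are constructed here.

# Constructed sample, copied from the report layout shown above (with the
# indentation logwatch prints for sources and accounts).
SAMPLE_REPORT=' --------------------- SSHD Begin ------------------------

 SSHD Killed: 2 Time(s)
 SSHD Started: 6 Time(s)

 Failed logins from:
    192.168.6.50: 10 times
       root/password: 7 times
       pandix/password: 3 times

 **Unmatched Entries**
 message repeated 2 times: [ Failed password for pandix from 192.168.6.50 port 32954 ssh2] : 1 time(s)

 ---------------------- SSHD End -------------------------'

# Read a report on stdin and print one record per line:
#   source  <ip> <count>              a source address that failed to log in
#   account <user> <method> <count>   an account/method tried from that source
# Only the "Failed logins from:" block of the SSHD section is considered.
sshd_failed_logins() {
    awk '
        /^ *-+ SSHD Begin/ { insshd = 1; next }
        /^ *-+ SSHD End/   { insshd = 0 }
        insshd && /^ *Failed logins from:/ { inblock = 1; next }
        insshd && inblock && /^ *\*\*Unmatched Entries\*\*/ { inblock = 0 }
        # source lines look like "192.168.6.50: 10 times"
        inblock && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:$/ {
            src = $1; sub(/:$/, "", src); print "source", src, $2; next
        }
        # account lines look like "root/password: 7 times"
        inblock && $1 ~ /^[^ ]+\/[^ ]+:$/ {
            acct = $1; sub(/:$/, "", acct); split(acct, p, "/")
            print "account", p[1], p[2], $2
        }
    '
}

# Print an ALERT line for every source at or above the threshold given as $1.
# Exit status is 1 when at least one alert was raised, so a cron wrapper can
# chain a notification with "|| mail ...".
sshd_alert_sources() {
    threshold=$1
    sshd_failed_logins | awk -v t="$threshold" '
        $1 == "source" && $3 + 0 >= t { print "ALERT", $2, $3, "failed sshd logins"; hit = 1 }
        END { if (hit) exit 1; exit 0 }
    '
}

# Stand-alone demonstration on the constructed sample (threshold 5).
printf '%s\n' "$SAMPLE_REPORT" | sshd_failed_logins
printf '%s\n' "$SAMPLE_REPORT" | sshd_alert_sources 5 || echo "alert raised (exit status $?)"
```

In production the report would come from logwatch itself, for instance `logwatch --service sshd --detail high --range yesterday | sshd_alert_sources 20 || mail -s "sshd alert" root`; the counts are already aggregated by logwatch, so the script only has to read one small section instead of the raw auth log.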
Automate Logwatch
Logwatch runs daily via an automatic entry in /etc/cron.daily; it queries the running services and their associated log files. The log files are then processed and a report is sent to root. If you want the tool to run at a specific time instead, remove the script 00logwatch from the directory /etc/cron.daily and call logwatch through an entry in the crontab.
Configuration
The scripts used to analyze the services are located in the directory /usr/share/logwatch/scripts/services. The main configuration file logwatch.conf is located in the directory /usr/share/logwatch/default.conf/. In this file the default values for the command line options are set.
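To run logwatch at a fixed time (the automation described above) and to keep local settings out of the packaged default file, here is an added example: my own shell script, not part of the article or the logwatch project. It assumes /usr/sbin/logwatch as the binary path, /etc/cron.d for the schedule, and /etc/logwatch/conf/logwatch.conf as the override file that logwatch reads after the defaults under /usr/share/logwatch/default.conf; the file name logwatch-fixed and the prefix parameter (used so the functions can be exercised without root) are my choices. It disables 00logwatch by clearing its execute bit instead of deleting it, which run-parts treats the same way and which keeps the packaged script recoverable.

```shell
#!/bin/sh
# Added example, not part of the original article: schedule logwatch at a
# fixed time via /etc/cron.d and place local settings in the override file
# /etc/logwatch/conf/logwatch.conf, leaving the packaged defaults under
# /usr/share/logwatch/default.conf untouched (package upgrades replace them).
# Assumptions: logwatch binary at /usr/sbin/logwatch; the file name
# "logwatch-fixed" and the optional prefix parameter are my own choices.

# Build a crontab line for /etc/cron.d (which needs a user field).
# Validates the minute/hour fields so a typo does not silently install a
# schedule that never fires. Prints the line; returns 1 on bad input.
logwatch_cron_line() {
    minute=$1; hour=$2; range=${3:-yesterday}; mailto=${4:-root}
    case $minute in ''|*[!0-9]*) echo "invalid minute: $minute" >&2; return 1;; esac
    case $hour in ''|*[!0-9]*) echo "invalid hour: $hour" >&2; return 1;; esac
    [ "$minute" -le 59 ] && [ "$hour" -le 23 ] || { echo "minute/hour out of range" >&2; return 1; }
    # The range is quoted in the generated line so a multi-word range such as
    # "between 14 days ago and yesterday" stays one argument.
    printf '%s %s * * * root /usr/sbin/logwatch --detail high --range "%s" --mailto %s\n' \
        "$minute" "$hour" "$range" "$mailto"
}

# Write the cron.d file and disable the generic daily run. $1 is an optional
# root prefix (empty for the real system, a temp dir for testing).
install_logwatch_cron() {
    prefix=${1:-}; minute=$2; hour=$3
    line=$(logwatch_cron_line "$minute" "$hour" "${4:-yesterday}" "${5:-root}") || return 1
    mkdir -p "$prefix/etc/cron.d"
    printf '# logwatch at a fixed time (written by install_logwatch_cron)\n%s\n' "$line" \
        > "$prefix/etc/cron.d/logwatch-fixed"
    # run-parts skips files without the execute bit, so this has the same
    # effect as removing the script but is easy to undo.
    daily="$prefix/etc/cron.daily/00logwatch"
    if [ -f "$daily" ]; then chmod -x "$daily"; fi
}

# Write the override file; logwatch reads it after the defaults, so only the
# keys that differ from /usr/share/logwatch/default.conf/logwatch.conf are listed.
write_logwatch_override() {
    prefix=${1:-}; confdir="$prefix/etc/logwatch/conf"
    mkdir -p "$confdir"
    cat > "$confdir/logwatch.conf" <<'EOF'
# Local overrides; defaults remain in /usr/share/logwatch/default.conf/logwatch.conf
Detail = High
Range = yesterday
Output = mail
Format = text
MailTo = root
MailFrom = Logwatch
EOF
}

# Stand-alone demonstration: print the line that would be installed for 06:30.
logwatch_cron_line 30 6
```

On a real system call `install_logwatch_cron "" 30 6` and `write_logwatch_override ""` as root; with a non-empty prefix the same functions write into a scratch tree, which is how the behaviour can be checked before touching /etc.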
References
Author: Wilfried Seifert
Wilfried Seifert works in the Systems Engineering department at Thomas-Krenn, where he is responsible for system and prototype development. He is LPIC-3 certified and works on building and programming embedded/GPIO systems; in his spare time he likes to repair old home computers, attends Linux conferences, or goes mountain biking (MTB) for exercise.