
logwatch – system log analyzer and reporter for Linux January 15, 2011

Posted by Tournas Dimitrios in Linux.

LogWatch is a customizable, pluggable log-monitoring system. It goes through your logs for a given period of time and makes a report on the areas you choose, at the level of detail you choose. It is easy to use and works right out of the package on almost all systems. This utility is not a daemon; it is a Perl script, usually run as a (daily) cron job, and it reports the most important aspects of your log files via email.

Newcomers to the Linux world can simply accept the default configuration, read the messages that are sent to their mailbox and get a view of the status of the box (security alerts, disk space available, failed ssh log-in attempts, ...). It is also possible to run logwatch from the terminal with parameters and display the result directly on the terminal, so there is no need to wait for the report until the cron job runs it (usually once a day). The daily report is set up via a symlink in /etc/cron.daily:
0logwatch -> /usr/share/logwatch/scripts/logwatch.pl

If you prefer to customise logwatch, you have to go through a rather confusing hierarchy of config files and a collection of service-specific filters that cut out logged information about the services you're not interested in. On CentOS 5.x, logwatch runs daily through a symlink in the /etc/cron.daily directory that points at the main logwatch.pl script.
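Because the whole daily report depends on that one symlink being present and pointing at an executable script, it is worth checking after an upgrade or a package change. The function below is an added example, not code from the post or from the logwatch project: it takes the cron.daily directory and the expected target as arguments (the defaults a CentOS 5.x user would pass are the paths given in the post) and reports whether the job is wired up correctly.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that the daily
# logwatch job is set up the way the post describes, i.e. that
# CRON_DAILY_DIR/0logwatch is a symlink to logwatch.pl and that the
# target exists and is executable. Directory and target are parameters
# so the check can also be run against a scratch copy.

# check_logwatch_cron CRON_DAILY_DIR EXPECTED_TARGET
#   returns 0 when the symlink is present, points at EXPECTED_TARGET and the
#   target is an executable file; otherwise prints the reason and returns 1.
check_logwatch_cron() {
    cron_dir=$1
    expected=$2
    link="$cron_dir/0logwatch"

    if [ ! -L "$link" ]; then
        echo "missing: $link is not a symlink"
        return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$expected" ]; then
        echo "unexpected target: $link -> $target (expected $expected)"
        return 1
    fi
    if [ ! -f "$expected" ] || [ ! -x "$expected" ]; then
        echo "broken: $expected is missing or not executable"
        return 1
    fi
    echo "ok: $link -> $target"
    return 0
}

# When run with two arguments, check those paths; on CentOS 5.x that is:
#   sh check_logwatch_cron.sh /etc/cron.daily /usr/share/logwatch/scripts/logwatch.pl
if [ $# -eq 2 ]; then
    check_logwatch_cron "$1" "$2"
fi
```

The exit status makes the function usable from a monitoring script or another cron job: a non-zero result means no report is going to arrive, which is the failure mode you otherwise only notice when the daily mail stops coming.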

Most people will be content to stick with the default configuration of logwatch, but once you've mastered its rather labyrinthine assortment of config files and scripts, there's a lot you can do to configure it, including writing your own filter scripts if you have the appropriate programming skills, probably in Perl or PHP.

The most important logwatch files on CentOS 5.x are:

  • /usr/share/logwatch/scripts/logwatch.pl : This script is run when cron executes the scheduled logwatch job. The /usr/sbin/logwatch command is a symlink to this script.
  • /usr/share/doc/logwatch.xxx/HOWTO-Customize-LogWatch : A must-read file, not only for those who need to customize logwatch.
  • /etc/logwatch/conf/logwatch.conf : This file sets the default values of all the options (see the table below). These defaults are used when LogWatch is called without any parameters (i.e. from cron.daily). The file is well documented, but the explanations below also apply to this config file.
  • /etc/logwatch/scripts/services/* : The actual filter programs for the various services.
  • /etc/logwatch/scripts/shared/* : Filters common to many services and/or logfiles.
  • /etc/logwatch/scripts/logfiles/* : Filters specific to particular logfiles.

Configuration file priority:

Logwatch can be highly customized through its configuration files, which are organized in a directory structure.
Logwatch actually has 3 directories for configuration files; all have the same structure but a different priority level:

  • /usr/share/logwatch/default.conf/... : The default configuration provided by logwatch.
  • /usr/share/logwatch/dist.conf/... : Distribution-specific configuration files (CentOS 5.x doesn't ship any configuration here at all, so the default configuration takes effect if no user-specific configuration is available).
  • /etc/logwatch/... : The place where the user makes his custom configuration changes.

Think of it like the priority of CSS rules in HTML. The first level (highest priority) is the /etc/logwatch/... directory. If the first level is not present, the next level takes effect (the distribution-specific configuration files), and if no second level exists, the last level (the default configuration from logwatch) takes effect.
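To make the three-level rule concrete, here is an added example (my own code, not the post's and not logwatch's own loader): a shell function that resolves one option the way the CSS analogy says, by reading the same relative config file from each level, lowest priority first, so that a value set in /etc/logwatch wins over dist.conf, which wins over default.conf. For testability the three trees are modelled as subdirectories default.conf, dist.conf and etc of a base directory you pass in; that layout is an assumption of the example, and the "Key = Value" line format is logwatch.conf's.

```shell
#!/bin/sh
# Added example (not from the post or the logwatch project): resolve the
# effective value of one logwatch option across the three configuration
# levels described above. BASE_DIR is assumed to contain copies of the
# three trees as BASE_DIR/default.conf, BASE_DIR/dist.conf and BASE_DIR/etc;
# RELATIVE_CONF is the file inside each tree, e.g. conf/logwatch.conf.

# logwatch_option BASE_DIR RELATIVE_CONF OPTION
#   Prints the value from the highest-priority level that sets OPTION
#   (option names are matched case-insensitively) and returns 0; returns 1
#   when no level sets it. Comments after '#' are ignored, as in logwatch.conf.
logwatch_option() {
    base=$1; rel=$2; opt=$3
    value=""; found=1
    # Lowest priority first, so each later level overrides the earlier one.
    for level in default.conf dist.conf etc; do
        f="$base/$level/$rel"
        [ -f "$f" ] || continue
        if v=$(sed 's/#.*//' "$f" | awk -v key="$opt" '
            /^[ \t]*[A-Za-z_.]+[ \t]*=/ {
                k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
                if (tolower(k) == tolower(key)) {
                    v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                    val = v; hit = 1
                }
            }
            END { if (hit) { print val; exit 0 } exit 1 }'); then
            value=$v; found=0
        fi
    done
    [ $found -eq 0 ] && printf '%s\n' "$value"
    return $found
}

# Usage: logwatch_option BASE_DIR conf/logwatch.conf Detail
if [ $# -eq 3 ]; then
    logwatch_option "$1" "$2" "$3"
fi
```

Running it against a scratch copy of your own trees is a quick way to see which file is really setting Detail, MailTo or Range before you edit anything under /etc/logwatch.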

Launching logwatch via the terminal: As mentioned previously, a fresh report can be produced from the terminal. These are the most useful parameters that can be passed to the Perl script.

logwatch terminal options:

  • --usage or --help : Displays usage information.
  • --detail level : This is the detail level of the report. level can be high, med, low.
  • --logfile log-file-group : This forces LogWatch to process only the set of logfiles defined by log-file-group (e.g. messages, xferlog, ...). LogWatch will therefore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups.
  • --service service-name : This forces LogWatch to process only the service specified in service-name (e.g. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All, which processes all services (and logfile-groups) for which you have filters installed.
  • --print : Print the results to stdout (i.e. the screen).
  • --mailto address : Mail the results to the email address or user specified in address.
  • --archives : Each log-file-group has basic logfiles (e.g. /var/log/messages) as well as archives (e.g. /var/log/messages.? or /var/log/messages.?.gz). This option makes LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however.
  • --range range : You can specify a date range to process. This option is currently limited to only Yesterday, Today and All.
  • --debug level : For debugging purposes. level can range from 0 to 100. This will really clutter up your output. You probably don't want to use this.
  • --save file-name : Save the output to file-name instead of displaying or mailing it.
  • --logdir directory : Look in directory for log files instead of the default directory.
  • --hostname hostname : Use hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate).


  • logwatch --service ftpd-xferlog --range all --detail high --print --archives
    This prints out all FTP transfers that are stored in all current and archived xferlogs.
  • logwatch --service pam_pwdb --range yesterday --detail high --print
    This prints out login information for the previous day...
  • logwatch --print
    Just forces logwatch to run immediately and print the results to the terminal.
  • logwatch
    logwatch runs as if it had been started by cron, so your mailbox receives the report.
  • logwatch --detail high --logfile secure --print
  • logwatch --detail high --logfile messages --mailto yourname@domain.com
    Scans the "messages" log and sends the report to a custom email address.

Caution: all command-line options take a double dash, as in "--print", "--detail", etc.
Some displays don't show the two dashes clearly.
