logwatch – system log analyzer and reporter for Linux
January 15, 2011. Posted by Tournas Dimitrios in Linux.
LogWatch is a customizable, pluggable log-monitoring system. It goes through your logs for a given period of time and produces a report on the areas you choose, at the level of detail you choose. It is easy to use and works right out of the package on almost all systems. The utility is not a daemon: it is a Perl script, usually run as a (daily) cron job, that reports the most important aspects of your log files via email.
Newcomers to the Linux world can simply accept the default configuration, read the messages sent to their mailbox and get a view of the status of the box (security alerts, available disk space, failed SSH login attempts, ...). It is also possible to run logwatch from the terminal with parameters and display the result directly on the screen, so there is no need to wait for the report to be produced by the cron job (usually once a day). The daily report is set up via a symlink in /etc/cron.daily:
0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
If you prefer to customise logwatch, you have to go through a rather confusing hierarchy of config files and a collection of service-specific filters that cut out logged information about the services you are not interested in. On CentOS 5.x, logwatch is run daily through a symlink to the main logwatch.pl script in the /etc/cron.daily directory.
Most people will be content to stick with the default configuration of logwatch, but once you have mastered its rather labyrinthine assortment of config files and scripts, there is a lot you can do to configure it, including writing your own filter scripts if you have the appropriate programming skills, probably in Perl or PHP.
The most important logwatch files on CentOS 5.x are:
- /usr/share/logwatch/scripts/logwatch.pl : the script that runs when cron executes the scheduled logwatch job. The /usr/sbin/logwatch command is a symlink to this script.
- /usr/share/doc/logwatch.xxx/HOWTO-Customize-LogWatch : a must-read file, and not only for those who need to customize logwatch.
- /etc/logwatch/conf/logwatch.conf : sets the default values of all the options (see the table below). These defaults are used when LogWatch is called without any parameters (i.e. from cron.daily). The file is well documented, but the explanations below also apply to this config file.
- /etc/logwatch/scripts/services/* : the actual filter programs for the various services.
- /etc/logwatch/scripts/shared/* : filters common to many services and/or logfiles.
- /etc/logwatch/scripts/logfiles/* : filters specific to particular logfiles.
Configuration file priority:
Logwatch can be highly customized through its configuration files, which are organized in a directory structure.
Logwatch actually has three directories for configuration files; all share the same structure but have different priority levels:
- /usr/share/logwatch/default.conf/... : the default configuration provided by logwatch
- /usr/share/logwatch/dist.conf/... : distribution-specific configuration (CentOS 5.x does not provide any configuration here at all, so the default configuration takes effect if no user-specific configuration is available)
- /etc/logwatch/... : the place where the user makes his custom configuration changes
Think of it like the priority rules of CSS in HTML. The first level (highest priority) is the /etc/logwatch/... directory. If a file is not present at the first level, the next level (the distribution-specific configuration) takes effect, and if it is not present at the second level either, the last level (the default configuration shipped with logwatch) is used.
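The lookup order just described, as an added example that is not part of the original post: a POSIX sh helper that reports which copy of a logwatch config file is actually active, and which copies are shadowed by a higher level. The three real directories are the defaults; the demonstration at the end builds a constructed tree under a temporary directory so nothing on the real system is read or changed. It assumes the relative layout (e.g. conf/services/sshd.conf) is identical under all three roots.

```shell
#!/bin/sh
# Added example (not from the original post or the logwatch project):
# resolve a logwatch config file under the three-level lookup order,
# /etc/logwatch first, then dist.conf, then default.conf.

# usage: resolve_logwatch_conf RELATIVE_PATH [ROOT ...]
# Prints the winning file and returns 0; prints nothing and returns 1
# if no level provides it. Without ROOT arguments the real directories
# are searched, highest priority first.
resolve_logwatch_conf() {
    rel=$1
    shift
    if [ $# -eq 0 ]; then
        set -- /etc/logwatch /usr/share/logwatch/dist.conf /usr/share/logwatch/default.conf
    fi
    for root in "$@"; do
        if [ -f "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            return 0
        fi
    done
    return 1
}

# usage: show_logwatch_levels RELATIVE_PATH [ROOT ...]
# Audit helper: lists every level and marks each copy as ACTIVE, shadowed
# or absent, so a stray file under /etc/logwatch that silently overrides
# the packaged default becomes visible.
show_logwatch_levels() {
    rel=$1
    shift
    if [ $# -eq 0 ]; then
        set -- /etc/logwatch /usr/share/logwatch/dist.conf /usr/share/logwatch/default.conf
    fi
    active=$(resolve_logwatch_conf "$rel" "$@") || active=""
    for root in "$@"; do
        if [ -f "$root/$rel" ]; then
            if [ "$root/$rel" = "$active" ]; then
                printf '%-9s %s\n' "ACTIVE" "$root/$rel"
            else
                printf '%-9s %s\n' "shadowed" "$root/$rel"
            fi
        else
            printf '%-9s %s\n' "absent" "$root/$rel"
        fi
    done
}

# Demonstration on a constructed tree in a temp directory: the default level
# ships conf/services/sshd.conf, the user level overrides it and the
# distribution level (empty on CentOS 5.x) defines nothing.
demo_precedence() {
    tmp=$(mktemp -d) || return 1
    user="$tmp/etc"; dist="$tmp/dist.conf"; dflt="$tmp/default.conf"
    mkdir -p "$user/conf/services" "$dist" "$dflt/conf/services"
    echo 'Detail = Low' > "$dflt/conf/services/sshd.conf"
    echo 'Detail = High' > "$user/conf/services/sshd.conf"
    resolve_logwatch_conf conf/services/sshd.conf "$user" "$dist" "$dflt"
    show_logwatch_levels conf/services/sshd.conf "$user" "$dist" "$dflt"
    rm -rf "$tmp"
}

demo_precedence
```

Run it with no arguments to see the constructed demonstration; on a real box, `show_logwatch_levels conf/logwatch.conf` lists the three candidate locations of the main config file and tells you which one logwatch will actually read.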
Launching logwatch from the terminal: as mentioned previously, a fresh report can be generated from the terminal. These are the most useful parameters that can be passed to the Perl script.
| logwatch terminal option | Meaning |
|---|---|
| --usage or --help | Displays usage information. |
| --detail level | The detail level of the report. level can be high, med or low. |
| --logfile log-file-group | Forces LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...). LogWatch will therefore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups. |
| --service service-name | Forces LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All, which processes all services (and logfile-groups) for which you have filters installed. |
| --print | Prints the results to stdout (i.e. the screen). |
| --mailto address | Mails the results to the email address or user specified in address. |
| --archives | Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz). This option makes LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however. |
| --range range | Specifies a date range to process. This option is currently limited to Yesterday, Today and All. |
| --debug level | For debugging purposes. level can range from 0 to 100. This will really clutter up your output; you probably don't want to use it. |
| --save file-name | Saves the output to file-name instead of displaying or mailing it. |
| --logdir directory | Looks in directory for log files instead of the default directory. |
| --hostname hostname | Uses hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate). |
Caution: all command-line options take a double dash, e.g. --print, --detail, etc.
Some graphics cards do not display the two dashes clearly.
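An on-demand report from the terminal, as an added example that is not part of the original post: a POSIX sh wrapper that checks the --detail and --range values against the sets the option table allows before building a --print command line, so a mistyped value is caught instead of producing an empty or wrong report. It assumes the logwatch command is on the PATH under the name logwatch; service names are passed through unchecked because the valid set depends on which filters are installed.

```shell
#!/bin/sh
# Added example (not from the original post or the logwatch project):
# validate the option values from the table above and build a fresh,
# print-to-terminal logwatch report on demand.

# usage: build_logwatch_cmd DETAIL RANGE SERVICE [SERVICE ...]
# Prints the command line on success; returns 1 with a message on stderr
# if DETAIL or RANGE is not a value the option table allows.
build_logwatch_cmd() {
    detail=$1; range=$2; shift 2
    case $detail in
        high|med|low) ;;
        *) echo "detail must be high, med or low (got '$detail')" >&2; return 1 ;;
    esac
    case $range in
        Yesterday|Today|All) ;;
        *) echo "range must be Yesterday, Today or All (got '$range')" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one service is required (All processes every service)" >&2; return 1; }
    cmd="logwatch --detail $detail --range $range"
    # one --service per name; the option may be repeated
    for svc in "$@"; do
        cmd="$cmd --service $svc"
    done
    printf '%s\n' "$cmd --print"
}

# usage: fresh_report DETAIL RANGE SERVICE [SERVICE ...]
# Runs the validated command where logwatch is installed; elsewhere it only
# shows what would run, so the example can be tried offline.
fresh_report() {
    cmd=$(build_logwatch_cmd "$@") || return 1
    if command -v logwatch >/dev/null 2>&1; then
        # intentional word splitting: $cmd holds the assembled argument list
        $cmd
    else
        echo "logwatch not installed here; would run: $cmd"
    fi
}

# Typical ad-hoc check after a suspicious login notice: today's sshd and pam
# activity at full detail, straight to the terminal instead of waiting for
# the cron.daily mail.
fresh_report high Today sshd pam
```

Because the wrapper spells out every option with its double dash, it also sidesteps the display problem mentioned in the caution above: the command line is built in a variable, not retyped from a screen.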