The two previous editions of “Tech Support” introduced software to help you monitor the security of your Linux system. March’s column showed you how to monitor filesystem changes with Tripwire, and last month’s column explained how to detect rootkits and loadable kernel modules (LKMs) with chkrootkit. This month, let’s see how to monitor and analyze your system logs with Logwatch.
Logwatch is a customizable log analysis system that parses the logs you specify and produces a report based on criteria you select. Logwatch can be as verbose as you like, has built-in filters for a variety of programs, and works right out of the box on most systems. You can download Logwatch from http://www.logwatch.org. It is provided under an MIT/X11-style license. After you download the Logwatch sources, be sure to verify the MD5 checksum. Keep in mind what that check proves: a checksum fetched from the same site as the tarball only guards against a corrupted download, since anyone able to replace the tarball can replace the checksum beside it, so compare against a value obtained from a second source where you can.
Since Logwatch is a set of Perl scripts and filters, installation differs from the usual ./configure && make && make install dance. To install, first unpack the Logwatch source files and cd into the resulting directory. Then, type the following commands as root:
You can now edit /etc/log.d/logwatch.conf to suit your needs. (The file is very well documented.)
Pay particular attention to LogDir (all log-files are assumed to be given relative to this directory); MailTo (the default address to email reports to); Range (the default…
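As an added example (not code from the column or from the Logwatch project), the script below sketches in plain sh and awk what one Logwatch service filter does: pick the lines from a named log file that fall inside a range, the way Range selects a window, and tally sshd password failures by source address into a short report section. The real thing is driven by logwatch.conf (LogDir, MailTo, Range) and by the Perl filters under /etc/log.d; here the sample log lines are constructed, the function names and the failure threshold are my own choices, and the range is a single syslog day rather than Logwatch's "yesterday" or "all".

```shell
#!/bin/sh
# Added example, not Logwatch's own code: a minimal Logwatch-style
# filter for sshd authentication failures, written in sh/awk.

# Constructed sample of syslog-format sshd lines (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 11 23:58:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4101 ssh2
Apr 12 00:03:17 host sshd[1210]: Failed password for invalid user admin from 192.0.2.7 port 5033 ssh2
Apr 12 00:03:19 host sshd[1210]: Failed password for invalid user admin from 192.0.2.7 port 5034 ssh2
Apr 12 02:15:44 host sshd[1302]: Accepted publickey for alice from 198.51.100.2 port 6000 ssh2
Apr 12 03:40:09 host sshd[1377]: Failed password for root from 192.0.2.7 port 5100 ssh2
Apr 12 03:41:12 host sshd[1378]: Failed password for root from 10.0.0.5 port 4200 ssh2
Apr 13 01:00:00 host sshd[1400]: Failed password for root from 203.0.113.9 port 7000 ssh2
EOF

# failed_logins_by_host LOGFILE "Mon D"
# Prints "count host" for each source address with sshd "Failed password"
# events on the given syslog day, most frequent first. The day is matched
# on the first two whitespace-separated fields, so pass "Apr 1", not "Apr  1".
failed_logins_by_host() {
    logfile=$1; day=$2
    awk -v day="$day" '
        ($1 " " $2) == day && /sshd\[[0-9]+\]: Failed password/ {
            # the address follows the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (h in n) printf "%d %s\n", n[h], h }
    ' "$logfile" | sort -k1,1nr -k2,2
}

# report LOGFILE "Mon D"
# Logwatch-style section. Hosts at or above THRESHOLD failures are
# flagged so one mistyped password does not read like an attack.
THRESHOLD=3
report() {
    printf '%s\n' '--------------------- sshd Begin ------------------------'
    printf 'Failed logins on %s:\n' "$2"
    failed_logins_by_host "$1" "$2" | while read -r count host; do
        if [ "$count" -ge "$THRESHOLD" ]; then
            printf '   %s: %s time(s)  <- repeated failures\n' "$host" "$count"
        else
            printf '   %s: %s time(s)\n' "$host" "$count"
        fi
    done
    printf '%s\n' '---------------------- sshd End -------------------------'
}

report "$SAMPLE_LOG" "Apr 12"
```

Run it with sh and it prints a section for April 12 in which 192.0.2.7 (three failures) is flagged and 10.0.0.5 (one failure) is not; the Accepted line and the entries from the neighbouring days are ignored, which is the same selection Logwatch makes when Range limits the report to a single period.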