The two previous editions of "Tech Support" introduced software to help you monitor the security of your Linux system. March's column showed you how to monitor filesystem changes with Tripwire, and last month's column explained how to detect rootkits and loadable kernel modules (LKMs) with chkrootkit. This month, let's see how to monitor and analyze your system logs with Logwatch.
Logwatch is a customizable log analysis system that parses through the logs you specify to create a report based on criteria you select. Logwatch can be as verbose as you’d like, has built-in filters for a variety of programs, and works right out of the box on most systems. You can download Logwatch from http://www.logwatch.org. It’s provided under an MIT/X11-style license. After you download the Logwatch sources, be sure to verify the MD5 checksum.
Since Logwatch is a set of Perl scripts and filters, installation differs from the usual ./configure && make && make install dance. To install, first unpack the Logwatch source files and cd into the resulting directory. Then, type the following commands as root:
# mkdir /etc/log.d
# cp -a conf scripts lib /etc/log.d/
# ln -s /etc/log.d/conf/logwatch.conf /etc/log.d/logwatch.conf
# ln -s /etc/log.d/scripts/logwatch.pl
You can now edit /etc/log.d/logwatch.conf to suit your needs. (The file is very well documented.)
Pay particular attention to LogDir (all log files are assumed to be given relative to this directory); MailTo (the default address to email reports to); Range (the default time range for the report, where options are All, Today, and Yesterday); Detail (the default detail level for the report); and Mailer, which must point to a valid mail program such as /bin/mail or /bin/mailx.
After setting those five options, you can run Logwatch by typing…
… as root or as any user that has sufficient access to the specified log files. After running the program, an email should be sent to the person listed in MailTo.
Keep in mind that if Logwatch doesn’t find anything it considers interesting, it won’t send email. If you don’t get an email after you run Logwatch, run the program with --debug Med to determine if you have a configuration problem or just nothing to report. If you’d rather see the output in your terminal window, use the --print switch.
Once you’ve configured Logwatch to meet your requirements, you should run it nightly via cron to automatically generate a daily report. If you see something unexpected or unusual in a Logwatch report, look into it. After all, the program is useless if you ignore its reports.
While Logwatch recognizes the output of many popular programs by default (over fifty at the time of this writing), you can easily write a plug-in for other programs with the HOWTO-Make-Filter instructions included in the source download.
If Logwatch doesn’t suit you, there are other options for log monitoring. You can try logsentry, swatch, or even create your own tool using awk. Visit http://loganalysis.org for more information on log analysis.
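One way to build the "own tool using awk" mentioned above, as an added example that is not part of the original column: it counts failed sshd password attempts per source address. The function names, the threshold argument and the log lines are constructed for illustration, and the code assumes OpenSSH's usual "Failed password for ... from ADDRESS port N" syslog message.

```shell
#!/bin/sh
# Added example: summarize failed SSH logins per source address with awk.
# The log lines below are constructed sample data (documentation IP ranges).

sample_log() {
cat <<'EOF'
Mar 10 03:12:01 web1 sshd[2211]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 10 03:12:04 web1 sshd[2211]: Failed password for root from 192.0.2.10 port 51236 ssh2
Mar 10 03:12:09 web1 sshd[2214]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 10 03:15:40 web1 sshd[2290]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar 10 04:01:13 web1 sshd[2301]: Failed password for invalid user from from 203.0.113.5 port 60001 ssh2
Mar 10 04:02:00 web1 su[2310]: FAILED su for root by nobody
EOF
}

# failed_logins THRESHOLD: read syslog lines on stdin, print "COUNT ADDRESS"
# for every source with at least THRESHOLD failed sshd password attempts.
failed_logins() {
    awk -v min="${1:-1}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # Scan from the end so a user literally named "from" cannot
            # shift the address: the real one is followed by "port".
            for (i = NF - 2; i > 0; i--)
                if ($i == "from" && $(i + 2) == "port") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Report sources with three or more failures in the sample data.
sample_log | failed_logins 3
```

To use it on a real system, feed it the file your syslog daemon writes sshd messages to instead of sample_log.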
A Penguin, Some Popcorn, and a DVD
Now that we have a program watching our logs, let’s have some fun and watch a movie on DVD. Linux DVD players have come a long way, and you can now choose from a variety of mature and feature-rich packages. In fact, it’s likely that one of them is included in the distro you’re using now.
Among the best players are Xine (available from http://xine.sourceforge.net), Ogle (http://www.dtek.chalmers.se/groups/dvd), and mplayer (http://www.mplayerhq.hu).
Each player has its own unique look and feel, set of features, and list of supported codecs and file formats.
As DVD players are highly susceptible to personal tastes and preferences (like most audio- and video-related programs and equipment), consider all three and choose the one that suits you best.
After you get the player of your choice working, you may want to “rip” some of your DVDs to DivX for later viewing. To rip, try AcidRip (http://acidrip.sourceforge.net) or dvd::rip (http://www.exit1.org/dvdrip). The former is provided under the GPL and requires mencoder. The latter is provided under the GPL and the Perl Artistic License and requires transcode.
Now you can have a program keep an eye on your logs, while you keep an eye on your favorite movie. Have fun!
Jeremy Garcia is the founder and administrator of LinuxQuestions.org, a free, friendly, and active Linux community. If you have a topic or question for “Tech Support,” Jeremy would like to hear from you. Send email to email@example.com.