Q: What did one lumberjack say to the other lumberjack? A: Watch those logs.
Last week we provided an introduction to the Linux system logs. (See Logs: Your Linux System’s Lovable Worker Bees.) Now, what will you, as a system administrator, use to watch logs? Logwatch, of course. As so many others have succinctly put it, messing with log files is a royal pain in the backside. Logwatch makes the experience of keeping track of system activity almost painless for you.
Logwatch is a log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system. It is not, I repeat not, a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system. It is an after-the-fact tool that provides you with a daily report of service activity. It reports on yesterday’s log information.
We’ll explore active monitoring tools for catching a would-be system hacker in the coming weeks. Logwatch’s value isn’t in catching a criminal with his hands on your system; its value is in saving you the effort of manually scraping logs.
The Basics
Before we begin, if you need a bit more background on Linux logs and system information, check out any of the following articles:
Now, let’s dive in.
Install logwatch in the usual way for your particular distribution using a package manager or download the source from the Logwatch Project page.
Primary setup is easy. If you installed via package, an automatic cron entry in cron.daily runs logwatch every day for you. Default setup includes all services, default log location /var/log and mail to the local root account. Logwatch installs to the /usr/share/logwatch directory for Debian-based and Red Hat-based systems. The main configuration file is under /usr/share/logwatch/default.conf. Some packagers create a symbolic link from /usr/sbin/logwatch to the perl script under /usr/share/logwatch/scripts/logwatch.pl.
Using Logwatch
Logwatch, by default, runs daily on yesterday’s logs and sends an email with a low level of detail to the local root account. For most of you, this daily summary is enough information to satisfy your needs and curiosity about what’s going on with your system. For others with systems that are a bit more security sensitive, you’ll need to slightly tweak the parameters of this “near perfect by default” tool.
You can run logwatch with a specific date range. For example, if you want to see information about today’s SSHD activity, you can run this command:
# logwatch --service sshd --range=Today
Check root’s mail to see the details of the report. Shown is the SSHD section of the report.
--------------------- SSHD Begin ------------------------
Illegal users from:
192.168.1.83: 12 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)
---------------------- SSHD End -------------------------
This is your default “Low” detail logwatch output report. For a more detailed report, try using --detail=Medium. Check root’s mail for the report.
# logwatch --service sshd --range=Today --detail=Medium
--------------------- SSHD Begin ------------------------
Illegal users from:
192.168.1.83: 12 times
bob/password: 6 times
george/password: 3 times
raphael/password: 3 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)
---------------------- SSHD End -------------------------
You can see that there’s more detail in this report. You can try using the High parameter to squeeze more detail from logs.
# logwatch --service sshd --range=Today --detail=High
--------------------- SSHD Begin ------------------------
Illegal users from:
192.168.1.83: 12 times
bob/password: 6 times
george/password: 3 times
raphael/password: 3 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)
---------------------- SSHD End -------------------------
As you can see, the detail didn’t change from Medium to High for SSHD. Alternatively, you can specify the detail level numerically as 0, 5 or 10, where 10 is the highest level of detail. Please note that you won’t receive more detail than what’s supplied in the logs.
For those of you, like me, who don’t love command line mail, you can tell logwatch to save its report to a file.
# logwatch --service sshd --range=Today --detail=High --save=logwatch.today
If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.
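Once a report is saved to a file, you can post-process it. The following is an added example, not part of the original article or of Logwatch itself: a small shell function that reads the "Illegal users from:" block of the SSHD section and prints the source addresses or attempted usernames at or above a threshold. The function name sshd_illegal, the sample_report helper and the 192.0.2.7 line are assumptions made for illustration, and the parser assumes the plain-text layout shown in the reports above.

```shell
#!/bin/sh
# Added example: summarise the "Illegal users from:" block of a saved
# Logwatch text report (for instance one written with --save=logwatch.today).

# sshd_illegal REPORT KIND [MIN]
#   KIND = sources -> prints "address count" for each source address
#   KIND = users   -> prints "username count" for each attempted username
#   MIN  = lowest count worth reporting (default 1)
sshd_illegal() {
    awk -v want="$2" -v min="${3:-1}" '
        / SSHD Begin /        { sshd = 1; next }           # enter SSHD section
        / SSHD End /          { sshd = 0; blk = 0; next }  # leave it
        !sshd                 { next }                     # ignore other services
        /Illegal users from:/ { blk = 1; next }            # block of interest
        !blk || NF == 0       { next }
        $3 !~ /^times?$/      { blk = 0; next }            # next header ends the block
        {
            key = $1; sub(/:$/, "", key); n = $2 + 0
            if (index(key, "/")) { kind = "users"; sub(/\/.*/, "", key) }
            else                 { kind = "sources" }
            if (kind == want && n >= min) print key, n
        }
    ' "$1"
}

# Sample input: the Medium-detail SSHD section from the article, plus one
# constructed low-volume source (192.0.2.7) so the threshold has work to do.
sample_report() {
    cat <<'EOF'
--------------------- SSHD Begin ------------------------
Illegal users from:
192.168.1.83: 12 times
bob/password: 6 times
george/password: 3 times
raphael/password: 3 times
192.0.2.7: 2 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
---------------------- SSHD End -------------------------
EOF
}

# Stand-alone demonstration on the sample report.
tmp=$(mktemp) && sample_report > "$tmp"
echo "Sources with 10 or more illegal-user attempts:"
sshd_illegal "$tmp" sources 10
echo "Usernames tried 5 or more times:"
sshd_illegal "$tmp" users 5
rm -f "$tmp"
```

Against a real report, replace the temporary file with the path you passed to --save.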
Logwatch Paranoid Configuration
As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supersede any parameters set in the configuration file located in /usr/share/logwatch/default.conf.
For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.
The default settings are:
Range = yesterday
Detail = Low
Archives = No
You should change these to:
Range = All
Detail = High
Archives = Yes
The Archives setting grabs data from your recent logs as well. If you remember from the first post in this series, they’re located under the /var/log directory and have a .X filename to designate their rotation number.
These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.
# logwatch --detail=High --range=All --archives
Customizing Output
Here’s a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.
The command line version is shown below.
# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html
The equivalent settings in the configuration file are:
Save = /var/www/html/logwatch.html
Output = html
The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report
Logwatch is a useful script for system administrators who don’t have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that’s installed on every system you manage.
Next week, you’ll take a look at some real-time log monitoring with swatch.
Kenneth Hess is a Linux evangelist and freelance technical writer on a variety of open source topics including Linux, SQL, databases, and web services. Ken can be reached via his website at http://www.kenhess.com. Practical Virtualization Solutions by Kenneth Hess and Amy Newman is available now.
Comments on "From the Sys Admin Toolbox: Logwatch"
I think Logwatch offers the best when it comes to watching and monitoring logs. If it weren’t for logwatch, then most of the system administrators would have experienced a really hard time monitoring all those log files intact. Furthermore, it is a really simple to use daily reporter. The choice of reporting the previous days’ log files makes this really handy in certain situations. Anyway, I am really looking forward to see the active monitoring tools from you guys! Regards Jane
Logwatch, this log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system is a very useful thing. I know that it is not a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system, it is an after-the-fact tool that provides you with a daily report of service activity. I needed to see the reports on yesterday’s log information, so I installed Logwatch 7.3.6 via the rpm on my CentOS 5.4 server. But the issue is I’m getting basically empty reports from logwatch. The only two sections which have any information are sam… This drives me mad(
Good overview of logwatch. Please get a spam filter as you are getting overrun.