From the Sys Admin Toolbox: Logwatch

Q: What did one lumberjack say to the other lumberjack? A: Watch those logs.

Last week we provided an introduction to the Linux system logs. (See Logs: Your Linux System’s Lovable Worker Bees.) Now, what will you, as a system administrator, use to watch logs? Logwatch, of course. As so many others have succinctly put it, messing with log files is a royal pain in the backside. Logwatch makes the experience of keeping track of system activity almost painless for you.

Logwatch is a log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system. It is not, I repeat not, a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system. It is an after-the-fact tool that provides you with a daily report of service activity. It reports on yesterday’s log information.

We’ll explore active monitoring tools in the coming weeks to catch a would-be system hacker. Logwatch’s value isn’t in catching a criminal with his hands on your system; it is designed instead to save you the effort of manually scraping logs.

Logwatch

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use – works right out of the package on almost all systems.

The Basics

Before we begin, if you need a bit more background on Linux logs and system information, check out any of the following articles:

Now, let’s dive in.

Install logwatch in the usual way for your particular distribution using a package manager or download the source from the Logwatch Project page.

Primary setup is easy. If you installed via package, an automatic cron entry in cron.daily runs logwatch every day for you. Default setup includes all services, default log location /var/log and mail to the local root account. Logwatch installs to the /usr/share/logwatch directory for Debian-based and Red Hat-based systems. The main configuration file is under /usr/share/logwatch/default.conf. Some packagers create a symbolic link from /usr/sbin/logwatch to the perl script under /usr/share/logwatch/scripts/logwatch.pl.

Using Logwatch

Logwatch, by default, runs daily on yesterday’s logs and sends an email to the local root account with a low level of detail. For most of you, this is enough information in a daily summary to satisfy your needs and curiosity about what’s going on with your system. For others with systems that are a bit more security sensitive, you’ll need to slightly tweak the parameters of this “near perfect by default” tool.

You can run logwatch with a specific date range. For example, if you want to see information about today’s SSHD activity, you can run this command:

# logwatch --service sshd --range=Today

Check root’s mail to see the details of the report. The SSHD section of the report is shown below.

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

This is your default “Low” detail logwatch output report. For a more detailed report, try using --detail=Medium. Check root’s mail for the report.

# logwatch --service sshd --range=Today --detail=Medium

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

You can see that there’s more detail in this report. You can try using the High parameter to squeeze more detail from logs.

# logwatch --service sshd --range=Today --detail=High

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

As you can see, the detail didn’t change from Medium to High for SSHD. Alternatively, you can specify the detail level using the numeric values 0, 5 or 10, where 10 is the highest level of detail. Please note that you won’t receive more detail than what’s supplied in the logs.

For those of you, like me, who don’t love command line mail, you can tell logwatch to save its report to a file.

# logwatch --service sshd --range=Today --detail=High --save=logwatch.today

If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.
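Once a report is saved to a file with --save, it can be post-processed without reading the whole thing. The following POSIX shell function is an added example, not code from the article or from the Logwatch project: it extracts the hosts listed under “Illegal users from:” in the SSHD section and prints those at or above a threshold, so a cron job can flag a source that is hammering sshd. The report text is a constructed sample modelled on the section shown above; the second source address (10.0.0.5) and its user line are made up so the threshold has something to filter.

```shell
#!/bin/sh
# Constructed sample report: the SSHD section from the article, plus a
# made-up second source (10.0.0.5) so the threshold logic has something to filter.
SAMPLE_REPORT=' --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times
    10.0.0.5: 2 times
       admin/password: 2 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)

 ---------------------- SSHD End -------------------------'

# ssh_illegal_sources REPORT_TEXT THRESHOLD
# Prints "<ip> <count>" for every source listed under "Illegal users from:"
# inside the SSHD section whose attempt count is >= THRESHOLD.
# The per-user sub-lines ("user/method: N times") do not match the address
# pattern and are skipped; the block ends at the first blank line.
ssh_illegal_sources() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /^ *-+ SSHD Begin/ { in_sshd = 1; next }
    /^ *-+ SSHD End/   { in_sshd = 0; next }
    in_sshd && /^ *Illegal users from:/ { in_block = 1; next }
    in_block && /^ *$/ { in_block = 0; next }
    in_block && /^ *[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: [0-9]+ times/ {
      ip = $1; sub(/:$/, "", ip)
      if ($2 + 0 >= thr) print ip, $2 + 0
    }
  '
}

# Usage: flag any source with 10 or more rejected logins in the saved report.
ssh_illegal_sources "$SAMPLE_REPORT" 10
```

In practice you would feed it the file written by --save (for example `ssh_illegal_sources "$(cat logwatch.today)" 10`) and pipe non-empty output to mail or to your ticketing system. The threshold is deliberately a parameter: what counts as noise on an Internet-facing host is an incident on an internal one.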

Logwatch Paranoid Configuration

As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supersede any parameters set in the configuration file located in /usr/share/logwatch/default.conf.

For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.

The default settings are:

Range = yesterday
Detail = Low
Archives = No

You should change these to:

Range = All
Detail = High
Archives = Yes

The Archives setting grabs data from your rotated (archived) logs as well. If you remember from the first post in this series, they’re located under the /var/log directory and have a .X suffix on the filename to designate their rotation number.

These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.

# logwatch --detail=High --range=All --archives
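A quick way to check whether a machine is still on the stock values is to audit its configuration file for the three settings above. The following POSIX shell functions are an added example, not code from the article or from the Logwatch project: they read `Key = Value` lines from a logwatch configuration (comments ignored, keys matched case-insensitively, last assignment wins) and report any of Range, Detail and Archives that differ from the values recommended here. Both configuration texts are constructed samples, not real shipped files; the comparison is on the literal words (all, high, yes), so a numeric Detail such as 10 would be reported as differing.

```shell
#!/bin/sh
# Constructed samples of the three settings as they appear in a logwatch
# configuration file. Neither is a real shipped file.
STOCK_CONF='# stock values (constructed sample)
LogDir = /var/log
MailTo = root
Range = yesterday
Detail = Low
Archives = No'

PARANOID_CONF='# paranoid values (constructed sample)
LogDir = /var/log
MailTo = root
Range = All
Detail = High
Archives = Yes'

# logwatch_conf_get CONF_TEXT KEY
# Prints the value of KEY from "Key = Value" lines, lowercased for comparison.
# Lines starting with # and blank lines are skipped; the last assignment wins.
logwatch_conf_get() {
  printf '%s\n' "$1" | awk -F'=' -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    NF >= 2 {
      k = $1; gsub(/[[:space:]]/, "", k)
      v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) val = tolower(v)
    }
    END { print val }
  '
}

# logwatch_conf_audit CONF_TEXT
# Compares Range, Detail and Archives against the recommended values.
# Prints one line per setting that differs; returns 0 if all three match,
# 1 otherwise, so it can drive a cron job or a configuration check.
logwatch_conf_audit() {
  rc=0
  for want in Range:all Detail:high Archives:yes; do
    key=${want%%:*}
    value=${want#*:}
    have=$(logwatch_conf_get "$1" "$key")
    if [ "$have" != "$value" ]; then
      printf '%s = %s (recommended: %s)\n' "$key" "${have:-<unset>}" "$value"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: audit the stock sample, then the hardened one.
if logwatch_conf_audit "$STOCK_CONF"; then
  echo "stock config already matches the paranoid profile"
else
  echo "stock config differs from the paranoid profile (see above)"
fi
logwatch_conf_audit "$PARANOID_CONF" && echo "paranoid config OK"
```

On a real host you would pass the contents of the configuration file, for example `logwatch_conf_audit "$(cat /usr/share/logwatch/default.conf/logwatch.conf)"`, adjusting the path to where your packager put it.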

Customizing Output

Here’s a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.

The command line version is shown below.

# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html

The equivalent settings in the configuration file are:

Save = /var/www/html/logwatch.html
Output = html

The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report

Logwatch is a useful script for system administrators who don’t have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that’s installed on every system you manage.

Next week, you’ll take a look at some real-time log monitoring with swatch.

Comments on "From the Sys Admin Toolbox: Logwatch"

lumix

I think Logwatch offers the best when it comes to watching and monitoring logs. If it weren’t for logwatch, then most of the system administrators would have experienced a really hard time monitoring all those log files intact. Furthermore, it is a really simple to use daily reporter. The choice of reporting the previous days’ log files makes this really handy in certain situations. Anyway, I am really looking forward to see the active monitoring tools from you guys! Regards Jane hr services

fantom

Logwatch, this log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system, is a very useful thing. I know that it is not a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system; it is an after-the-fact tool that provides you with a daily report of service activity. I needed to see the reports on yesterday’s log information, so I installed Logwatch 7.3.6 via the rpm on my CentOS 5.4 server. But the issue is I’m getting basically empty reports from logwatch. The only two sections which have any information are sam… This drives me mad :(

Good overview of logwatch. Please get a spam filter as you are getting overrun.
