
From the Sys Admin Toolbox: Logwatch

Q: What did one lumberjack say to the other lumberjack? A: Watch those logs.

Last week we provided an introduction to the Linux system logs. (See Logs: Your Linux System’s Lovable Worker Bees.) Now, what will you, as a system administrator, use to watch logs? Logwatch, of course. As so many others have succinctly put it, messing with log files is a royal pain in the backside. Logwatch makes the experience of keeping track of system activity almost painless for you.

Logwatch is a log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system. It is not, I repeat not, a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system. It is an after-the-fact tool that provides you with a daily report of service activity. It reports on yesterday’s log information.

We’ll explore active monitoring tools in the coming weeks to catch a would-be system hacker. Logwatch’s value isn’t in its ability to catch a criminal with his hands on your system; its value is in saving you the effort of manually scraping logs.

Logwatch

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use – works right out of the package on almost all systems.

The Basics

Before we begin, if you need a bit more background on Linux logs and system information, check out any of the following articles:

Now, let’s dive in.

Install logwatch in the usual way for your particular distribution using a package manager or download the source from the Logwatch Project page.

Primary setup is easy. If you installed via package, an automatic cron entry in cron.daily runs logwatch every day for you. Default setup includes all services, default log location /var/log and mail to the local root account. Logwatch installs to the /usr/share/logwatch directory for Debian-based and Red Hat-based systems. The main configuration file is under /usr/share/logwatch/default.conf. Some packagers create a symbolic link from /usr/sbin/logwatch to the perl script under /usr/share/logwatch/scripts/logwatch.pl.

Using Logwatch

Logwatch, by default, runs daily on yesterday’s logs and sends an email to the local root account with a low level of detail. For most of you, this is enough information in a daily summary to satisfy your needs and curiosity about what’s going on with your system. For others with systems that are a bit more security sensitive, you’ll need to slightly tweak the parameters of this “near perfect by default” tool.

You can run logwatch with a specific date range. For example, if you want to see information about today’s SSHD activity, you can run this command:

# logwatch --service sshd --range=Today

Check root’s mail to see the details of the report. The SSHD section of the report is shown below.

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

This is your default “Low” detail logwatch output report. For a more detailed report, try using --detail=Medium. Check root’s mail for the report.

# logwatch --service sshd --range=Today --detail=Medium

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

You can see that there’s more detail in this report. You can try using the High parameter to squeeze more detail from logs.

# logwatch --service sshd --range=Today --detail=High

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

As you can see, the detail didn’t change from Medium to High for SSHD. Alternatively, you can specify the detail level using the numeric values 0, 5 or 10, where 10 is the highest level of detail. Please note that you won’t receive more detail than what’s supplied in the logs.
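Because Logwatch is an after-the-fact reporting tool, the useful thing to do with its SSHD section is to post-process it: pull the per-source failed-login counts out of the “Illegal users from:” block and flag any source host whose count crosses a threshold you set. The following POSIX shell script is an added example written for this article, not part of Logwatch or of the original post. The report text it works on is constructed from the Medium-detail output shown above with a second, made-up source host (10.0.0.5) added so the threshold logic has something to filter; the function names are the author’s own.

```shell
#!/bin/sh
# Constructed sample input: the Medium-detail SSHD section from the article,
# plus one made-up extra source host so the threshold filter is exercised.
SAMPLE_REPORT=$(cat <<'EOF'
 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times
    10.0.0.5: 2 times
       admin/password: 2 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)

 ---------------------- SSHD End -------------------------
EOF
)

# Print only the lines between the "SSHD Begin" and "SSHD End" banners,
# so a full multi-service report can be fed in unchanged.
sshd_section() {
    printf '%s\n' "$1" | awk '/SSHD Begin/ { on = 1; next } /SSHD End/ { on = 0 } on'
}

# From the "Illegal users from:" block, print "address count" for each source
# host. Source-host lines look like "    192.168.1.83: 12 times"; the per-user
# lines beneath them ("       bob/password: 6 times") do not match the
# address pattern and are skipped. The block ends at the first blank line.
illegal_user_sources() {
    sshd_section "$1" | awk '
        /^ Illegal users from:/ { inblock = 1; next }
        inblock && NF == 0      { inblock = 0 }
        inblock && $1 ~ /^[0-9.]+:$/ { sub(":", "", $1); print $1, $2 }
    '
}

# Sum the failed-login counts over all source hosts.
total_illegal_attempts() {
    illegal_user_sources "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Print the source hosts whose count is at or above THRESHOLD ($2).
noisy_sources() {
    illegal_user_sources "$1" | awk -v t="$2" '$2 + 0 >= t + 0 { print $1 }'
}

# Demonstration: hosts with ten or more failed logins in this report.
noisy_sources "$SAMPLE_REPORT" 10
```

To use it against a real run, replace the constructed text with the output of `logwatch --service sshd --range=Today --detail=Medium --save=...` (or read the saved file into the variable) and call `noisy_sources` from the same cron job that produces the report. Note that the script deliberately parses the source-host lines and not the **Unmatched Entries** block, whose wording depends on the PAM messages your distribution emits.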

For those of you, like me, who don’t love command line mail, you can tell logwatch to save its report to a file.

# logwatch --service sshd --range=Today --detail=High --save=logwatch.today

If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.

Logwatch Paranoid Configuration

As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supersede any parameters set in the configuration file located in /usr/share/logwatch/default.conf.

For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.

The default settings are:

Range = yesterday
Detail = Low
Archives = No

You should change these to:

Range = All
Detail = High
Archives = Yes

The Archives setting pulls in your rotated (archived) logs as well. If you remember from the first post in this series, they’re located under the /var/log directory and have a .X filename suffix to designate their rotation number.

These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.

# logwatch --detail=High --range=All --archives
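Rather than editing the packaged default.conf in place, where a package upgrade can overwrite your changes, the three “paranoid” settings above can be dropped into a local override file. The script below is an added example written for this article, not Logwatch’s own code. It assumes, based on Logwatch’s own customization HOWTO rather than anything on this page, that /etc/logwatch/conf/logwatch.conf is read after default.conf and wins on conflicts; the target path is passed as an argument so the function can be tried against a temporary file first, and the function names are the author’s own.

```shell
#!/bin/sh
# Write a Logwatch override file containing the "paranoid" settings from the
# article. Assumed (not stated on the page): site overrides belong in
# /etc/logwatch/conf/logwatch.conf, which Logwatch reads after default.conf.
# The path is a parameter so this can be exercised on a scratch file.
write_paranoid_conf() {
    target=$1
    cat > "$target" <<'EOF'
# Local Logwatch overrides: all services, full detail, rotated logs included.
Range = All
Detail = High
Archives = Yes
EOF
}

# Read a "Key = Value" setting back out of a Logwatch-style config file,
# skipping comment lines and trimming whitespace around key and value.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Succeed only if all three settings are present with the expected values,
# so a deployment script can verify the file before relying on it.
check_paranoid_conf() {
    [ "$(conf_value "$1" Range)" = "All" ] &&
    [ "$(conf_value "$1" Detail)" = "High" ] &&
    [ "$(conf_value "$1" Archives)" = "Yes" ]
}
```

A typical deployment would call `write_paranoid_conf /etc/logwatch/conf/logwatch.conf` as root, then `check_paranoid_conf` on the same path; the daily cron job picks the new values up on its next run, and a one-off `logwatch --detail=High --range=All --archives` at the command line remains equivalent.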

Customizing Output

Here’s a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.

The command line version is shown below.

# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html

The equivalent settings in the configuration file are:

Save = /var/www/html/logwatch.html

Output = html

The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report

Logwatch is a useful script for system administrators who don’t have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that’s installed on every system you manage.

Next week, you’ll take a look at some real-time log monitoring with swatch.
