
From the Sys Admin Toolbox: Logwatch

Q: What did one lumberjack say to the other lumberjack? A: Watch those logs.

Last week we provided an introduction to the Linux system logs. (See Logs: Your Linux System’s Lovable Worker Bees.) Now, what will you, as a system administrator, use to watch logs? Logwatch, of course. As so many others have succinctly put it, messing with log files is a royal pain in the backside. Logwatch makes the experience of keeping track of system activity almost painless for you.

Logwatch is a log file parser program (Perl script) that provides a report to you on any “interesting” activity on your system. It is not, I repeat not, a pre-emptive tool or a tool that’s used to catch anyone “in the act” of breaking into your system. It is an after-the-fact tool that provides you with a daily report of service activity. It reports on yesterday’s log information.

We’ll explore active monitoring tools in the coming weeks to catch a would-be system hacker. Logwatch’s value isn’t in catching an intruder with his hands on your system; it is designed to save you the effort of manually scraping logs.

Logwatch

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use – works right out of the package on almost all systems.

The Basics

Before we begin, if you need a bit more background on Linux logs and system information, check out any of the following articles:

Now, let’s dive in.

Install logwatch in the usual way for your particular distribution using a package manager or download the source from the Logwatch Project page.

Primary setup is easy. If you installed via package, an automatic cron entry in cron.daily runs logwatch every day for you. Default setup includes all services, default log location /var/log and mail to the local root account. Logwatch installs to the /usr/share/logwatch directory for Debian-based and Red Hat-based systems. The main configuration file is under /usr/share/logwatch/default.conf. Some packagers create a symbolic link from /usr/sbin/logwatch to the perl script under /usr/share/logwatch/scripts/logwatch.pl.

Using Logwatch

Logwatch, by default, runs daily on yesterday’s logs and sends an email to the local root account with a low level of detail. For most of you, this daily summary is enough information to satisfy your needs and curiosity about what’s going on with your system. For others with systems that are a bit more security sensitive, you’ll need to slightly tweak the parameters of this “near perfect by default” tool.

You can run logwatch with a specific date range. For example, if you want to see information about today’s SSHD activity, you can run this command:

# logwatch --service sshd --range=Today

Check root’s mail to see the details of the report. The SSHD section of the report is shown below.

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

This is your default “Low” detail logwatch output report. For a more detailed report, try using --detail=Medium. Check root’s mail for the report.

# logwatch --service sshd --range=Today --detail=Medium

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

You can see that there’s more detail in this report. You can try using the High parameter to squeeze more detail from logs.

# logwatch --service sshd --range=Today --detail=High

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

As you can see, the detail didn’t change from Medium to High for SSHD. Alternatively, you can specify the detail level with the numeric values 0, 5 or 10, where 10 is the highest level of detail. Please note that you won’t receive more detail than what’s supplied in the logs.

For those of you, like me, who don’t love command line mail, you can tell logwatch to save its report to a file.

# logwatch --service sshd --range=Today --detail=High --save=logwatch.today

If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.
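Once the report is saved to a file, the SSHD section is easy to post-process. The following is an added example (not from the article or the Logwatch project) that reads a saved report and lists the source addresses in the “Illegal users from:” block whose failed-login count reaches a threshold; the sample report and its second address are constructed to match the layout shown above.

```shell
#!/bin/sh
# Added example (not from the article or the Logwatch project): parse the
# "Illegal users from:" block of a saved Logwatch SSHD section and list the
# source addresses whose failed-login count meets a threshold, so the daily
# report raises a flag instead of relying on someone reading it by eye.

# Constructed sample in the same layout as the report shown above
# (the second address is made up for the example).
SAMPLE_REPORT='
 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times
    192.168.1.90: 2 times
       alice/password: 2 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)

 ---------------------- SSHD End -------------------------
'

# illegal_user_sources THRESHOLD
#   Reads a Logwatch report on stdin and prints "ADDRESS COUNT" for every
#   source in the SSHD "Illegal users from:" block with COUNT >= THRESHOLD.
#   Per-user lines (indented deeper) and other sections are ignored.
illegal_user_sources() {
    awk -v min="$1" '
        /SSHD Begin/ { in_sshd = 1; next }
        /SSHD End/   { in_sshd = 0 }
        in_sshd && /Illegal users from:/ { in_block = 1; next }
        in_sshd && in_block && NF == 0   { in_block = 0 }
        # Address lines are indented exactly four spaces: "    A.B.C.D: N times"
        in_sshd && in_block && /^    [0-9.]+: [0-9]+ times/ {
            addr = $1; sub(/:$/, "", addr)
            if ($2 + 0 >= min) print addr, $2 + 0
        }
    '
}

# Run against the embedded sample; for a real report, save it first with
#   logwatch --service sshd --range=Today --save=logwatch.today
# and pipe it in:  illegal_user_sources 10 < logwatch.today
printf '%s\n' "$SAMPLE_REPORT" | illegal_user_sources 10
```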

Logwatch Paranoid Configuration

As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supersede any parameters set in the configuration file located under /usr/share/logwatch/default.conf.

For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.

The default settings are:

Range = yesterday
Detail = Low
Archives = No

You should change these to:

Range = All
Detail = High
Archives = Yes

The Archives setting pulls in data from your rotated logs as well. If you remember from the first post in this series, they’re located under the /var/log directory and carry a .X suffix to designate their rotation number.

These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.

# logwatch --detail=High --range=All --archives

Customizing Output

Here’s a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.

The command line version is shown below.

# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html

The equivalent settings in the configuration file are:

Save = /var/www/html/logwatch.html

Output = html

The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report

Logwatch is a useful script for system administrators who don’t have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that’s installed on every system you manage.

Next week, you’ll take a look at some real-time log monitoring with swatch.
