Logwatch is a highly customizable log analysis system. It parses your system's logs over a given period and creates a report analyzing the areas you care about. It is an essential tool for staying informed about your servers' activity without having to manually sift through large log files.
Why use Logwatch?
- Time-saving: Receive a daily or weekly summary of system activity by email.
- Triage: surfaces failed login attempts, disk errors, service restarts and similar events so you do not have to read the raw logs.
- Security: helps you spot brute-force attempts, unexpected sudo use and other suspicious activity early. It is a daily digest, not a replacement for real-time alerting or an intrusion detection system.
- Customizable: You can easily set the level of detail in the reports and which services to monitor.
Prerequisites
- A Linux server (Ubuntu/Debian, CentOS/RHEL).
- Root access or sudo privileges.
- A way to send mail: a mail transport agent (MTA) such as Postfix, or a lightweight sendmail-compatible client such as msmtp that relays to your mail provider.
Installation
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y logwatch
# On CentOS / RHEL
sudo yum install -y epel-release
sudo yum install -y logwatch
The installation sets up a daily cron job, /etc/cron.daily/00logwatch on Debian/Ubuntu and /etc/cron.daily/0logwatch on CentOS/RHEL, that runs Logwatch every day with the settings described below.
Configuration
The default configuration is located in /usr/share/logwatch/default.conf/logwatch.conf. Do not edit that file: package upgrades overwrite it. Instead, create a copy in /etc/logwatch/conf/ and modify the copy; any setting in the copy overrides the packaged default.
sudo mkdir -p /etc/logwatch/conf
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
sudo nano /etc/logwatch/conf/logwatch.conf
Key parameters to modify
Here are the most important lines to adjust in your new /etc/logwatch/conf/logwatch.conf file:
# Send the report by email instead of printing it to standard output
Output = mail
# Report format (text or html)
Format = html
# Email address that will receive the report (placeholder, replace with your own)
MailTo = admin@example.com
# Sender email address (placeholder; pick one your mail domain is allowed to send as)
MailFrom = logwatch@example.com
# Time period to analyze. "yesterday" is the most common for a daily report.
Range = yesterday
# Report detail level. Possible values are: Low, Med, High (equivalent to 0, 5, 10)
# or a number from 0 to 10. "Med" is a good starting point.
Detail = Med
With these settings, you will receive an HTML report of the previous day's activity every morning at the specified email address. Keep in mind that the report lists hostnames, usernames and source IP addresses, so it should go to a mailbox you control and be relayed over a TLS-protected connection rather than sent in clear text across the Internet.
Customizing services
You can fine-tune the reports for specific services. For example, to get more detail on SSH connections, you can create a configuration file for that service:
sudo nano /etc/logwatch/conf/services/sshd.conf
And add the following:
# Get a more detailed report for the sshd service
Detail = High
Conversely, if you do not want a service in the report at all (e.g. `http` for Apache), exclude it in your /etc/logwatch/conf/logwatch.conf rather than through a service file. The Service key accumulates, so the exclusion goes after the line that selects all services:
sudo nano /etc/logwatch/conf/logwatch.conf
# Keep every service except the Apache report
Service = All
Service = "-http"
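The same three directories under /etc/logwatch also accept a service of your own, which is how an application log that Logwatch does not know about gets into the report. This goes beyond tuning a bundled service: it is an added example, not code from the Logwatch project. The application, its log format, /var/log/myapp.log and the "MyApp" name are all hypothetical, and the sample log lines are constructed.

```shell
# Added example, not from the Logwatch project: a custom service for a
# hypothetical application log, /var/log/myapp.log, whose lines look like
#   2024-05-01T02:13:44 myapp[123]: LOGIN_FAIL user=alice ip=203.0.113.7
# Logwatch needs three pieces: a logfile group (which files), a service
# definition (title plus which group) and a filter script that receives the
# selected lines on stdin and prints the report. Logwatch exports
# LOGWATCH_DETAIL_LEVEL (0-10) to every filter, so a per-service
# "Detail = High" reaches the script through that variable.
set -eu

# The filter itself, in awk so the same program runs in the function below
# and in the installed script. Unrecognised lines are echoed at the end,
# the usual Logwatch convention, so new log formats are noticed, not hidden.
MYAPP_AWK='
BEGIN { total = ok = fail = err = nun = 0 }
{ total++; matched = 0 }
/ LOGIN_OK /   { ok++; matched = 1 }
/ LOGIN_FAIL / { fail++; matched = 1
                 if (match($0, /ip=[^ ]+/)) byip[substr($0, RSTART + 3, RLENGTH - 3)]++ }
/ ERROR /      { err++; matched = 1; if (detail >= 10) errs[err] = $0 }
!matched       { unmatched[++nun] = $0 }
END {
  printf "Lines processed: %d\n", total
  printf "Successful logins: %d\n", ok
  printf "Failed logins: %d\n", fail
  if (detail >= 5) for (ip in byip) printf "    from %s: %d time(s)\n", ip, byip[ip]
  printf "Application errors: %d\n", err
  if (detail >= 10) for (i = 1; i <= err; i++) printf "    %s\n", errs[i]
  if (nun > 0) {
    printf "\n**Unmatched Entries**\n"
    for (i = 1; i <= nun; i++) printf "    %s\n", unmatched[i]
  }
}'

# myapp_report [DETAIL] : filter stdin into a report. DETAIL defaults to the
# variable Logwatch sets, then to 5 (Med) when run by hand.
myapp_report() {
  awk -v detail="${1:-${LOGWATCH_DETAIL_LEVEL:-5}}" "$MYAPP_AWK"
}

# install_myapp_service DIR : write the three files under DIR, laid out as
# under /etc/logwatch (DIR=/etc/logwatch installs for real; any other DIR
# is a staging copy you can review first).
install_myapp_service() {
  dir="$1"
  mkdir -p "$dir/conf/logfiles" "$dir/conf/services" "$dir/scripts/services"
  # Logfile group: the live file and its rotated archives.
  printf 'LogFile = /var/log/myapp.log\nArchive = /var/log/myapp.log.*.gz\n' \
    > "$dir/conf/logfiles/myapp.conf"
  # Service definition: report title and the logfile group it reads.
  printf 'Title = "MyApp"\nLogFile = myapp\n' > "$dir/conf/services/myapp.conf"
  # Filter script: Logwatch runs it by name with the log lines on stdin.
  {
    printf '#!/bin/sh\n'
    printf "exec awk -v detail=\"\${LOGWATCH_DETAIL_LEVEL:-5}\" '%s'\n" "$MYAPP_AWK"
  } > "$dir/scripts/services/myapp"
  chmod 0755 "$dir/scripts/services/myapp"
}

# Constructed sample input for a dry run (not real log data).
SAMPLE_LOG='2024-05-01T02:13:44 myapp[123]: LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T02:13:50 myapp[123]: LOGIN_FAIL user=root ip=203.0.113.7
2024-05-01T02:14:02 myapp[123]: LOGIN_FAIL user=bob ip=198.51.100.23
2024-05-01T02:15:11 myapp[123]: LOGIN_OK user=alice ip=192.0.2.10
2024-05-01T02:16:30 myapp[123]: ERROR database connection timed out
2024-05-01T02:17:00 myapp[123]: CONFIG reloaded'

# demo_report [DETAIL] : run the filter over the sample at the given detail.
demo_report() {
  printf '%s\n' "$SAMPLE_LOG" | myapp_report "${1:-5}"
}
```

After `install_myapp_service /etc/logwatch`, `sudo logwatch --service myapp --output stdout --range today` shows the new section; raising the detail in /etc/logwatch/conf/services/myapp.conf adds the per-IP breakdown (5 and above) and the raw error lines (10). The "**Unmatched Entries**" block at the bottom is where a changed log format or a new event type will show up first, so it is worth reading rather than ignoring.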
Testing the configuration
You do not need to wait until the next day to see if it works. You can run Logwatch manually:
# Read the config file but override output and format on the command line, so the report is printed to the screen instead of mailed
sudo logwatch --output stdout --format text --detail Med --range today
This command gives you a preview of the report that will be sent. Add `--service sshd` to preview a single service, or `--range yesterday` to see exactly what the next cron run will produce.
For email sending to work (Output = mail), your server must be able to send mail. Make sure you have a working MTA (such as Postfix, or a sendmail-compatible client like msmtp relaying to an authenticated smarthost) and that the address or IP you send from is not on a blocklist at the recipient's provider, otherwise the report is silently dropped or quarantined. Relaying through your mail provider over TLS avoids most delivery problems and keeps the report's hostnames, usernames and IP addresses off the wire in clear text. A quick end-to-end check is `sudo logwatch --output mail --mailto admin@example.com --range today --service sshd` (replace the address with your own) and then looking at the mail log for the delivery result.
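Both points, the override file in /etc/logwatch/conf taking precedence over the packaged default and the server actually being able to send mail, can be checked before trusting the cron job. The following preflight is an added example and not part of Logwatch; the file paths are the standard package locations and the lw_* function names are this example's own.

```shell
# Added example, not from the Logwatch project: preflight checks for the
# mailed report. It resolves settings with the precedence described above
# (the copy under /etc/logwatch/conf overrides the packaged default) and
# refuses to call the deployment ready until Output and MailTo are sane
# and a sendmail binary exists. Paths are the standard Debian/RHEL ones.
set -eu

LW_OVERRIDE="${LW_OVERRIDE:-/etc/logwatch/conf/logwatch.conf}"
LW_DEFAULT="${LW_DEFAULT:-/usr/share/logwatch/default.conf/logwatch.conf}"

# lw_value KEY FILE... : print the effective value of KEY, taking the last
# assignment in the first readable file that sets it. Trailing "# comments"
# and surrounding double quotes are stripped. Keys are matched
# case-sensitively here (Logwatch itself is case-insensitive), so use the
# spelling found in the file. Returns 1 if no file sets the key.
lw_value() {
  key="$1"; shift
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//')
    if [ -n "$v" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done
  return 1
}

# lw_config_ok OVERRIDE DEFAULT : 0 if the settings will produce a mailed
# report to a real address, 1 otherwise (each problem is printed). The
# fallbacks (stdout, root) are the values the packaged default ships with.
lw_config_ok() {
  ok=0
  output=$(lw_value Output "$1" "$2" || echo stdout)
  mailto=$(lw_value MailTo "$1" "$2" || echo root)
  [ "$output" = "mail" ] || { echo "Output=$output: report goes to stdout, not mail"; ok=1; }
  case "$mailto" in
    root|""|*@example.com)
      echo "MailTo=$mailto: placeholder address, set a real recipient"; ok=1 ;;
  esac
  return $ok
}

# lw_mta_ok : 0 if a sendmail-compatible binary is present (Postfix, Exim
# and msmtp's sendmail wrapper all provide one), 1 otherwise.
lw_mta_ok() {
  if command -v sendmail >/dev/null 2>&1 || [ -x /usr/sbin/sendmail ]; then
    return 0
  fi
  echo "no sendmail binary found: install Postfix or msmtp with its sendmail wrapper"
  return 1
}

# lw_preview SERVICE : print what the next report would contain for one
# service, without sending mail (same flags as the manual test command,
# plus --service to keep the output short).
lw_preview() {
  command -v logwatch >/dev/null 2>&1 || { echo "logwatch not installed"; return 1; }
  logwatch --output stdout --format text --range yesterday --detail High --service "$1"
}

# Run everything when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
  lw_config_ok "$LW_OVERRIDE" "$LW_DEFAULT" && lw_mta_ok && lw_preview sshd
fi
```

The config check is deliberately separate from the MTA check so it can be run on a workstation against a copy of the files; a sendmail binary on the box still says nothing about whether the relay accepts the message, which is why the manual `--output mail` test and a look at the mail log remain the final word.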
Conclusion
Logwatch is an indispensable tool for the basic security hygiene of any Linux server. It turns the noise of log files into digestible, actionable information, allowing you to stay aware of what is happening on your systems with minimal effort. Configuring it to receive a daily email report is one of the first things to do when bringing a new machine into service.