Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Logwatch -- a syslog analyzer written in Perl

News

See also

Recommended Links Reference Event correlation Anomaly Detection Analyzers
Octopussy LogSurfer Kazimir[BB] LooperNG Swatch[BB] Xlogmaster
devialog OSSEC Sawmill Lire Logrep php-syslog-ng
logtail logcheck Net::Dev::
Tools::Syslog
loghound Sisyphus an event log data-mining toolkit Splunk [BB]
Http logs analyzers Multipurpose plug-in based analyzers Static pattern matching Humor Etc

Introduction


The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain.

 All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.

Scott Sidel in Logwatch Taking the pain out of log analysis 

Logwatch is a customizable log analyzer written in Perl.  Logwatch parses syslog logs for a given period of time and creates a report for specified daemons or applications.

The current version (as of Jan 2015) is 7.4.2 (Logwatch branches).  Logwatch is not a single script, but a set of Perl scripts and filters. RPM packages are available for both RHEL and SLES, but they are not installed by default.

The architecture is somewhat similar to /etc/inet.d and uses the idea "one script per service" to pickup relevant messages from a particular service. Relevant script is specified in invocation, for example

logwatch --service kernel  

Filtering logic is directly encoded in each Perl script (one script per daemon) . Which is not a bad idea for those who know Perl really well. No so great for everybody else: for them the program is by-and-large a blackbox.

Scripts for each service are stored in /usr/share/logwatch/scripts/services directory. In the current version there are about hundred of them  (91 in RHEL 6.5, 92 in SLES 11, SP3). That creates a real maintenance problem as some of them were never updated from 2007 and now are definitely outdated.

In loading "service script" logwatch first tries /etc/logwatch tree (the tree for locally customized scripts) and then /usr/share/logwatch tree (the default tree that comes with the distribution). So you can copy and modify any service script to /etc/logwatch without destroying the "default" version stored in /usr/share/logwatch tree.

In loading "service script" logwatch first tries /etc/logwatch tree (the tree for locally customized scripts) and then /usr/share/logwatch tree (the default tree that comes with the distribution). So you can copy and modify any service script to /etc/logwatch without destroying the "default" version stored in /usr/share/logwatch tree.

The program is abandonware and most scripts are outdated. Maintenance efforts are very limited as you can see from SourceForge logs. For example, the critical /usr/share/logwatch/scripts/services/kernel script was last updated in 2006 or seven years ago (this page was written in March 2013):

3 # $Id: kernel,v 1.33 2006/01/16 18:40:31 kirk Exp $

Documentation is so-so, although this is a standard level for most software packages ;-). At least it does exist.

Usage

Logwatch can either be used at the command-line to generate on-the-fly reports, or via cron to regularly create and possibly mail to you custom reports. You can specify, how much details are written in the report.

You basically tell logwatch for which service, time span and to which detail level to generate a report.

The first parameter to specify is service. If you want all services specify. For example:

logwatch --service All

If it is not specified the the value form active configuration file is used (All is default value)

For example to get a detailed report on all kernel messages from yesterday you can run the following command:

logwatch --service kernel --detail High --range Yesterday --print

The most difficult part is specifying timespan, which should be given as a parameter to the option --range . In the example above it is simply Yesterday . Other options are pretty transparent:

Timespan Specification

Timespan specification is pretty complex. The default is "for that day". At the beginning you can limit yourself to three typical cases:

To get help on timespan specification use logwatch --range help

Non-standard, but well-supported Perl module Date::Manip  is used. It provides pretty flexible means of specifying dates including two common keywords:

yesterday
today

All date specified in logwatch  time specification like between should have values that can be parsed by Perl Date::Manip module. The latter was written by Sullivan Beck and is documented on Cspan.

The format of the range option is:

--range "date_range [period]"
Both parameter date_range and optional period must be enclosed in quotes if it is more than one word. The default for date_range is "yesterday" but it can be changes in configuration file. Here are examples of valid date_range specifications:
all
between date1 and date2
since date1

Valid instances of the optional parameter period have one of the following formats:

   for (that|this) (year|month|day|hour|minute|second)
   for those (years|months|days|hours|minutes|seconds)

More examples:

   --range today
   --range yesterday
   --range '4 hours ago for that hour'
   --range '-3 days'
   --range 'since 2 hours ago for those hours'
   --range 'between -10 days and -2 days'
   --range 'Apr 15, 2005'
   --range 'first Monday in May'
   --range 'between 4/23/2005 and 4/30/2005'
   --range '2005/05/03 10:24:17 for that second'
(The last entry might be used by someone debugging a log or filter.)

A caution about efficiency: a range of "yesterday for those hours" will search for log entries for the last 24 hours, and is inefficient because it searches for individual matches for each hour. A range of "yesterday" will search for log entries for the previous day, and it searches for a single date match.

Examples

The --range option has got a complex syntax—see logwatch --range help for details. A list of all services that can be queried is available with the following command:

ls /usr/share/logwatch/default.conf/services/ | sed 's/\.conf//g'

Customarization

As this is a log analyzer and logs are pretty idiosyncratic and depend not only on flavor of Linux (REHEL/SLES/Debian, etc) but also on set of installed applications, logwatch can and should be customized. The configuration files for logwatch on RHEL/CentOS/SLES are stored at the directory /etc/logwatch. By default the following three files are present

./conf/override.conf
./conf/logwatch.conf
./conf/ignore.conf

You can also create as many custom configuration as you wish in /etc/logwatch/conf/ using the default configuration file as a template.

A detailed HOWTO on customizing logwatch is available at HOWTO-Customize-LogWatch.

The most important configuration file is logwatch.conf which is the main configuration file. The default version is extensively commented.  It can be configured to email the generated report and actually have several settings specifically designed for central loghost environment (multimail, etc).  That suggests that the initial design goal was to simplify working with a large central loghost.

Each configuration option can be overwritten from the command line. If you change the file itself please make a backup. Please understand that you need to have a backup copy of your custom files as they can be overwritten with the update to a new version of logwatch

File ignore.conf is used to specify patterns that should globally be ignored by logwatch.

There are several additional directories too:

The directory /usr/share/*/logwatch contains several files with additional documentation:

HOWTO-Customize-LogWatch Documents the directory structure of Logwatch configuration and executable files, and describes how to customize Logwatch by overriding these default files.

Directory Structure

This section describes the subdirectories and files shipped with the Logwatch distribution, using the names and locations used by default.

The directory /usr/share/logwatch contains both the configuration and (perl) executable files. The contents of this directory are the following subdirectories:
default.conf:		 Contains the default configuration files
	 		 shipped with the Logwatch distribution

dist.conf:		 Contains the configuration files shipped
	 		 with your specific Operating Systems
	 		 distribution.

lib:		 	 Contains perl library files.

scripts:		 Contains the perl executables.
The /etc/logwatch directory contains the localization subdirectories:

The three directories /usr/share/logwatch/default.conf, /usr/share/logwatch/dist.conf, and /etc/logwatch/conf, all have the same structure:

The /etc/logwatch/conf directory may also contain the file 'override.conf', which is described in section 4, "Customizing the Configuration."

Executables Structure

The contents of the two directories /usr/share/logwatch/scripts and /etc/logwatch/scripts have the same structure:

Customizing the Configuration

During installation Logwatch modify the default configuration according tot he distribution it encounter, if it knows it. Therefore, you generally can start using Logwatch "as is".

You can customize the output of logwatch by modifying variables in the /etc/logwatch/conf directory.

Default values are specified in the /usr/share/logwatch/default.conf directory. Your distribution may have set additional defaults in the /usr/share/logwatch/dist.conf directory. All the variables available are declared in the files under these directories. You can change the default values to modify how or what is displayed with logwatch. One variable available to all services, and which by default is not specified, is the 'Detail' variable (note that it is not preceded by a '$' symbol). Specifying a Detail value will override the global Detail level, for that service only.

There are two mechanisms for customizing the variables:

  1. The /etc/logwatch/conf directory is first searched for files with the same name and relative location as the /usr/share/logwatch/default.conf directory. Variables declared in these files override the defaults.

    For example, if file /etc/logwatch/conf/services/sendmail.conf has the single entry:

     $sendmail_unknownusersthreshold = 5
    then the threshold for unknown users is set to five instead of the default of one. All other parameters are not modified.

    The configuration files have four different types of declarations, determined by the first character in each line:

          '#': Rest of line is a comment, and is ignored.
          '$': Rest of first field is a variable
          '*': Denotes the name of an executable script
    Other than blank lines, the only other declarations are reserved variable names, such as LogFile, Archive, etc.

    In general, setting a variable overrides any value previously set. However, the following variables are cumulative:


    To remove all previous declarations of that variable, set the variable to the empty string. Duplicate values in the cumulative variables are deleted.

    If an executable script is declared in an /etc/logwatch/conf file, all of the executable script declarations in the corresponding file in /usr/share/logwatch/default.conf or /usr/share/logwatch/dist.conf are ignored.

    Because of the way variables and executable scripts are declared, the files in /etc/logwatch/conf/ can be created in one of two ways:

  2. The /etc/logwatch/conf/override.conf file is then searched. The first field in each line may be one of the following: For example, if the file /etc/logwatch/conf/override.conf has the single entry:
    logwatch: Detail = High
    then the default detail level for all services will be set to High.

    And, in file override.conf, the following declaration:

    logfiles/messages: LogFile = syslog
    will analyze the syslog file (in addition to the default messages file) for certain services. But the following two declarations combined:
    logfiles/messages: LogFile = 
    logfiles/messages: LogFile = syslog

    will cause the messages file to be ignored for those same services, and only the syslog file will be used.

How to prevent logwatch from reporting on a particular service

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

 

Customizing the Scripts

Similarly to the way you can customize the configuration, as specified in section 4, you can override the default executable scripts.

This is accomplished by placing an executable file with the same name and relative path (with respect to /usr/share/logwatch/scripts) under the /etc/logwatch/scripts directory. If such a file is found in the /etc/logwatch/scripts directory, the corresponding file under /usr/share/logwatch/scripts will be ignored.

Creating New Service Filters

New services may be created by creating new configuration and executable files, described above, and placing them in the /etc/logwatch directory. This section provides additional details and examples for creating new service filters, but it might be easier to base the new files on the existing configuration and script files under the /usr/share/logwatch directory.

Logfile Groups

There is only one required line in the logfile group config file. This command is called 'LogFile'.
# This will be the logfile named 'messages' in the default logfile
# directory (probably /var/log).
LogFile = messages
# You can also give this command with an absolute path, like this: LogFile = /var/log/messages

You can have as many LogFile entries as you wish. All the files specified will be merged into one input stream for any filters that use this logfile group. You can also use standard wildcards when you specify the filename.

Another command that is optional is called 'Archive'. You can specify a file to also include in the data stream if the '--archives' option is used. If these files do not exist it is okay. For example:

# These 2 'Archive' entries will allow users of most Red Hat Linux
# systems to access their archives of the 'messages' logfile:
Archive = messages.?
# If they configure Compression to be on in /etc/logrotate.conf:
Archive = messages.?.gz
# It is best just to include both of these so that the logfile group
# will work for most systems.
Now, the general theory is that the LogFile Group should apply the date range requested. If the logfile is in the standard syslog format, you can use the shared script 'ApplyStdDate' to filter out only the appropriate log entries. The way to call shared scripts (located under /usr/share/logwatch/scripts/shared) is:
*ApplyStdDate = 
Anything following the equal sign will be passed to the program as arguments (the equal sign can be eliminated if no arguments are needed). You should look at the current logfile group config files for examples.

Finally, if the directory /usr/share/logwatch/scripts/logfiles exists, any scripts in that directory will be executed. All of these scripts take the contents of all the specified logfiles in through STDIN and output the modified logfile trought STDOUT.

Service Filter Configuration File

Once you have defined one or more logfile groups (or decided on one or more existing logfile groups), you need to define your service filter.

This file needs to be in /etc/logwatch/conf/services/ and it needs to be named service_name.conf, where service_name is the name of the service. You should probably copy an existing config for another service to create a new one.

There is only one required line. This is the command 'LogFile'. The LogFile command allows you to specify one or more *LogFile Groups* (as described above) that this filter will process. Remember, any filter can process any number of LogFile Groups, and any LogFile Group may contain the data from any number of logfiles (and archives).

For a service filter that needs messages from /var/log/messages you would add this line:

LogFile = 
NOTE: This is *not* because the name of the logfile is 'messages', but it is because the name of the LogFile Group that has been defined is 'messages'. You can have commands in the form of:
*SharedScriptName = Arguments
that will execute a script found in the
/usr/share/logwatch/scripts/shared/
directory named 'SharedScriptName' with arguments 'Arguments'. This filter will modify the input to the service's filter.

You can also have commands in the form:

$EnvironmentVariable = Value
This command will set the 'EnvironmentVariable' environment variable to the value 'Value'. This environment variable will be accessible by your filter program.

You will also usually want to specify a title for your script (new in Logwatch 4.0). If specified, then a start and stop delimiter will be added by Logwatch for your specific service (with your script's output between those delimiters). This will *only* happen if you produce output. If you produce no output, the headers will not be created. Here is how you define your title:

Title = "My Service Title"

Service Filter Executable

Once everything above has been done, you are ready to actually write your filter. This can be done in any language as all it does is:

  1. Read logfile entries from STDIN
  2. Access some environment variables
  3. Generate a report on STDOUT
Before you try to write a filter, you should create the filter and make its contents the test script given below. The filter needs to be located in /etc/logwatch/scripts/services/ and named service_name (because you named the config file service_name.conf).

###################### Cut Here #########################
#!/bin/bash
# This is as nice script that will show you the lines you will
# be processing and reporting on.  It will first display the
# standard environment variables and then it takes STDIN and
# dump it right back out to STDOUT.  

# These are the standard environment variables.  You can define
# more in your service config file (see above).
echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

# Now take STDIN and dump it to STDOUT
cat
###################### Cut Here #########################
If you temporarily replace a script such as 'pam' with the above, you will notice that much has been cut out of /var/log/messages before it gets to this filter.

The value of the environment variable LOGWATCH_DETAIL_LEVEL can be any integer. In reality, it is usually 0 (for low), 5 (for medium), and 10 (for high).

Your script should only produce output as appropriate. If there are no relevant log entries, no output should be produced. Likewise, if you are reporting two things, such as "Good Logins" and "Bad Logins", you should only produce even the headers when appropriate. For example:

Bad Logins:
   amber (2 time(s))
   kirk (3 time(s))

Good Logins:
   amber (5 time(s))
   kirk (10 time(s))

But, if no failed logins occur, you should only output:

Good Logins:
   amber (5 time(s))
   kirk (10 time(s))
Note that there is no "Bad Logins:" header as there were no bad logins. You should also use the detail environment variable when deciding what to output. Bad logins might always be displayed, but good logins might only be displayed at higher detail levels. Here is a guide on how you should use the detail setting:
0 (Low): Display only errors and security-related issues
5 (Med): Display anything that a typical administator would be interested in
10 (High): Display anything that a paranoid administrator would want to see
In some cases, you can use a security setting higher than 10. This would be reserved for information so trivial that it would not even interest the US Government.

Installation

In most cases (RHEL/CentOS/SLES) logwatch is not installed by default, but RPM package is available from DVD and repositories. This is a pretty big package that supplied a set of "default configurations" in the directory /usr/share/logwatch/default.conf from which you can create your own:

[0]root@UNDER_CONSTRUCTION: # rpm -ql logwatch
/etc/cron.d/dmeventd
/etc/cron.daily/0logwatch
/etc/logwatch
/etc/logwatch/conf
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logfiles
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/etc/logwatch/conf/services
/etc/logwatch/scripts
/usr/sbin/logwatch
/usr/share/doc/packages/logwatch
/usr/share/doc/packages/logwatch/CHANGES
/usr/share/doc/packages/logwatch/HOWTO-Customize-LogWatch
/usr/share/doc/packages/logwatch/License
/usr/share/doc/packages/logwatch/README
/usr/share/doc/packages/logwatch/USEDFORBUILD.bz2
/usr/share/logwatch
/usr/share/logwatch/default.conf
/usr/share/logwatch/default.conf/html
/usr/share/logwatch/default.conf/html/footer.html
/usr/share/logwatch/default.conf/html/header.html
/usr/share/logwatch/default.conf/ignore.conf
/usr/share/logwatch/default.conf/logfiles
/usr/share/logwatch/default.conf/logfiles/autorpm.conf
/usr/share/logwatch/default.conf/logfiles/bfd.conf
/usr/share/logwatch/default.conf/logfiles/cisco.conf
/usr/share/logwatch/default.conf/logfiles/clam-update.conf
/usr/share/logwatch/default.conf/logfiles/cron.conf
/usr/share/logwatch/default.conf/logfiles/daemon.conf
/usr/share/logwatch/default.conf/logfiles/denyhosts.conf
/usr/share/logwatch/default.conf/logfiles/dnssec.conf
/usr/share/logwatch/default.conf/logfiles/dpkg.conf
/usr/share/logwatch/default.conf/logfiles/emerge.conf
/usr/share/logwatch/default.conf/logfiles/eventlog.conf
/usr/share/logwatch/default.conf/logfiles/exim.conf
/usr/share/logwatch/default.conf/logfiles/extreme-networks.conf
/usr/share/logwatch/default.conf/logfiles/fail2ban.conf
/usr/share/logwatch/default.conf/logfiles/http.conf
/usr/share/logwatch/default.conf/logfiles/iptables.conf
/usr/share/logwatch/default.conf/logfiles/kernel.conf
/usr/share/logwatch/default.conf/logfiles/maillog.conf
/usr/share/logwatch/default.conf/logfiles/messages.conf
/usr/share/logwatch/default.conf/logfiles/netopia.conf
/usr/share/logwatch/default.conf/logfiles/netscreen.conf
/usr/share/logwatch/default.conf/logfiles/php.conf
/usr/share/logwatch/default.conf/logfiles/pix.conf
/usr/share/logwatch/default.conf/logfiles/pureftp.conf
/usr/share/logwatch/default.conf/logfiles/qmail-pop3d-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-pop3ds-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-send-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-smtpd-current.conf
/usr/share/logwatch/default.conf/logfiles/resolver.conf
/usr/share/logwatch/default.conf/logfiles/rt314.conf
/usr/share/logwatch/default.conf/logfiles/samba.conf
/usr/share/logwatch/default.conf/logfiles/secure.conf
/usr/share/logwatch/default.conf/logfiles/sonicwall.conf
/usr/share/logwatch/default.conf/logfiles/syslog.conf
/usr/share/logwatch/default.conf/logfiles/tac_acc.conf
/usr/share/logwatch/default.conf/logfiles/up2date.conf
/usr/share/logwatch/default.conf/logfiles/vsftpd.conf
/usr/share/logwatch/default.conf/logfiles/windows.conf
/usr/share/logwatch/default.conf/logfiles/xferlog.conf
/usr/share/logwatch/default.conf/logfiles/yum.conf
/usr/share/logwatch/default.conf/logwatch.conf
/usr/share/logwatch/default.conf/services
/usr/share/logwatch/default.conf/services/afpd.conf
/usr/share/logwatch/default.conf/services/amavis.conf
/usr/share/logwatch/default.conf/services/arpwatch.conf
/usr/share/logwatch/default.conf/services/audit.conf
/usr/share/logwatch/default.conf/services/automount.conf
/usr/share/logwatch/default.conf/services/autorpm.conf
/usr/share/logwatch/default.conf/services/bfd.conf
/usr/share/logwatch/default.conf/services/cisco.conf
/usr/share/logwatch/default.conf/services/clam-update.conf
/usr/share/logwatch/default.conf/services/clamav-milter.conf
/usr/share/logwatch/default.conf/services/clamav.conf
/usr/share/logwatch/default.conf/services/courier.conf
/usr/share/logwatch/default.conf/services/cron.conf
/usr/share/logwatch/default.conf/services/denyhosts.conf
/usr/share/logwatch/default.conf/services/dhcpd.conf
/usr/share/logwatch/default.conf/services/dmeventd.conf
/usr/share/logwatch/default.conf/services/dnssec.conf
/usr/share/logwatch/default.conf/services/dovecot.conf
/usr/share/logwatch/default.conf/services/dpkg.conf
/usr/share/logwatch/default.conf/services/emerge.conf
/usr/share/logwatch/default.conf/services/evtapplication.conf
/usr/share/logwatch/default.conf/services/evtsecurity.conf
/usr/share/logwatch/default.conf/services/evtsystem.conf
/usr/share/logwatch/default.conf/services/exim.conf
/usr/share/logwatch/default.conf/services/eximstats.conf
/usr/share/logwatch/default.conf/services/extreme-networks.conf
/usr/share/logwatch/default.conf/services/fail2ban.conf
/usr/share/logwatch/default.conf/services/ftpd-messages.conf
/usr/share/logwatch/default.conf/services/ftpd-xferlog.conf
/usr/share/logwatch/default.conf/services/http.conf
/usr/share/logwatch/default.conf/services/identd.conf
/usr/share/logwatch/default.conf/services/imapd.conf
/usr/share/logwatch/default.conf/services/in.qpopper.conf
/usr/share/logwatch/default.conf/services/init.conf
/usr/share/logwatch/default.conf/services/ipop3d.conf
/usr/share/logwatch/default.conf/services/iptables.conf
/usr/share/logwatch/default.conf/services/kernel.conf
/usr/share/logwatch/default.conf/services/mailscanner.conf
/usr/share/logwatch/default.conf/services/modprobe.conf
/usr/share/logwatch/default.conf/services/mountd.conf
/usr/share/logwatch/default.conf/services/named.conf
/usr/share/logwatch/default.conf/services/netopia.conf
/usr/share/logwatch/default.conf/services/netscreen.conf
/usr/share/logwatch/default.conf/services/oidentd.conf
/usr/share/logwatch/default.conf/services/openvpn.conf
/usr/share/logwatch/default.conf/services/pam.conf
/usr/share/logwatch/default.conf/services/pam_pwdb.conf
/usr/share/logwatch/default.conf/services/pam_unix.conf
/usr/share/logwatch/default.conf/services/php.conf
/usr/share/logwatch/default.conf/services/pix.conf
/usr/share/logwatch/default.conf/services/pluto.conf
/usr/share/logwatch/default.conf/services/pop3.conf
/usr/share/logwatch/default.conf/services/portsentry.conf
/usr/share/logwatch/default.conf/services/postfix.conf
/usr/share/logwatch/default.conf/services/pound.conf
/usr/share/logwatch/default.conf/services/proftpd-messages.conf
/usr/share/logwatch/default.conf/services/pureftpd.conf
/usr/share/logwatch/default.conf/services/qmail-pop3d.conf
/usr/share/logwatch/default.conf/services/qmail-pop3ds.conf
/usr/share/logwatch/default.conf/services/qmail-send.conf
/usr/share/logwatch/default.conf/services/qmail-smtpd.conf
/usr/share/logwatch/default.conf/services/qmail.conf
/usr/share/logwatch/default.conf/services/raid.conf
/usr/share/logwatch/default.conf/services/resolver.conf
/usr/share/logwatch/default.conf/services/rt314.conf
/usr/share/logwatch/default.conf/services/samba.conf
/usr/share/logwatch/default.conf/services/saslauthd.conf
/usr/share/logwatch/default.conf/services/scsi.conf
/usr/share/logwatch/default.conf/services/secure.conf
/usr/share/logwatch/default.conf/services/sendmail-largeboxes.conf
/usr/share/logwatch/default.conf/services/sendmail.conf
/usr/share/logwatch/default.conf/services/shaperd.conf
/usr/share/logwatch/default.conf/services/slon.conf
/usr/share/logwatch/default.conf/services/smartd.conf
/usr/share/logwatch/default.conf/services/sonicwall.conf
/usr/share/logwatch/default.conf/services/sshd.conf
/usr/share/logwatch/default.conf/services/sshd2.conf
/usr/share/logwatch/default.conf/services/stunnel.conf
/usr/share/logwatch/default.conf/services/sudo.conf
/usr/share/logwatch/default.conf/services/syslogd.conf
/usr/share/logwatch/default.conf/services/tac_acc.conf
/usr/share/logwatch/default.conf/services/up2date.conf
/usr/share/logwatch/default.conf/services/vpopmail.conf
/usr/share/logwatch/default.conf/services/vsftpd.conf
/usr/share/logwatch/default.conf/services/windows.conf
/usr/share/logwatch/default.conf/services/xntpd.conf
/usr/share/logwatch/default.conf/services/yum.conf
/usr/share/logwatch/default.conf/services/zz-disk_space.conf
/usr/share/logwatch/default.conf/services/zz-fortune.conf
/usr/share/logwatch/default.conf/services/zz-network.conf
/usr/share/logwatch/default.conf/services/zz-runtime.conf
/usr/share/logwatch/default.conf/services/zz-sys.conf
/usr/share/logwatch/dist.conf
/usr/share/logwatch/dist.conf/logfiles
/usr/share/logwatch/dist.conf/services
/usr/share/logwatch/lib
/usr/share/logwatch/lib/Logwatch.pm
/usr/share/logwatch/scripts
/usr/share/logwatch/scripts/logfiles
/usr/share/logwatch/scripts/logfiles/autorpm
/usr/share/logwatch/scripts/logfiles/autorpm/applydate
/usr/share/logwatch/scripts/logfiles/cron
/usr/share/logwatch/scripts/logfiles/cron/applydate
/usr/share/logwatch/scripts/logfiles/emerge
/usr/share/logwatch/scripts/logfiles/emerge/applydate
/usr/share/logwatch/scripts/logfiles/samba
/usr/share/logwatch/scripts/logfiles/samba/applydate
/usr/share/logwatch/scripts/logfiles/samba/removeheaders
/usr/share/logwatch/scripts/logfiles/up2date
/usr/share/logwatch/scripts/logfiles/up2date/applydate
/usr/share/logwatch/scripts/logfiles/up2date/removeheaders
/usr/share/logwatch/scripts/logfiles/xferlog
/usr/share/logwatch/scripts/logfiles/xferlog/applydate
/usr/share/logwatch/scripts/logfiles/xferlog/removeheaders
/usr/share/logwatch/scripts/logfiles/yum
/usr/share/logwatch/scripts/logfiles/yum/applydate
/usr/share/logwatch/scripts/logwatch.pl
/usr/share/logwatch/scripts/services
/usr/share/logwatch/scripts/services/afpd
/usr/share/logwatch/scripts/services/amavis
/usr/share/logwatch/scripts/services/arpwatch
/usr/share/logwatch/scripts/services/audit
/usr/share/logwatch/scripts/services/automount
/usr/share/logwatch/scripts/services/autorpm
/usr/share/logwatch/scripts/services/bfd
/usr/share/logwatch/scripts/services/cisco
/usr/share/logwatch/scripts/services/clam-update
/usr/share/logwatch/scripts/services/clamav
/usr/share/logwatch/scripts/services/clamav-milter
/usr/share/logwatch/scripts/services/courier
/usr/share/logwatch/scripts/services/cron
/usr/share/logwatch/scripts/services/denyhosts
/usr/share/logwatch/scripts/services/dhcpd
/usr/share/logwatch/scripts/services/dmeventd
/usr/share/logwatch/scripts/services/dnssec
/usr/share/logwatch/scripts/services/dovecot
/usr/share/logwatch/scripts/services/dpkg
/usr/share/logwatch/scripts/services/emerge
/usr/share/logwatch/scripts/services/evtapplication
/usr/share/logwatch/scripts/services/evtsecurity
/usr/share/logwatch/scripts/services/evtsystem
/usr/share/logwatch/scripts/services/exim
/usr/share/logwatch/scripts/services/eximstats
/usr/share/logwatch/scripts/services/extreme-networks
/usr/share/logwatch/scripts/services/fail2ban
/usr/share/logwatch/scripts/services/ftpd-messages
/usr/share/logwatch/scripts/services/ftpd-xferlog
/usr/share/logwatch/scripts/services/http
/usr/share/logwatch/scripts/services/identd
/usr/share/logwatch/scripts/services/imapd
/usr/share/logwatch/scripts/services/in.qpopper
/usr/share/logwatch/scripts/services/init
/usr/share/logwatch/scripts/services/ipop3d
/usr/share/logwatch/scripts/services/iptables
/usr/share/logwatch/scripts/services/kernel
/usr/share/logwatch/scripts/services/mailscanner
/usr/share/logwatch/scripts/services/modprobe
/usr/share/logwatch/scripts/services/mountd
/usr/share/logwatch/scripts/services/named
/usr/share/logwatch/scripts/services/netopia
/usr/share/logwatch/scripts/services/netscreen
/usr/share/logwatch/scripts/services/oidentd
/usr/share/logwatch/scripts/services/openvpn
/usr/share/logwatch/scripts/services/pam
/usr/share/logwatch/scripts/services/pam_pwdb
/usr/share/logwatch/scripts/services/pam_unix
/usr/share/logwatch/scripts/services/php
/usr/share/logwatch/scripts/services/pix
/usr/share/logwatch/scripts/services/pluto
/usr/share/logwatch/scripts/services/pop3
/usr/share/logwatch/scripts/services/portsentry
/usr/share/logwatch/scripts/services/postfix
/usr/share/logwatch/scripts/services/pound
/usr/share/logwatch/scripts/services/proftpd-messages
/usr/share/logwatch/scripts/services/pureftpd
/usr/share/logwatch/scripts/services/qmail
/usr/share/logwatch/scripts/services/qmail-pop3d
/usr/share/logwatch/scripts/services/qmail-pop3ds
/usr/share/logwatch/scripts/services/qmail-send
/usr/share/logwatch/scripts/services/qmail-smtpd
/usr/share/logwatch/scripts/services/raid
/usr/share/logwatch/scripts/services/resolver
/usr/share/logwatch/scripts/services/rt314
/usr/share/logwatch/scripts/services/samba
/usr/share/logwatch/scripts/services/saslauthd
/usr/share/logwatch/scripts/services/scsi
/usr/share/logwatch/scripts/services/secure
/usr/share/logwatch/scripts/services/sendmail
/usr/share/logwatch/scripts/services/sendmail-largeboxes
/usr/share/logwatch/scripts/services/shaperd
/usr/share/logwatch/scripts/services/slon
/usr/share/logwatch/scripts/services/smartd
/usr/share/logwatch/scripts/services/sonicwall
/usr/share/logwatch/scripts/services/sshd
/usr/share/logwatch/scripts/services/sshd2
/usr/share/logwatch/scripts/services/stunnel
/usr/share/logwatch/scripts/services/sudo
/usr/share/logwatch/scripts/services/syslogd
/usr/share/logwatch/scripts/services/tac_acc
/usr/share/logwatch/scripts/services/up2date
/usr/share/logwatch/scripts/services/vpopmail
/usr/share/logwatch/scripts/services/vsftpd
/usr/share/logwatch/scripts/services/windows
/usr/share/logwatch/scripts/services/xntpd
/usr/share/logwatch/scripts/services/yum
/usr/share/logwatch/scripts/services/zz-disk_space
/usr/share/logwatch/scripts/services/zz-fortune
/usr/share/logwatch/scripts/services/zz-network
/usr/share/logwatch/scripts/services/zz-runtime
/usr/share/logwatch/scripts/services/zz-sys
/usr/share/logwatch/scripts/shared
/usr/share/logwatch/scripts/shared/applybinddate
/usr/share/logwatch/scripts/shared/applyeurodate
/usr/share/logwatch/scripts/shared/applyhttpdate
/usr/share/logwatch/scripts/shared/applystddate
/usr/share/logwatch/scripts/shared/applytaidate
/usr/share/logwatch/scripts/shared/applyusdate
/usr/share/logwatch/scripts/shared/eventlogonlyservice
/usr/share/logwatch/scripts/shared/eventlogremoveservice
/usr/share/logwatch/scripts/shared/expandrepeats
/usr/share/logwatch/scripts/shared/hosthash
/usr/share/logwatch/scripts/shared/hostlist
/usr/share/logwatch/scripts/shared/multiservice
/usr/share/logwatch/scripts/shared/onlycontains
/usr/share/logwatch/scripts/shared/onlyhost
/usr/share/logwatch/scripts/shared/onlyservice
/usr/share/logwatch/scripts/shared/remove
/usr/share/logwatch/scripts/shared/removeheaders
/usr/share/logwatch/scripts/shared/removeservice
/usr/share/man/man8/logwatch.8.gz
/var/cache/logwatch
/var/cache/logwatch/timestamp.txt

/etc/cron.d/dmeventd can pollute /var/log/messages

Logwatch does not match system daemons with the chkconfig --list output.  Thaqt leas to excessive and generally unnesessary processing for "fake" or not active daemons. For some reason cron include dmeventd in the standard package specifies invocation of logwatch each minute:

*/1 * * * * root /usr/sbin/logwatch --service dmeventd

This service is controlled by config file /usr/share/logwatch/default.conf/services/dmeventd.conf

Title = "Dmeventd Errors"
LogFile = messages
*OnlyService = dmeventd

Per minute invocation pollutes /var/log/messages among other things. I think this cron include should better be deleted from /etc/cron.d. Your mileage may vary.

The module itself (/usr/share/logwatch/scripts/services/dmeventd) is pretty primitive:

[0]root@basfimgw: # cat /usr/share/logwatch/scripts/services/dmeventd
########################################################################
# Copyright (C) 2007-2008, Intel Corp. All rights reserved.
#
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
########################################################################

########################################################
# dmeventd
########################################################

########################################################
# This was written and is maintained by:
#    Brian Wood 
#
# Please send all comments, suggestions, bug reports,
#    etc, to .
########################################################

# Set the location of the folder to store last time stamp
# (This is used to record the last log sent out so repeats
#  are not mailed in error.)
$Storage_file = "/var/cache/logwatch/timestamp.txt";
$count = 0;
$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

if (-e $Storage_file) {
        open(FD, "+<", "$Storage_file") or die $!;
        seek(FD, 0, 0);
        read(FD, $prev_time, 8);
}
else {
        open(FD, ">", "$Storage_file") or die $!;
        $prev_time = "";
}

while (defined($ThisLine = )) {
        #SAMPLE LOG DATA: Oct 15 01:14:33 dmraid-devhost dmeventd[24857]: Processing device "isw_febiihjha_Volume0" for events
        # All of the elements of the 'split()' aren't used, but could be if custom formating is desired.
        ($month, $day, $time, $hostname, $program, $message) = split(' ',$ThisLine, 6);
        chop($program); # Chop off the colon
        if ($prev_time eq "" || $time gt $prev_time) { # If this is the first run or the time is newer than that stored print log entry
                #print "$ThisLine";
                if($ThisLine =~ /Processing Raid|End of|Monitoring device|No longer/ ) {
                        $entries{$count} = "$month $day $time:  $message";
                }
                else {
                        $entries{$count} = "$month $day $time:    $message";
                }
                $count++; #Keep a count of the number of new logs
        }
}

if ($count != 0) {
        print ("There were a total of $count new log entries\n\n");
        print ("Date             Message\n");
        print ("------------------------\n");
        $num = 0;
        while ($num < $count) {
                print ("$entries{$num}");
                $num++;
        }
}

seek(FD, 0, 0);
printf FD $time;
close(FD);
exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et

Output

Logwatch generally ignores the time component in the output, that means, you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.

# logwatch --service kernel --detail Low --range 'since March 1, 2013' --print

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon Apr  1 15:40:44 2013
        Date Range Processed: since march 1, 2013
                              ( 2013-Feb-28 / 2013-Apr-01 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: mailserver
  ##################################################################

 --------------------- Kernel Begin ------------------------

 WARNING:  Kernel Errors Present
    [3029872.072498] ACPI Error: SMBus or IPMI w ...:  2 Time(s)
    [3029872.072504] ACPI Error (psparse-0537):  ...:  2 Time(s)
    [3029876.331261] ACPI Error: SMBus or IPMI w ...:  2 Time(s)
    [3029876.331266] ACPI Error (psparse-0537):  ...:  2 Time(s)

 ---------------------- Kernel End -------------------------

Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Dec 07, 2015] How to monitor server log files with Logwatch on Debian and Ubuntu

"Just my 2 cents, the configuration file at /usr/share/logwatch/default.conf/logwatch.conf contains all the default settings and comments on what they do. It is recommended to leave the default conf alone and instead re-define a setting variable you want to change in /etc/logwatch/conf/logwatch.conf. "
"On Mint/Debian, the default configuration is overridden by /usr/share/logwatch/dist.conf/logwatch.conf. I also recommend to define the running configuration as /etc/logwatch/conf/logwatch.conf and to redefine any useful variables."

This is what you are supposed to see in the config file. Find out the following in it:

MailTo = root change it to MailTo = xyz@abc.com

Editing the second line is optional. It is used when you want a notification at mutiple mails.
The third line is to state that you will be receiving the mail from logwatch. After completing the above you would like to check the report range or the time in which you will receive reports.

Range = All

You might want to change it to Yesterday for reports of yesterday, Today for today's report of All for everyday report. The report that are available since the beginning will be sent.
The next options is the level of report you would like to send Low, Medium or High. After this you can also go ahead and add particular services you would like to have in your reports. By default all the services are sent in the reports but user can specify all those services by himself:

You can check the synopsis of logwatch:

logwatch [--detail level ] [--logfile log-file-group ] [--service ser‐ vice-name ] [--mailto address ] [--archives] [--range range ] [--debug level ] [--filename file-name ] [--logdir directory ] [--hostname host‐ name ] [--hostformat host based options ] [--output output-type ] [--format report format ] [--encode encoding to use ] [--numeric] [--version] [--help|--usage]

You can use this to use logwatch manually and skip all the above config.

logwatch --detail High --service http --mailto abc@xyz.com --range all --logdirectory /var/cache/logwatch

The above is a custom command by a user for his own needs you my go ahead and check, what suits your needs.

Additional logwatch options

Usage information about Logwatch can be obtained through the man page:

man logwatch

The section titled "MORE INFORMATION" in the man page lists additional documentation files available with the distribution.

A summary of the command-line switches described in the man page can be obtained with the '--help' option:

logwatch --help

[Mar 26, 2013] From the Sys Admin Toolbox Logwatch

Linux Magazine

... ... ...

You can run logwatch with a specific date range. For example, if you want to see information about today's SSHD activity, you can run this command:

# logwatch --service sshd --range=Today

Check root's mail to see the details of the report. Shown is the SSHD section of the report.

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

This is your default "Low" detail logwatch output report. For a more detailed report, try using –detail=Medium. Check root's mail for the report.

# logwatch --service sshd --range=Today --detail=Medium

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

You can see that there's more detail in this report. You can try using the High parameter to squeeze more detail from logs.

# logwatch --service sshd --range=Today --detail=High

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

As you can see, the detail didn't change from Medium to High for SSHD. Alternatively, you can specify the detail level using numeric values using 0, 5 or 10, where 10 is the highest level of detail. Please note that you won't receive more detail than what's supplied in the logs.

For those of you, like me, who don't love command line mail, you can tell logwatch to save its report to a file.

# logwatch --service sshd --range=Today --detail=High --save=logwatch.today

If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.

Logwatch Paranoid Configuration

As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supercede any configured parameters hard-coded in the configuration file located in /usr/share/logwatch/default.conf.

For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.

The defaults settings are

Range = yesterday

Detail = Low

Archives = No.
You should change these to:

Range = All

Detail = High

Archives = Yes.

The Archives setting grabs data from your recent logs as well. If you remember from the first post in this series, they're located under the /var/log directory and have a .X filename to designate their rotation number.

These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.

# logwatch --detail=High --range=All --archives

Customizing Output

Here's a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.

The command line version is shown below.

# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html

The equivalent settings in the configuration file are:

Save = /var/www/html/logwatch.html

Output = html

The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report

Logwatch is a useful script for system administrators who don't have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that's installed on every system you manage.

Next week, you'll take a look at some real-time log monitoring with swatch.

[Mar 26, 2013] Using Logwatch and Watching DVDs By Jeremy Garcia

May 15th, 2004 | Linux Magazine

Configuring Logwatch

First you need to make sure you server is able to send the mails outside you can do this using postfix with SMTP server configuration

Now you need to edit logwatch.conf file

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following information

Output = mail
Format = html
MailTo = test@gmail.com

Save and exit the file

If you want to know more available options check logcheck manpage using the following command from your terminal

man logcheck

Now edit the 00logwatch file

sudo nano /etc/cron.daily/00logwatch

add the following line

/usr/sbin/logwatch --mailto test@gmail.com

Save and exit the file

This tool is very useful give it a try

You can check more configuration from here

Logwatch Taking the pain out of log analysis by Scott Sidel

Each month, the editor of our downloads section recommends the security freeware that he finds most valuable. This month, Scott Sidel reviews the benefits of Logwatch.

If you've been searching for a tool to help simplify your security log analysis process consider, Logwatch. This powerful tool specifies which events are important to you, and then scans the log files and reports on those key events. It can parse through systems and application log files, and its output is easily customizable by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing PERL scripts.

Logwatch ships as a standard part of several Linux systems and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system. Simply create a log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.

Why it's a cool tool

The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.

Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.

Stop logwatch reporting on a particular service on CentOS

May 3, 2008 | www.electrictoolbox.com

logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.

The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

You do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.

What is Logwatch?

... ... ...

Logwatch Installation in Debian

#apt-get install logwatch

That's it installation done. Now you need to configure the logwatch

Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf

Default Logwatch configuration file as below and you need to change this file options

# NOTE:

# All these options are the defaults if you run logwatch with no

# command-line arguments. You can override all of these on the

# command-line.

# You can put comments anywhere you want to. They are effective for the

# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning

# and end of the lines is removed. Whitespace before and after the = sign

# is removed. Everything is case *insensitive*.

# Yes = True = On = 1

# No = False = Off = 0

# Default Log Directory

# All log-files are assumed to be given relative to this directory.

LogDir = /var/log

# You can override the default temp directory (/tmp) here

TmpDir = /tmp

# Default person to mail reports to. Can be a local account or a

# complete email address.

MailTo = root

# If set to 'Yes', the report will be sent to stdout instead of being

# mailed to above person.

Print = No

# Leave this to 'Yes' if you have the mktemp program and it supports

# the '-d' option. Some older version of mktemp on pre-RH7.X did not

# support this option, so set this to no in that case and Logwatch will

# use internal temp directory creation that is (hopefully) just as secure

UseMkTemp = Yes

#

# Some systems have mktemp in a different place

#

MkTemp = /bin/mktemp

# if set, the results will be saved in <filename> instead of mailed

# or displayed.

#Save = /tmp/logwatch

# Use archives? If set to 'Yes', the archives of logfiles

# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will

# be searched in addition to the /var/log/messages file.

# This usually will not do much if your range is set to just

# 'Yesterday' or 'Today'... it is probably best used with

# Archives = Yes

# Range = All

# The default time range for the report...

# The current choices are All, Today, Yesterday

Range = yesterday

# The default detail level for the report.

# This can either be Low, Med, High or a number.

# Low = 0

# Med = 5

# High = 10

Detail = Med

# The 'Service' option expects either the name of a filter

# (in /etc/log.d/scripts/services/*) or 'All'.

# The default service(s) to report on. This should be left as All for

# most people.

Service = All

# You can also disable certain services (when specifying all)

#Service = -zz-fortune

# If you only cared about FTP messages, you could use these 2 lines

# instead of the above:

#Service = ftpd-messages # Processes ftpd messages in /var/log/messages

#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog

# Maybe you only wanted reports on PAM messages, then you would use:

#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit

#Service = pam # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option. This will cause

# logwatch to only analyze that one logfile.. for example:

#LogFile = messages

# will process /var/log/messages. This will run all the filters that

# process that logfile. This option is probably not too useful to

# most people. Setting 'Service' to 'All' above analyizes all LogFiles

# anyways...

#

# some systems have different locations for mailers

#

mailer = /usr/bin/mail

#

# With this option set to 'Yes', only log entries for this particular host

# (as returned by 'hostname' command) will be processed. The hostname

# can also be overridden on the commandline (with --hostname option). This

# can allow a log host to process only its own logs, or Logwatch can be

# run once per host included in the logfiles.

#

# The default is to report on all log entries, regardless of its source host.

# Note that some logfiles do not include host information and will not be

# influenced by this setting.

#

#HostLimit = Yes

Email Notifications With Logwatch

Logwatch is a slick Perl script that bundles up logfile reports and emails them to you. Debian users can install it by running apt-get install logwatch. Debian puts the configuration files in /etc/logwatch. The RPM puts them in /etc/log.d. Of course you may also install from sources. Be sure to consult the README for installation.

To make it go, first find logwatch.conf. You'll need to make a few tweaks. Set the "MailTo" directive to your desired email address, or local account. For local mail, most Linux systems still come with venerable old "mail", which works just fine:

MailTo = carla
mailer = /usr/bin/mail

Of course you may use any mailer you wish.

To make Logwatch send you daily reports, set the time range to "Today":

Range = Today

Other choices are "All" and "Yesterday." Now set your desired detail level for your reports:

Detail = High

Save your changes, and run Logwatch to send you a report:

# logwatch

The whole idea is to have Logwatch work without you having to exert yourself, so now you have to edit /etc/crontab to run Logwatch at your desired intervals. This runs it daily at 1am:

# m h dom mon dow user command
0 1 * * * root /usr/sbin/logwatch

Stop logwatch reporting on a particular service on CentOS

May 3, 2008 | www.electrictoolbox.com

logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.

The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

You do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.

login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.


Reference

logwatch - Linux man page

logwatch - system log analyzer and reporter

SYNOPSIS

logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ]

[--Print] [--mailto address ] [--archives] [--range range ] [--debug level ] [--save file-name ]

[--logdir directory ] [--hostname hostname ] [--help|--usage]

DESCRIPTION

LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems.

OPTIONS

--detail level

This is the detail level of the report. level can be high, med, low.

--logfile log-file-group

This will force LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...). LogWatch will there- fore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups.

--service service-name

This will force LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.

  • --print

    Print the results to stdout (i.e. the screen).

  • --mailto address

    Mail the results to the email address or user specified in address.

  • --archives

    Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).

    This option will make LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however.

  • --range range

    You can specify a date-range to process. This option is currently limited to only Yesterday, Today and All.

  • --debug level

    For debugging purposes. level can range from 0 to 100. This will really clutter up your output. You probably don't want to use this.

  • --save file-name

    Save the output to file-name instead of displaying or mailing it.

  • --logdir directory

    Look in directory for source syslog files instead of the default directory.

  • --hostname hostname

    Use hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate).

  • --usage

    Displays usage information

  • --help same as --usage.

    FILES

    /etc/log.d/logwatch.conf

    Really a symlink to /etc/log.d/conf/logwatch.conf. This file sets the default values of all the above options. These defaults are used when LogWatch is called without any parameters (i.e. from cron.daily). The file is well-documented, but the explanations above also apply to this config file.

    /etc/log.d/conf/services/*

    Configuration files for the various services whose log entries LogWatch can process.

    /etc/log.d/conf/logfiles/*

    Configuration files for the various logfiles that the above service's log entries are stored in.

    /etc/log.d/scripts/shared/*

    Filters common to many services and/or logfiles.

    /etc/log.d/scripts/logfiles/*

    Filters specific to just particular logfiles.

    /etc/log.d/scripts/services/*

    Actual filter programs for the various services.

    EXAMPLES

    logwatch --service ftpd-xferlog --range all --detail high --print --archives

    This will print out all FTP transfers that are stored in all current and archived xferlogs.

    logwatch --service pam_pwdb --range yesterday --detail high --print

    This will print out login information for the previous day...

    MORE INFORMATION

    For information on adding your own filter, please see the file HOWTO-Make-Filter which should have been included with Logwatch. If you installed from an RPM, it is probably under /usr/share/doc/logwatch-XXX.

    BUGS

    The --range option is very weak... this will be fixed in the future.



    Etc

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

    ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

    Society

    Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

    Quotes

    War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

    Bulletin:

    Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

    History:

    Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

    Classic books:

    The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

    Most popular humor pages:

    Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

    The Last but not Least


    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

    The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

    Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

    This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

    You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

    Disclaimer:

    The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

    Last modified: September 12, 2017