Logwatch And Logrotate Configuration in debian

Logwatch Configuration

When you look after a group of machines it becomes increasingly difficult to watch the logfiles to see if anything suspicious is happening.

Enter logwatch, a simple Perl script which will keep an eye on all the common logfiles syslog produces and mail you a summery.

The summeries are simple enough to read and are sent by email once a day - they show things like available disk space, logins, rejected logins, commands ran by users via sudo and more.

Installing Logwatch in debian

#apt-get install logwatch

Follow the on screen Instructions. For more details click here

Logrotate Configuration

The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files. Logrotate allows for the automatic rotation compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size. Normally, logrotate runs as a daily cron job.

Installing Logrotate in debian

#apt-get install logrotate

The most obvious package which uses logrotate is Apache, the webserver, which by default keeps its logfiles in the directory /var/log/apache2.

If you examine this directory you will see that there are a bunch of logfiles which are archived:

[email protected]:~# ls -1 /var/log/apache2/

Here the current logfiles access.log, error.log are kept raw as are yesterday's logfiles (access.log.1 and error.log.1). Previous logfiles are compressed with gzip and only kept for five weeks.


The process that is in charge of compressing and rotating these logfiles is called logrotate and it is executed once per day upon Debian installations.


Logrotate files can be scheduled using cron.In /etc we have one folder called

/etc/cron.daily which contains scripts which are executed once per day. Here you will find the logrotate driver script.

Every day this script runs and examines two things:

  • The configuration file /etc/logrotate.conf
  • The configuration directory /etc/logrotate.d


 This directory contains configuration files which other packages have installed. For example if you install apache2 the file /etc/logrotate.d/apache2 will be installed.

Many servers such as Postfix the mailserver will install their own configuration file, and you can add your own.

A typical logrotate configuration file looks like this:

/var/log/apache2/*.log {
        rotate 52
        create 640 root adm
                if [ -f /var/run/ ]; then
                        /etc/init.d/apache restart > /dev/null

You can see several important things here. The most obvious is the list of files that will be matched by this configuration file:


/var/log/apache2/*.log {

After this we have a collection of configuration terms, a different one on each line. In the example above we have:

  • weekly
    • The files should be rotated every week. Opposite: daily
  • rotate nn
    • We should keep no more than nn files.
  • compress
    • Compress older files with gzip. Opposite: nocompress
  • delaycompress
    • Don't compress yesterdays files. Opposite: compress
  • notifempty
    • Don't do any rotation if the logfile is empty. Opposite: ifempty
  • create xx user group
    • If we have to create the new file give it the given mode, owner, and group.
  • sharedscripts
    • Run any given prerotate or postrotate script for each logfile individually. Opposite: nosharedscripts.
  • postrotate + endscript
    • Anything between these is executed after the rotation process. Opposite : prerotate


The upshot of this script is that any file which matches /var/log/apache2/*.log is rotated every week, compressed, if it's non-empty. The new file is created with the file mode of 640, and after the rotation has finished the server is restarted.

If we wish to install a local service which creates a logfile we can cause it to be rotated very easily, just by adding a new logrotate configuration file.


Assuming we have a new service "web" which produces its output in /var/log/web/output.log we can cause this to be rotated every day with a script like this:


/var/log/web/*.log {
  rotate 7
  create 640 web web
     /etc/init.d/web restart

This will:

  • Run daily.
  • Keep no more than 7 days worth of logfiles at any one time.
  • Not complain if there is a logfile missing.
  • Compress the older files, but not yesterdays.
  • Create the new logfiles as being owned by the user and group fred.
  • Restart the service after rotating the logfiles.

Default /etc/logrotate.conf file as follows

# see "man logrotate" for details

# rotate log files weekly


# keep 4 weeks worth of backlogs

rotate 4

# create new (empty) log files after rotating old ones


# uncomment this if you want your log files compressed


# packages drop log rotation information into this directory

include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here

/var/log/wtmp {



    create 0664 root utmp

    rotate 1


/var/log/btmp {



    create 0664 root utmp

    rotate 1


# system-specific logs may be configured here