Logwatch Configuration in Debian

What is Logwatch?

Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from command line.

The output is by service and you can limit the output to one particular service. The subscripts which are responsible for the output, mostly convert the raw log lines in structured format.

Logwatch generally ignores the time component in the output, that means, you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.

Logwatch Installation in Debian

#apt-get install logwatch

That's it installation done.Now you need to configure the logwatch

 Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf

 Default Logwatch configuration file as below and you need to change this file options


#   All these options are the defaults if you run logwatch with no

#   command-line arguments.  You can override all of these on the

#   command-line.

# You can put comments anywhere you want to.  They are effective for the

# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning

# and end of the lines is removed.  Whitespace before and after the = sign

# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1

# No  = False = Off = 0

# Default Log Directory

# All log-files are assumed to be given relative to this directory.

LogDir = /var/log

# You can override the default temp directory (/tmp) here

TmpDir = /tmp

# Default person to mail reports to.  Can be a local account or a

# complete email address.

MailTo = root

# If set to 'Yes', the report will be sent to stdout instead of being

# mailed to above person.

Print = No

# Leave this to 'Yes' if you have the mktemp program and it supports

# the '-d' option.  Some older version of mktemp on pre-RH7.X did not

# support this option, so set this to no in that case and Logwatch will

# use internal temp directory creation that is (hopefully) just as secure

UseMkTemp = Yes


#       Some systems have mktemp in a different place


MkTemp = /bin/mktemp

# if set, the results will be saved in <filename> instead of mailed

# or displayed.

#Save = /tmp/logwatch

# Use archives?  If set to 'Yes', the archives of logfiles

# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will

# be searched in addition to the /var/log/messages file.

# This usually will not do much if your range is set to just

# 'Yesterday' or 'Today'... it is probably best used with

# Archives = Yes

# Range = All

# The default time range for the report...

# The current choices are All, Today, Yesterday

Range = yesterday

# The default detail level for the report.

# This can either be Low, Med, High or a number.

# Low = 0

# Med = 5

# High = 10

Detail = Med

# The 'Service' option expects either the name of a filter

# (in /etc/log.d/scripts/services/*) or 'All'.

# The default service(s) to report on.  This should be left as All for

# most people.

Service = All

# You can also disable certain services (when specifying all)

#Service = -zz-fortune

# If you only cared about FTP messages, you could use these 2 lines

# instead of the above:

#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages

#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog

# Maybe you only wanted reports on PAM messages, then you would use:

#Service = pam_pwdb     # PAM_pwdb messages - usually quite a bit

#Service = pam          # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option.  This will cause

# logwatch to only analyze that one logfile.. for example:

#LogFile = messages

# will process /var/log/messages.  This will run all the filters that

# process that logfile.  This option is probably not too useful to

# most people.  Setting 'Service' to 'All' above analyizes all LogFiles

# anyways...


# some systems have different locations for mailers


mailer = /usr/bin/mail


# With this option set to 'Yes', only log entries for this particular host

# (as returned by 'hostname' command) will be processed.  The hostname

# can also be overridden on the commandline (with --hostname option).  This

# can allow a log host to process only its own logs, or Logwatch can be

# run once per host included in the logfiles.


# The default is to report on all log entries, regardless of its source host.

# Note that some logfiles do not include host information and will not be

# influenced by this setting.


#HostLimit = Yes

Email Notifications With Logwatch

Logwatch is a slick Perl script that bundles up logfile reports and emails them to you. Debian users can install it by running apt-get install logwatch. Debian puts the configuration files in /etc/logwatch. The RPM puts them in /etc/log.d. Of course you may also install from sources. Be sure to consult the README for installation.

To make it go, first find logwatch.conf. You'll need to make a few tweaks. Set the "MailTo" directive to your desired email address, or local account. For local mail, most Linux systems still come with venerable old "mail", which works just fine:

MailTo = carla
mailer = /usr/bin/mail

Of course you may use any mailer you wish.

To make Logwatch send you daily reports, set the time range to "Today":

Range = Today

Other choices are "All" and "Yesterday." Now set your desired detail level for your reports:

Detail = High

Save your changes, and run Logwatch to send you a report:

# logwatch

The whole idea is to have Logwatch work without you having to exert yourself, so now you have to edit /etc/crontab to run Logwatch at your desired intervals. This runs it daily at 1am:

# m h dom mon dow user  command
  0 1  * * *   root       /usr/sbin/logwatch

For more details about logwatch configuration file check below man page for logwatch

logwatch manpage

 LOGWATCH(8)                                                            User Manuals                                                            LOGWATCH(8)


       logwatch - system log analyzer and reporter


       logwatch  [--detail  level  ]  [--logfile  log-file-group  ]  [--service service-name ]

       [--Print] [--mailto address ] [--archives] [--range range ] [--debug level ] [--save file-name ]

        [--logdir directory ] [--hostname hostname ] [--help|--usage]



       LogWatch is a customizable, pluggable log-monitoring system.  It will go through your logs for a given period of time and  make  a  report  in  the areas that you wish with the detail that you wish.  Easy to use - works right out of the package on almost all systems.


       --detail level

              This is the detail level of the report.  level can be high, med, low.

        --logfile log-file-group

              This  will force LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...).  LogWatch will there- fore process all services that use those logfiles.  This option can be specified more than once to specify multiple logfile-groups.

        --service service-name

              This will force LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...).  LogWatch will therefore also process  any  log-file-groups necessary to process these services.  This option can be specified more than once to specify multiple services  to process.  A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.


              Print the results to stdout (i.e. the screen).

       --mailto address

              Mail the results to the email address or user specified in address.


              Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e.  /var/log/messages.?  or  /var/log/messages.?.gz).

               This  option  will  make  LogWatch search through the archives in addition to the regular logfiles.  The entries must still be in the proper date range (see below) to be processed, however.

        --range range

              You can specify a date-range to process.  This option is currently limited to only Yesterday, Today and All.

        --debug level

              For debugging purposes.  level can range from 0 to 100.  This will really clutter up your output.  You probably don't want to use this.

        --save file-name

              Save the output to file-name instead of displaying or mailing it.

        --logdir directory

              Look in directory for log files instead of the default directory.

        --hostname hostname

              Use hostname for the reports instead of this system's hostname.  In addition, if HostLimit is set  in  /etc/log.d/logwatch.conf,  then  only logs from this hostname will be processed (where appropriate).


              Displays usage information

        --help same as --usage.



              Really  a  symlink  to  /etc/log.d/conf/logwatch.conf.  This file sets the default values of all the above options.  These defaults are used

              when LogWatch is called without any parameters (i.e. from cron.daily).  The file is well-documented, but the explanations above  also  apply to this config file.


              Configuration files for the various services whose log entries LogWatch can process.


              Configuration files for the various logfiles that the above service's log entries are stored in.


              Filters common to many services and/or logfiles.


              Filters specific to just particular logfiles.


              Actual filter programs for the various services.


       logwatch --service ftpd-xferlog --range all --detail high --print --archives

              This will print out all FTP transfers that are stored in all current and archived xferlogs.

       logwatch --service pam_pwdb --range yesterday --detail high --print

              This will print out login information for the previous day...


       For  information  on adding your own filter, please see the file HOWTO-Make-Filter which should have been included with Logwatch.  If you installed from an RPM, it is probably under /usr/share/doc/logwatch-XXX.


       The --range option is very weak... this will be fixed in the future.