Logwatch Configuration in Debian
What is Logwatch?
Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from command line.
The output is by service and you can limit the output to one particular service. The subscripts which are responsible for the output, mostly convert the raw log lines in structured format.
Logwatch generally ignores the time component in the output, that means, you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.
Logwatch Installation in Debian
#apt-get install logwatch
That's it installation done.Now you need to configure the logwatch
Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf
Default Logwatch configuration file as below and you need to change this file options
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log
# You can override the default temp directory (/tmp) here
TmpDir = /tmp
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = root
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No
# Leave this to 'Yes' if you have the mktemp program and it supports
# the '-d' option. Some older version of mktemp on pre-RH7.X did not
# support this option, so set this to no in that case and Logwatch will
# use internal temp directory creation that is (hopefully) just as secure
UseMkTemp = Yes
# Some systems have mktemp in a different place
MkTemp = /bin/mktemp
# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Med
# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
#Service = -zz-fortune
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# some systems have different locations for mailers
mailer = /usr/bin/mail
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#HostLimit = Yes
Email Notifications With Logwatch
For more details about logwatch configuration file check below man page for logwatch
LOGWATCH(8) User Manuals LOGWATCH(8)
logwatch - system log analyzer and reporter
logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ]
[--Print] [--mailto address ] [--archives] [--range range ] [--debug level ] [--save file-name ]
[--logdir directory ] [--hostname hostname ] [--help|--usage]
LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems.
This is the detail level of the report. level can be high, med, low.
This will force LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...). LogWatch will there- fore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups.
This will force LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.
Print the results to stdout (i.e. the screen).
Mail the results to the email address or user specified in address.
Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).
This option will make LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however.
You can specify a date-range to process. This option is currently limited to only Yesterday, Today and All.
For debugging purposes. level can range from 0 to 100. This will really clutter up your output. You probably don't want to use this.
Save the output to file-name instead of displaying or mailing it.
Look in directory for log files instead of the default directory.
Use hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate).
Displays usage information
--help same as --usage.
Really a symlink to /etc/log.d/conf/logwatch.conf. This file sets the default values of all the above options. These defaults are used
when LogWatch is called without any parameters (i.e. from cron.daily). The file is well-documented, but the explanations above also apply to this config file.
Configuration files for the various services whose log entries LogWatch can process.
Configuration files for the various logfiles that the above service's log entries are stored in.
Filters common to many services and/or logfiles.
Filters specific to just particular logfiles.
Actual filter programs for the various services.
logwatch --service ftpd-xferlog --range all --detail high --print --archives
This will print out all FTP transfers that are stored in all current and archived xferlogs.
logwatch --service pam_pwdb --range yesterday --detail high --print
This will print out login information for the previous day...
For information on adding your own filter, please see the file HOWTO-Make-Filter which should have been included with Logwatch. If you installed from an RPM, it is probably under /usr/share/doc/logwatch-XXX.
The --range option is very weak... this will be fixed in the future.