Latest News from 100TB

Get it from the source

How To Use Logwatch To Do Log File Analysis

Published Mar 17, 2016 by Hayden Smith


Anyone who has been working with dedicated or virtual private servers for any length of time will appreciate how useful log files are for fault finding in the aftermath of a system problem. Unfortunately, log files tend to be used in a very reactionary process, based on the administrator actually spotting the problem occurring in the first place in order to go looking back through the logs to find the cause. It’s often the case that a number of services or systems can fail in a manner that’s not noticed by an administrator in order to search the logs for information. Here’s where logwatch can come in helpful.


What is Logwatch?

Logwatch is a tool that will parse through your log files and email you a daily digest of what has been happening on the server. This digest can be sent to a local user’s mailbox, or - if you have a mail server installed on the server - it can be emailed to a remote mailbox. Logwatch comes with the ability to monitor the most common Linux services, and the configuration files can be tweaked to reflect any changes you may have made to the default logging for your services. You can also monitor your own custom services by creating new scripts and config files for them.

Installation of logwatch is a simple affair as it’s part of the default repositories for most distributions, so to install for Debian/Ubuntu and related distributions:

apt-get update

apt-get install logwatch

mkdir /var/cache/logwatch

And for Red Hat/CentOS you can use the following command:

yum install logwatch

There’s a small difference between the package installers here: the Debian/Ubuntu will present the option of installing a mailserver (in this case Postfix) for emailing the results if needed, whereas the Red Hat/CentOS installer won’t. Also, the Debian/Ubuntu package installer doesn’t create the /var/cache/logwatch directory which is needed for logwatch to work, hence the command to create that directory.

With the default configuration, both systems will mail their results to the local root user mailbox on the system to view the digests. They will also monitor all the services that logwatch is capable of watching and report low detail message digests. The configuration files are installed to the /usr/share/logwatch/default.conf/ directory, but this can be overwritten when the package is updated. It’s recommended that if you are going to change any of the configuration that you copy the relevant config file to the /etc/logwatch/conf/ directory which logwatch will scan for configuration, and will use to override it’s default configuration. So let’s start with making a copy of the default logwatch configuration file:

cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Now you can edit the new file with the following command. Take note that I’m using nano in my example, but other editors are available:

nano /etc/logwatch/conf/logwatch.conf

Any changes you make to this file now will override the default configuration. The main changes you are likely to want to make are the email address to which the log digests are sent, and the detail level of the digests.

To change the email address used then you need to find the MailTo lines in the file and then add a new MailTo line with your email address, for example:

MailTo =

As I previously mentioned, please note that for emails to work you must have a working email server set up on your server - without this it will fail to send anything.


Can I control the level of digest detail?

The log digest detail level can be changed by editing the line starting with Detail in the file; by default this is set to Low:

Detail = Low

The Detail setting can be changed to Low, Med or High. In addition, numbers can be used: 0 equates to Low, 5 to Med and 10 to High. Essentially the definition of the different detail levels are such that Low is for errors and security messages, Med for messages that most sysadmins may be interested in and High is for details that paranoid sysadmins may be interested in. It’s possible that some scripts may use numbers higher than 10 for details logged, for which the logwatch documentation states: “This would be reserved for information so trivial that it would not even interest the US Government.”  So for most cases the Low setting would remain adequate if you are only interested in being notified if any problems occurred and in knowing about user access to the server. If you would like a little more information then step up to Med.

This ends a somewhat whistlestop tour of the logwatch tool. Whilst it adds yet another email coming into a mailbox, it’s definitely a useful one and worth using as part of your server monitoring systems.

Sign up for the 100TB newsletter here for more 100TB how-to-guides to keep your server running at top notch.

What You Need To Know When Calculating Bandwidth Costs

Previous Article

How Virtual Reality Could Transform The TV Experience

Next Article

Receive The Latest 100TB News

Share This Post

Latest News