Anyone who has been working with dedicated or virtual private servers for any length of time will appreciate how useful log files are for fault finding in the aftermath of a system problem. Unfortunately, log files tend to be used in a very reactive way: the administrator has to spot the problem occurring in the first place before going back through the logs to find the cause. It’s often the case that a number of services or systems fail in a manner that goes unnoticed by an administrator, so nobody searches the logs for information. Here’s where logwatch can come in helpful.
What is Logwatch?
Logwatch is a tool that will parse through your log files and email you a daily digest of what has been happening on the server. This digest can be sent to a local user’s mailbox, or - if you have a mail server installed on the server - it can be emailed to a remote mailbox. Logwatch comes with the ability to monitor the most common Linux services, and the configuration files can be tweaked to reflect any changes you may have made to the default logging for your services. You can also monitor your own custom services by creating new scripts and config files for them.
Installation of logwatch is a simple affair as it’s part of the default repositories for most distributions, so to install it on Debian/Ubuntu and related distributions:
apt-get install logwatch
And for Red Hat/CentOS you can use the following command:
yum install logwatch
There’s a small difference between the package installers here: the Debian/Ubuntu installer will present the option of installing a mail server (in this case Postfix) for emailing the results if needed, whereas the Red Hat/CentOS installer won’t. Also, the Debian/Ubuntu package installer doesn’t create the /var/cache/logwatch directory which is needed for logwatch to work, so that directory has to be created by hand.
With the default configuration, both systems will mail their results to the local root user’s mailbox on the system, which is where you view the digests. They will also monitor all the services that logwatch is capable of watching and report low-detail message digests. The configuration files are installed to the /usr/share/logwatch/default.conf/ directory, but these can be overwritten when the package is updated. It’s recommended that if you are going to change any of the configuration, you copy the relevant config file to the /etc/logwatch/conf/ directory, which logwatch scans for configuration and uses to override its default configuration. So let’s start by making a copy of the default logwatch configuration file:
cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Now you can edit the new file with the following command. Note that I’m using nano in my example, but other editors are available:
Any changes you make to this file now will override the default configuration. The main changes you are likely to want to make are the email address to which the log digests are sent, and the detail level of the digests.
To change the email address used, find the MailTo lines in the file and then add a new MailTo line with your email address, for example:
MailTo = firstname.lastname@example.org
As I previously mentioned, please note that for emails to work you must have a working mail server set up on your server; without one, logwatch will fail to send anything.
Can I control the level of digest detail?
The log digest detail level can be changed by editing the line starting with Detail in the file; by default this is set to Low:
Detail = Low
The Detail setting can be changed to Low, Med or High. In addition, numbers can be used: 0 equates to Low, 5 to Med and 10 to High. Essentially, the detail levels are defined so that Low covers errors and security messages, Med covers messages that most sysadmins may be interested in, and High covers details that paranoid sysadmins may be interested in. It’s possible that some scripts may use numbers higher than 10 for details logged, for which the logwatch documentation states: “This would be reserved for information so trivial that it would not even interest the US Government.” So for most cases the Low setting remains adequate if you are only interested in being notified when problems occur and in knowing about user access to the server. If you would like a little more information, step up to Med.
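To see how the MailTo and Detail overrides described above combine with the packaged defaults, here is an added example (not from the original post or the logwatch project) that resolves the effective settings from a default directory and an override directory, using constructed sample files with hypothetical values. The directory paths are passed as arguments, so the same functions would work against /usr/share/logwatch/default.conf and /etc/logwatch/conf on a real system.

```shell
# Added example (not from the original post): resolve the effective logwatch
# settings the way the post describes, with /usr/share/logwatch/default.conf
# supplying defaults and /etc/logwatch/conf overriding them. The directories
# are passed as arguments so the functions can run against constructed files.

# Map a Detail value (Low/Med/High or a number) to its numeric level;
# anything else is rejected so a typo does not silently fall back to Low.
detail_level() {
  case "$1" in
    [Ll]ow)       echo 0 ;;
    [Mm]ed)       echo 5 ;;
    [Hh]igh)      echo 10 ;;
    ''|*[!0-9]*)  echo "invalid Detail value: $1" >&2; return 1 ;;
    *)            echo "$1" ;;
  esac
}

# Print the last value of KEY in FILE (lines look like "Key = value";
# '#' comments and blank lines are ignored). Prints nothing if unset.
conf_get() {
  key=$1; file=$2
  [ -r "$file" ] || return 0
  sed -n -e 's/[[:space:]]*#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# effective_setting KEY DEFAULT_DIR OVERRIDE_DIR: the override file wins
# whenever it sets KEY, otherwise the packaged default is used.
effective_setting() {
  val=$(conf_get "$1" "$3/logwatch.conf")
  [ -n "$val" ] || val=$(conf_get "$1" "$2/logwatch.conf")
  printf '%s\n' "$val"
}

# Build constructed sample files in a temp dir (hypothetical values) so the
# functions can be exercised without a logwatch install; prints the dir.
make_sample_conf() {
  dir=$(mktemp -d)
  mkdir -p "$dir/default.conf" "$dir/conf"
  printf 'MailTo = root\nDetail = Low\n' > "$dir/default.conf/logwatch.conf"
  printf '# local override\nMailTo = root\nMailTo = firstname.lastname@example.org\nDetail = 5 # Med\n' \
    > "$dir/conf/logwatch.conf"
  echo "$dir"
}

# Demo run against the constructed files.
d=$(make_sample_conf)
echo "MailTo: $(effective_setting MailTo "$d/default.conf" "$d/conf")"
echo "Detail: $(detail_level "$(effective_setting Detail "$d/default.conf" "$d/conf")")"
rm -rf "$d"
```

The demo prints the override address and detail level 5, showing that the later MailTo line in the override file wins over both the earlier one and the packaged default.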
This ends a somewhat whistle-stop tour of the logwatch tool. Whilst it adds yet another email coming into a mailbox, it’s definitely a useful one and worth using as part of your server monitoring systems.