Wade through that haystack of logs to find the proverbial needle.

If you’re logging almost every piece of information you can from all services and hosts on your network, no doubt you’re drowning in a sea of information. One way to keep abreast of the real issues affecting your systems is summarizing your logs. This is easy with the logwatch tool (http://www.logwatch.org). Logwatch analyzes your system logs over a given period of time and automatically generates reports, and it can easily be run from cron so that it can email you the results.
Logwatch is available with most Red Hat Linux distributions. You can also download RPM packages from the project’s web site if you are using another RPM-based Linux distribution. To install logwatch from source, download the source code package. Since logwatch is a script, there is no need to compile anything, so installing it is as simple as copying the logwatch script to a directory.
You can install it by running commands similar to these:

# tar xfz logwatch-5.0.tar.gz
# cd logwatch-5.0
# mkdir /etc/log.d
# cp -R conf lib scripts /etc/log.d
You can also install the manpage and, for added convenience, create a link from the logwatch.pl script to /usr/sbin/logwatch:

# cp logwatch.8 /usr/share/man/man8
# (cd /usr/sbin && ln -s ../../etc/log.d/scripts/logwatch.pl logwatch)
Running the following command will give you a taste of the summaries logwatch creates:

# logwatch --print | less
################### LogWatch 4.3.1 (01/13/03) ####################
Processing Initiated: Sat Dec 27 21:12:26 2003
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: colossus
################################################################
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
andrew logged in from kryten.nnc (192.168.0.60) using password: 2 Time(s)
---------------------- SSHD End -------------------------
###################### LogWatch End #########################
If you have an /etc/cron.daily directory, you can simply make a symbolic link from the logwatch.pl script to /etc/cron.daily/logwatch.pl, and the script will be run daily. Alternatively, you can create an entry in root’s crontab, in which case you can also modify logwatch’s behavior by passing it command-line switches. For instance, you can change the email address that logwatch sends reports to by using the --mailto command-line option. Reports are sent to the local root account by default, which is probably not what you want.
Logwatch supports most standard log files without any additional configuration, but you can add support for any type of log file. To do this, you first need to create a logfile group configuration for the new file type in /etc/log.d/conf/logfiles. This file just needs to contain an entry pointing logwatch to the logfile for the service and another entry specifying a globbing pattern for any archived log files for that service. For example, if you had a service called myservice, you could create /etc/log.d/conf/logfiles/myservice.conf with these contents:

LogFile = /var/log/myservice
Archive = /var/log/myservice.*
Next, you need to create a service definition file. This should be called /etc/log.d/conf/services/myservice.conf and should contain the following line:

LogFile = myservice

Finally, since logwatch is merely a framework for generating log file summaries, you’ll also need to create a script in /etc/log.d/scripts/services called myservice. When logwatch executes, it will strip all time entries from the logs and pass the rest of each log entry through standard input to the myservice script. Therefore, you must write your script to read from standard input, parse out the pertinent information, and then print it to standard out.
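As an added illustration of the filter script described above (this is not code from the book or from the logwatch project), here is a complete myservice filter written in Python. It assumes a hypothetical line format for myservice ("myservice[PID]: accepted|failed login for USER from IP"), reads the timestamp-stripped lines logwatch hands it on standard input, counts accepted logins per user and source, flags sources with repeated failed logins, and reports any lines it could not classify under an "**Unmatched Entries**" heading so that new message types are noticed rather than silently dropped. The LOGWATCH_DETAIL_LEVEL environment variable, which logwatch’s bundled filters consult, is treated as optional here and defaults to 0; the sample lines at the top are constructed for testing and are used only when the script is run interactively without input on stdin.

```python
#!/usr/bin/env python3
"""Example logwatch service filter for a hypothetical service "myservice".

logwatch strips the timestamp from each line and feeds the remainder on
standard input; the filter prints its summary on standard output.
"""
import os
import re
import sys
from collections import Counter

# Constructed sample input (timestamps already stripped, as logwatch does).
# The line format is hypothetical, chosen for this example only.
SAMPLE_LINES = [
    "myservice[4242]: accepted login for andrew from 192.168.0.60",
    "myservice[4242]: accepted login for andrew from 192.168.0.60",
    "myservice[4243]: failed login for user1 from 203.0.113.9",
    "myservice[4243]: failed login for user2 from 203.0.113.9",
    "myservice[4243]: failed login for user3 from 203.0.113.9",
    "myservice[4243]: failed login for user4 from 203.0.113.9",
    "myservice[4243]: failed login for user5 from 203.0.113.9",
    "myservice[4244]: accepted login for bob from 192.168.0.61",
    "myservice[4245]: configuration reloaded",
]

LOGIN_RE = re.compile(
    r"^myservice\[\d+\]: (?P<result>accepted|failed) login for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

FAILURE_THRESHOLD = 5  # flag a source once it reaches this many failed logins


def summarize(lines):
    """Parse filter input lines into counters plus a list of unmatched lines."""
    accepted = Counter()   # (user, ip) -> number of successful logins
    failed = Counter()     # ip -> number of failed logins
    unmatched = []         # lines this filter does not understand
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m is None:
            unmatched.append(line)
        elif m.group("result") == "accepted":
            accepted[(m.group("user"), m.group("ip"))] += 1
        else:
            failed[m.group("ip")] += 1
    return {"accepted": accepted, "failed": failed, "unmatched": unmatched}


def render(summary, detail=0):
    """Format the summary in the style of logwatch's own service reports."""
    out = []
    if summary["accepted"]:
        out.append("Users logging in through myservice:")
        for (user, ip), n in sorted(summary["accepted"].items()):
            out.append(f"   {user} from {ip}: {n} Time(s)")
    if summary["failed"]:
        out.append("Failed logins by source:")
        for ip, n in summary["failed"].most_common():
            flag = "  <-- repeated failures, review this source" if n >= FAILURE_THRESHOLD else ""
            out.append(f"   {ip}: {n} Time(s){flag}")
    # logwatch convention: list lines the filter could not classify so that
    # new message types get noticed; at detail level 0 show only the first 10
    if summary["unmatched"]:
        out.append("**Unmatched Entries**")
        shown = summary["unmatched"] if detail > 0 else summary["unmatched"][:10]
        out.extend(f"   {line}" for line in shown)
    return "\n".join(out)


def main():
    detail = int(os.environ.get("LOGWATCH_DETAIL_LEVEL", "0"))
    # Use the constructed sample when run by hand with no piped input.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(render(summarize(lines), detail))


if __name__ == "__main__":
    main()
```

Installed as /etc/log.d/scripts/services/myservice and made executable, the script receives its input from logwatch; run by hand with `cat /var/log/myservice | sed 's/^.\{15\} //' | ./myservice` you can check the parsing against real lines before wiring it into the daily report. Keeping the unmatched-entries section is the important design choice: a filter that silently discards unknown lines hides exactly the new or unexpected events a daily summary exists to surface.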
This just scratches the surface of how to get logwatch running on your system. There is a great deal of information in the HOWTO-Make-Filter, which is included with the logwatch distribution.