Logwatch -- a syslog analyzer written in Perl

• Introduction
• Usage
• Timespan Specification
• Examples
• Customarization
  • How to prevent logwatch from reporting on a particular service
  • Directory Structure
  • Customizing the Configuration
• Installation
• Output

Introduction

Logwatch is a customizable log analyzer written in Perl.  Logwatch parses syslog logs for a given period of time and creates a report for specified daemons or applications.

The current version (as of Jan 2015) is 7.4.2 (Logwatch branches).  Logwatch is not a single script, but a set of Perl scripts and filters. RPM packages are available for both RHEL and SLES, but they are not installed by default.

The architecture is somewhat similar to /etc/inet.d and uses the idea "one script per service" to pickup relevant messages from a particular service. Relevant script is specified in invocation, for example

logwatch --service kernel  

Filtering logic is directly encoded in each Perl script (one script per daemon) . Which is not a bad idea for those who know Perl really well. No so great for everybody else: for them the program is by-and-large a blackbox.

Scripts for each service are stored in /usr/share/logwatch/scripts/services directory. In the current version there are about hundred of them  (91 in RHEL 6.5, 92 in SLES 11, SP3). That creates a real maintenance problem as some of them were never updated from 2007 and now are definitely outdated.

In loading "service script" logwatch first tries /etc/logwatch tree (the tree for locally customized scripts) and then /usr/share/logwatch tree (the default tree that comes with the distribution). So you can copy and modify any service script to /etc/logwatch without destroying the "default" version stored in /usr/share/logwatch tree.

The program is abandonware and most scripts are outdated. Maintenance efforts are very limited as you can see from SourceForge logs. For example, the critical /usr/share/logwatch/scripts/services/kernel script was last updated in 2006 or seven years ago (this page was written in March 2013):

3 # $Id: kernel,v 1.33 2006/01/16 18:40:31 kirk Exp $

Documentation is so-so, although this is a standard level for most software packages ;-). At least it does exist.

Usage

Logwatch can either be used at the command-line to generate on-the-fly reports, or via cron to regularly create and possibly mail to you custom reports. You can specify, how much details are written in the report.

You basically tell logwatch for which service, time span and to which detail level to generate a report.

The first parameter to specify is service. If you want all services specify. For example:

logwatch --service All

If it is not specified the the value form active configuration file is used (All is default value)

For example to get a detailed report on all kernel messages from yesterday you can run the following command:

logwatch --service kernel --detail High --range Yesterday --print

The most difficult part is specifying timespan, which should be given as a parameter to the option --range . In the example above it is simply Yesterday . Other options are pretty transparent:

• --range range This option is the most complex and provides timespan specification (see below). The most common values are Yesterday, Today and All.

• --print Print the results to stdout (i.e. the screen).
• --mailto address Mail the results to the email address or user specified in address.
• --archives Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz). This option will make LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however.
• --debug level is used mainly for debugging purposes. The level can range from 0 to 100. High values can really clutter up your output.
• --save file-name Save the output to file-name instead of displaying or mailing it.
• --logdir directory  Look in directory for source syslog files instead of the default directory.
• --hostname hostname Use hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate).
• --usage Displays usage information
• --help same as --usage.

Timespan Specification

Timespan specification is pretty complex. The default is "for that day". At the beginning you can limit yourself to three typical cases:

• --range 'since date'. For example --range 'since March 1, 2013'
• --range All
• --range 'between 5/3/2013 and 5/3/2013'

Non-standard, but well-supported Perl module Date::Manip  is used. It provides pretty flexible means of specifying dates including two common keywords:

yesterday
today

All date specified in logwatch  time specification like between should have values that can be parsed by Perl Date::Manip module. The latter was written by Sullivan Beck and is documented on Cspan.

The format of the range option is:

--range "date_range [period]"

all
between date1 and date2
since date1

Valid instances of the optional parameter period have one of the following formats:

   for (that|this) (year|month|day|hour|minute|second)
   for those (years|months|days|hours|minutes|seconds)

More examples:

   --range today
   --range yesterday
   --range '4 hours ago for that hour'
   --range '-3 days'
   --range 'since 2 hours ago for those hours'
   --range 'between -10 days and -2 days'
   --range 'Apr 15, 2005'
   --range 'first Monday in May'
   --range 'between 4/23/2005 and 4/30/2005'
   --range '2005/05/03 10:24:17 for that second'

A caution about efficiency: a range of "yesterday for those hours" will search for log entries for the last 24 hours, and is inefficient because it searches for individual matches for each hour. A range of "yesterday" will search for log entries for the previous day, and it searches for a single date match.

Examples

• Detailed report on all kernel messages from yesterday

  logwatch --service kernel --detail High --range Yesterday --print

• Same from March 1, 2013

   logwatch --service kernel --detail High --range 'since March 1, 2013' --print

• Low detail report on all sshd events recorded (incl. archived logs)

  logwatch --service sshd --detail Low --range All --archives --print

• Mail a report on all smartd messages from May 5th to May 7th to root@localhost

  logwatch --service smartd --range 'between 5/3/2013 and 5/3/2013' \
  --mailto root@localhost --print

The --range option has got a complex syntax—see logwatch --range help for details. A list of all services that can be queried is available with the following command:

ls /usr/share/logwatch/default.conf/services/ | sed 's/\.conf//g'

Customarization

As this is a log analyzer and logs are pretty idiosyncratic and depend not only on flavor of Linux (REHEL/SLES/Debian, etc) but also on set of installed applications, logwatch can and should be customized. The configuration files for logwatch on RHEL/CentOS/SLES are stored at the directory /etc/logwatch. By default the following three files are present

./conf/override.conf
./conf/logwatch.conf
./conf/ignore.conf

You can also create as many custom configuration as you wish in /etc/logwatch/conf/ using the default configuration file as a template.

A detailed HOWTO on customizing logwatch is available at HOWTO-Customize-LogWatch.

The most important configuration file is logwatch.conf which is the main configuration file. The default version is extensively commented.  It can be configured to email the generated report and actually have several settings specifically designed for central loghost environment (multimail, etc).  That suggests that the initial design goal was to simplify working with a large central loghost.

Each configuration option can be overwritten from the command line. If you change the file itself please make a backup. Please understand that you need to have a backup copy of your custom files as they can be overwritten with the update to a new version of logwatch

There are several additional directories too:

• services/*.conf The service directory holds configuration files for each service you can generate a report for.  You can delete those that you do not want to use.
• logfiles/*.conf Specifications on which log files should be parsed for each service.

Directory Structure

This section describes the subdirectories and files shipped with the Logwatch distribution, using the names and locations used by default.

default.conf:		 Contains the default configuration files
	 		 shipped with the Logwatch distribution

dist.conf:		 Contains the configuration files shipped
	 		 with your specific Operating Systems
	 		 distribution.

lib:		 	 Contains perl library files.

scripts:		 Contains the perl executables.

• /etc/logwatch/conf: local cofiguration file, that overwrite default one. Contains the configuration files specific to the system.
• /etc/logwatch/scripts: local configuration file, that overwrite default one. Contains the executable scripts specific to the system.  Can be used for disabling unwanted scripts by putting exit at the head of the script.

The three directories /usr/share/logwatch/default.conf, /usr/share/logwatch/dist.conf, and /etc/logwatch/conf, all have the same structure:

• services: This subdirectory contains the configuration files specific to each service. Logwatch determines which services are available by examining the contents of this directory. Each service configuration file is named by its service name with the ".conf" suffix.
• logfiles: This subdirectory contains the logfile group configuration files. Each logfile group configuration file contains information about one or more log files with the same format. Several services may use the same logfile group configuration file. Each of these configuration files are named by the group name with the ".conf" suffix. Many of the group names are taken from the name of a system log file (such as messages, maillog, secure, etc.), but not always.
• logwatch.conf: This file contains the defaults for the overall execution of Logwatch, and affect all of its services. Many of its parameters can be overridden by command-line switches when invoking the Logwatch executable, as described in the man page for Logwatch.
• ignore.conf: This file specifies regular expressions that, when matched by the output of logwatch, will suppress the matching line, regardless of which service is being executed.

The /etc/logwatch/conf directory may also contain the file 'override.conf', which is described in section 4, "Customizing the Configuration."

Executables Structure

• services: This subdirectory contains the executable for each service. Unless otherwise specified in the configuration service file (see above), the executables are written in the perl language.
• shared: This subdirectory contains executables that may be invoked by more than one configuration service file.
• logfiles: This subdirectory may contain subdirectories with logfile group names. The executables under each of these subdirectories are automatically invoked when running a service that uses the corresponding logfile group name.

Customizing the Configuration

During installation Logwatch modify the default configuration according tot he distribution it encounter, if it knows it. Therefore, you generally can start using Logwatch "as is".

You can customize the output of logwatch by modifying variables in the /etc/logwatch/conf directory.

Default values are specified in the /usr/share/logwatch/default.conf directory. Your distribution may have set additional defaults in the /usr/share/logwatch/dist.conf directory. All the variables available are declared in the files under these directories. You can change the default values to modify how or what is displayed with logwatch. One variable available to all services, and which by default is not specified, is the 'Detail' variable (note that it is not preceded by a '$' symbol). Specifying a Detail value will override the global Detail level, for that service only.

There are two mechanisms for customizing the variables:

1. The /etc/logwatch/conf directory is first searched for files with the same name and relative location as the /usr/share/logwatch/default.conf directory. Variables declared in these files override the defaults.

   For example, if file /etc/logwatch/conf/services/sendmail.conf has the single entry:

    $sendmail_unknownusersthreshold = 5

   then the threshold for unknown users is set to five instead of the default of one. All other parameters are not modified.

   The configuration files have four different types of declarations, determined by the first character in each line:

         '#': Rest of line is a comment, and is ignored.
         '$': Rest of first field is a variable
         '*': Denotes the name of an executable script

   Other than blank lines, the only other declarations are reserved variable names, such as LogFile, Archive, etc.

   In general, setting a variable overrides any value previously set. However, the following variables are cumulative:

   • In logwatch.conf: LogFile, Service
   • In services/service_name.conf: LogFile
   • In logfiles/service_name.conf: LogFile, Archive
   
   To remove all previous declarations of that variable, set the variable to the empty string. Duplicate values in the cumulative variables are deleted.

   If an executable script is declared in an /etc/logwatch/conf file, all of the executable script declarations in the corresponding file in /usr/share/logwatch/default.conf or /usr/share/logwatch/dist.conf are ignored.

   Because of the way variables and executable scripts are declared, the files in /etc/logwatch/conf/ can be created in one of two ways:

   • you can create a file with only the modified variables (and new executable script declarations, if needed), as described above, or
   • you can copy an entire configuration file from /usr/share/logwatch/default.conf to its corresponding location in /etc/logwatch/conf, and then modify those lines that require it. Because duplicates are removed from cumulative variables, and new executable script groups override the old ones, the output should be correct.
2. The /etc/logwatch/conf/override.conf file is then searched. The first field in each line may be one of the following:
   • # This character indicates that the rest of the line is a comment, and is ignored.
   • logwatch: This string indicates that the rest of the line is a global configuration option, and uses the same syntax as the /usr/share/logwatch/default.conf/logwatch.conf file.
   • services/service_name: (Where service_name is the name of a service.) This string indicates that the rest of the line is a configuration option for the specified service, and uses the same syntax as the /usr/share/logwatch/default.conf/services files.
   • logfiles/service_name: (Where service_name is the name of a service.) This string indicates that the rest of the line is a configuration option for the specified service, and uses the same syntax as the /usr/share/logwatch/default.conf/logfiles files.
   For example, if the file /etc/logwatch/conf/override.conf has the single entry:

   logwatch: Detail = High

   then the default detail level for all services will be set to High.

   And, in file override.conf, the following declaration:

   logfiles/messages: LogFile = syslog

   will analyze the syslog file (in addition to the default messages file) for certain services. But the following two declarations combined:

   logfiles/messages: LogFile = 
   logfiles/messages: LogFile = syslog

   will cause the messages file to be ignored for those same services, and only the syslog file will be used.

How to prevent logwatch from reporting on a particular service

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

Customizing the Scripts

Similarly to the way you can customize the configuration, as specified in section 4, you can override the default executable scripts.

This is accomplished by placing an executable file with the same name and relative path (with respect to /usr/share/logwatch/scripts) under the /etc/logwatch/scripts directory. If such a file is found in the /etc/logwatch/scripts directory, the corresponding file under /usr/share/logwatch/scripts will be ignored.

Creating New Service Filters

New services may be created by creating new configuration and executable files, described above, and placing them in the /etc/logwatch directory. This section provides additional details and examples for creating new service filters, but it might be easier to base the new files on the existing configuration and script files under the /usr/share/logwatch directory.

Logfile Groups

# This will be the logfile named 'messages' in the default logfile
# directory (probably /var/log).
LogFile = messages

You can have as many LogFile entries as you wish. All the files specified will be merged into one input stream for any filters that use this logfile group. You can also use standard wildcards when you specify the filename.

Another command that is optional is called 'Archive'. You can specify a file to also include in the data stream if the '--archives' option is used. If these files do not exist it is okay. For example:

# These 2 'Archive' entries will allow users of most Red Hat Linux
# systems to access their archives of the 'messages' logfile:
Archive = messages.?
# If they configure Compression to be on in /etc/logrotate.conf:
Archive = messages.?.gz
# It is best just to include both of these so that the logfile group
# will work for most systems.

*ApplyStdDate = 

Finally, if the directory /usr/share/logwatch/scripts/logfiles exists, any scripts in that directory will be executed. All of these scripts take the contents of all the specified logfiles in through STDIN and output the modified logfile trought STDOUT.

Service Filter Configuration File

Once you have defined one or more logfile groups (or decided on one or more existing logfile groups), you need to define your service filter.

This file needs to be in /etc/logwatch/conf/services/ and it needs to be named service_name.conf, where service_name is the name of the service. You should probably copy an existing config for another service to create a new one.

For a service filter that needs messages from /var/log/messages you would add this line:

LogFile = 

*SharedScriptName = Arguments

/usr/share/logwatch/scripts/shared/

You can also have commands in the form:

$EnvironmentVariable = Value

You will also usually want to specify a title for your script (new in Logwatch 4.0). If specified, then a start and stop delimiter will be added by Logwatch for your specific service (with your script's output between those delimiters). This will *only* happen if you produce output. If you produce no output, the headers will not be created. Here is how you define your title:

Title = "My Service Title"

Service Filter Executable

Once everything above has been done, you are ready to actually write your filter. This can be done in any language as all it does is:

1. Read logfile entries from STDIN
2. Access some environment variables
3. Generate a report on STDOUT

###################### Cut Here #########################
#!/bin/bash
# This is as nice script that will show you the lines you will
# be processing and reporting on.  It will first display the
# standard environment variables and then it takes STDIN and
# dump it right back out to STDOUT.  

# These are the standard environment variables.  You can define
# more in your service config file (see above).
echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

# Now take STDIN and dump it to STDOUT
cat
###################### Cut Here #########################

The value of the environment variable LOGWATCH_DETAIL_LEVEL can be any integer. In reality, it is usually 0 (for low), 5 (for medium), and 10 (for high).

Your script should only produce output as appropriate. If there are no relevant log entries, no output should be produced. Likewise, if you are reporting two things, such as "Good Logins" and "Bad Logins", you should only produce even the headers when appropriate. For example:

Bad Logins:
   amber (2 time(s))
   kirk (3 time(s))

Good Logins:
   amber (5 time(s))
   kirk (10 time(s))

But, if no failed logins occur, you should only output:

Good Logins:
   amber (5 time(s))
   kirk (10 time(s))

0 (Low): Display only errors and security-related issues
5 (Med): Display anything that a typical administator would be interested in
10 (High): Display anything that a paranoid administrator would want to see

Installation

In most cases (RHEL/CentOS/SLES) logwatch is not installed by default, but RPM package is available from DVD and repositories. This is a pretty big package that supplied a set of "default configurations" in the directory /usr/share/logwatch/default.conf from which you can create your own:

[0]root@UNDER_CONSTRUCTION: # rpm -ql logwatch
/etc/cron.d/dmeventd
/etc/cron.daily/0logwatch
/etc/logwatch
/etc/logwatch/conf
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logfiles
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/etc/logwatch/conf/services
/etc/logwatch/scripts
/usr/sbin/logwatch
/usr/share/doc/packages/logwatch
/usr/share/doc/packages/logwatch/CHANGES
/usr/share/doc/packages/logwatch/HOWTO-Customize-LogWatch
/usr/share/doc/packages/logwatch/License
/usr/share/doc/packages/logwatch/README
/usr/share/doc/packages/logwatch/USEDFORBUILD.bz2
/usr/share/logwatch
/usr/share/logwatch/default.conf
/usr/share/logwatch/default.conf/html
/usr/share/logwatch/default.conf/html/footer.html
/usr/share/logwatch/default.conf/html/header.html
/usr/share/logwatch/default.conf/ignore.conf
/usr/share/logwatch/default.conf/logfiles
/usr/share/logwatch/default.conf/logfiles/autorpm.conf
/usr/share/logwatch/default.conf/logfiles/bfd.conf
/usr/share/logwatch/default.conf/logfiles/cisco.conf
/usr/share/logwatch/default.conf/logfiles/clam-update.conf
/usr/share/logwatch/default.conf/logfiles/cron.conf
/usr/share/logwatch/default.conf/logfiles/daemon.conf
/usr/share/logwatch/default.conf/logfiles/denyhosts.conf
/usr/share/logwatch/default.conf/logfiles/dnssec.conf
/usr/share/logwatch/default.conf/logfiles/dpkg.conf
/usr/share/logwatch/default.conf/logfiles/emerge.conf
/usr/share/logwatch/default.conf/logfiles/eventlog.conf
/usr/share/logwatch/default.conf/logfiles/exim.conf
/usr/share/logwatch/default.conf/logfiles/extreme-networks.conf
/usr/share/logwatch/default.conf/logfiles/fail2ban.conf
/usr/share/logwatch/default.conf/logfiles/http.conf
/usr/share/logwatch/default.conf/logfiles/iptables.conf
/usr/share/logwatch/default.conf/logfiles/kernel.conf
/usr/share/logwatch/default.conf/logfiles/maillog.conf
/usr/share/logwatch/default.conf/logfiles/messages.conf
/usr/share/logwatch/default.conf/logfiles/netopia.conf
/usr/share/logwatch/default.conf/logfiles/netscreen.conf
/usr/share/logwatch/default.conf/logfiles/php.conf
/usr/share/logwatch/default.conf/logfiles/pix.conf
/usr/share/logwatch/default.conf/logfiles/pureftp.conf
/usr/share/logwatch/default.conf/logfiles/qmail-pop3d-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-pop3ds-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-send-current.conf
/usr/share/logwatch/default.conf/logfiles/qmail-smtpd-current.conf
/usr/share/logwatch/default.conf/logfiles/resolver.conf
/usr/share/logwatch/default.conf/logfiles/rt314.conf
/usr/share/logwatch/default.conf/logfiles/samba.conf
/usr/share/logwatch/default.conf/logfiles/secure.conf
/usr/share/logwatch/default.conf/logfiles/sonicwall.conf
/usr/share/logwatch/default.conf/logfiles/syslog.conf
/usr/share/logwatch/default.conf/logfiles/tac_acc.conf
/usr/share/logwatch/default.conf/logfiles/up2date.conf
/usr/share/logwatch/default.conf/logfiles/vsftpd.conf
/usr/share/logwatch/default.conf/logfiles/windows.conf
/usr/share/logwatch/default.conf/logfiles/xferlog.conf
/usr/share/logwatch/default.conf/logfiles/yum.conf
/usr/share/logwatch/default.conf/logwatch.conf
/usr/share/logwatch/default.conf/services
/usr/share/logwatch/default.conf/services/afpd.conf
/usr/share/logwatch/default.conf/services/amavis.conf
/usr/share/logwatch/default.conf/services/arpwatch.conf
/usr/share/logwatch/default.conf/services/audit.conf
/usr/share/logwatch/default.conf/services/automount.conf
/usr/share/logwatch/default.conf/services/autorpm.conf
/usr/share/logwatch/default.conf/services/bfd.conf
/usr/share/logwatch/default.conf/services/cisco.conf
/usr/share/logwatch/default.conf/services/clam-update.conf
/usr/share/logwatch/default.conf/services/clamav-milter.conf
/usr/share/logwatch/default.conf/services/clamav.conf
/usr/share/logwatch/default.conf/services/courier.conf
/usr/share/logwatch/default.conf/services/cron.conf
/usr/share/logwatch/default.conf/services/denyhosts.conf
/usr/share/logwatch/default.conf/services/dhcpd.conf
/usr/share/logwatch/default.conf/services/dmeventd.conf
/usr/share/logwatch/default.conf/services/dnssec.conf
/usr/share/logwatch/default.conf/services/dovecot.conf
/usr/share/logwatch/default.conf/services/dpkg.conf
/usr/share/logwatch/default.conf/services/emerge.conf
/usr/share/logwatch/default.conf/services/evtapplication.conf
/usr/share/logwatch/default.conf/services/evtsecurity.conf
/usr/share/logwatch/default.conf/services/evtsystem.conf
/usr/share/logwatch/default.conf/services/exim.conf
/usr/share/logwatch/default.conf/services/eximstats.conf
/usr/share/logwatch/default.conf/services/extreme-networks.conf
/usr/share/logwatch/default.conf/services/fail2ban.conf
/usr/share/logwatch/default.conf/services/ftpd-messages.conf
/usr/share/logwatch/default.conf/services/ftpd-xferlog.conf
/usr/share/logwatch/default.conf/services/http.conf
/usr/share/logwatch/default.conf/services/identd.conf
/usr/share/logwatch/default.conf/services/imapd.conf
/usr/share/logwatch/default.conf/services/in.qpopper.conf
/usr/share/logwatch/default.conf/services/init.conf
/usr/share/logwatch/default.conf/services/ipop3d.conf
/usr/share/logwatch/default.conf/services/iptables.conf
/usr/share/logwatch/default.conf/services/kernel.conf
/usr/share/logwatch/default.conf/services/mailscanner.conf
/usr/share/logwatch/default.conf/services/modprobe.conf
/usr/share/logwatch/default.conf/services/mountd.conf
/usr/share/logwatch/default.conf/services/named.conf
/usr/share/logwatch/default.conf/services/netopia.conf
/usr/share/logwatch/default.conf/services/netscreen.conf
/usr/share/logwatch/default.conf/services/oidentd.conf
/usr/share/logwatch/default.conf/services/openvpn.conf
/usr/share/logwatch/default.conf/services/pam.conf
/usr/share/logwatch/default.conf/services/pam_pwdb.conf
/usr/share/logwatch/default.conf/services/pam_unix.conf
/usr/share/logwatch/default.conf/services/php.conf
/usr/share/logwatch/default.conf/services/pix.conf
/usr/share/logwatch/default.conf/services/pluto.conf
/usr/share/logwatch/default.conf/services/pop3.conf
/usr/share/logwatch/default.conf/services/portsentry.conf
/usr/share/logwatch/default.conf/services/postfix.conf
/usr/share/logwatch/default.conf/services/pound.conf
/usr/share/logwatch/default.conf/services/proftpd-messages.conf
/usr/share/logwatch/default.conf/services/pureftpd.conf
/usr/share/logwatch/default.conf/services/qmail-pop3d.conf
/usr/share/logwatch/default.conf/services/qmail-pop3ds.conf
/usr/share/logwatch/default.conf/services/qmail-send.conf
/usr/share/logwatch/default.conf/services/qmail-smtpd.conf
/usr/share/logwatch/default.conf/services/qmail.conf
/usr/share/logwatch/default.conf/services/raid.conf
/usr/share/logwatch/default.conf/services/resolver.conf
/usr/share/logwatch/default.conf/services/rt314.conf
/usr/share/logwatch/default.conf/services/samba.conf
/usr/share/logwatch/default.conf/services/saslauthd.conf
/usr/share/logwatch/default.conf/services/scsi.conf
/usr/share/logwatch/default.conf/services/secure.conf
/usr/share/logwatch/default.conf/services/sendmail-largeboxes.conf
/usr/share/logwatch/default.conf/services/sendmail.conf
/usr/share/logwatch/default.conf/services/shaperd.conf
/usr/share/logwatch/default.conf/services/slon.conf
/usr/share/logwatch/default.conf/services/smartd.conf
/usr/share/logwatch/default.conf/services/sonicwall.conf
/usr/share/logwatch/default.conf/services/sshd.conf
/usr/share/logwatch/default.conf/services/sshd2.conf
/usr/share/logwatch/default.conf/services/stunnel.conf
/usr/share/logwatch/default.conf/services/sudo.conf
/usr/share/logwatch/default.conf/services/syslogd.conf
/usr/share/logwatch/default.conf/services/tac_acc.conf
/usr/share/logwatch/default.conf/services/up2date.conf
/usr/share/logwatch/default.conf/services/vpopmail.conf
/usr/share/logwatch/default.conf/services/vsftpd.conf
/usr/share/logwatch/default.conf/services/windows.conf
/usr/share/logwatch/default.conf/services/xntpd.conf
/usr/share/logwatch/default.conf/services/yum.conf
/usr/share/logwatch/default.conf/services/zz-disk_space.conf
/usr/share/logwatch/default.conf/services/zz-fortune.conf
/usr/share/logwatch/default.conf/services/zz-network.conf
/usr/share/logwatch/default.conf/services/zz-runtime.conf
/usr/share/logwatch/default.conf/services/zz-sys.conf
/usr/share/logwatch/dist.conf
/usr/share/logwatch/dist.conf/logfiles
/usr/share/logwatch/dist.conf/services
/usr/share/logwatch/lib
/usr/share/logwatch/lib/Logwatch.pm
/usr/share/logwatch/scripts
/usr/share/logwatch/scripts/logfiles
/usr/share/logwatch/scripts/logfiles/autorpm
/usr/share/logwatch/scripts/logfiles/autorpm/applydate
/usr/share/logwatch/scripts/logfiles/cron
/usr/share/logwatch/scripts/logfiles/cron/applydate
/usr/share/logwatch/scripts/logfiles/emerge
/usr/share/logwatch/scripts/logfiles/emerge/applydate
/usr/share/logwatch/scripts/logfiles/samba
/usr/share/logwatch/scripts/logfiles/samba/applydate
/usr/share/logwatch/scripts/logfiles/samba/removeheaders
/usr/share/logwatch/scripts/logfiles/up2date
/usr/share/logwatch/scripts/logfiles/up2date/applydate
/usr/share/logwatch/scripts/logfiles/up2date/removeheaders
/usr/share/logwatch/scripts/logfiles/xferlog
/usr/share/logwatch/scripts/logfiles/xferlog/applydate
/usr/share/logwatch/scripts/logfiles/xferlog/removeheaders
/usr/share/logwatch/scripts/logfiles/yum
/usr/share/logwatch/scripts/logfiles/yum/applydate
/usr/share/logwatch/scripts/logwatch.pl
/usr/share/logwatch/scripts/services
/usr/share/logwatch/scripts/services/afpd
/usr/share/logwatch/scripts/services/amavis
/usr/share/logwatch/scripts/services/arpwatch
/usr/share/logwatch/scripts/services/audit
/usr/share/logwatch/scripts/services/automount
/usr/share/logwatch/scripts/services/autorpm
/usr/share/logwatch/scripts/services/bfd
/usr/share/logwatch/scripts/services/cisco
/usr/share/logwatch/scripts/services/clam-update
/usr/share/logwatch/scripts/services/clamav
/usr/share/logwatch/scripts/services/clamav-milter
/usr/share/logwatch/scripts/services/courier
/usr/share/logwatch/scripts/services/cron
/usr/share/logwatch/scripts/services/denyhosts
/usr/share/logwatch/scripts/services/dhcpd
/usr/share/logwatch/scripts/services/dmeventd
/usr/share/logwatch/scripts/services/dnssec
/usr/share/logwatch/scripts/services/dovecot
/usr/share/logwatch/scripts/services/dpkg
/usr/share/logwatch/scripts/services/emerge
/usr/share/logwatch/scripts/services/evtapplication
/usr/share/logwatch/scripts/services/evtsecurity
/usr/share/logwatch/scripts/services/evtsystem
/usr/share/logwatch/scripts/services/exim
/usr/share/logwatch/scripts/services/eximstats
/usr/share/logwatch/scripts/services/extreme-networks
/usr/share/logwatch/scripts/services/fail2ban
/usr/share/logwatch/scripts/services/ftpd-messages
/usr/share/logwatch/scripts/services/ftpd-xferlog
/usr/share/logwatch/scripts/services/http
/usr/share/logwatch/scripts/services/identd
/usr/share/logwatch/scripts/services/imapd
/usr/share/logwatch/scripts/services/in.qpopper
/usr/share/logwatch/scripts/services/init
/usr/share/logwatch/scripts/services/ipop3d
/usr/share/logwatch/scripts/services/iptables
/usr/share/logwatch/scripts/services/kernel
/usr/share/logwatch/scripts/services/mailscanner
/usr/share/logwatch/scripts/services/modprobe
/usr/share/logwatch/scripts/services/mountd
/usr/share/logwatch/scripts/services/named
/usr/share/logwatch/scripts/services/netopia
/usr/share/logwatch/scripts/services/netscreen
/usr/share/logwatch/scripts/services/oidentd
/usr/share/logwatch/scripts/services/openvpn
/usr/share/logwatch/scripts/services/pam
/usr/share/logwatch/scripts/services/pam_pwdb
/usr/share/logwatch/scripts/services/pam_unix
/usr/share/logwatch/scripts/services/php
/usr/share/logwatch/scripts/services/pix
/usr/share/logwatch/scripts/services/pluto
/usr/share/logwatch/scripts/services/pop3
/usr/share/logwatch/scripts/services/portsentry
/usr/share/logwatch/scripts/services/postfix
/usr/share/logwatch/scripts/services/pound
/usr/share/logwatch/scripts/services/proftpd-messages
/usr/share/logwatch/scripts/services/pureftpd
/usr/share/logwatch/scripts/services/qmail
/usr/share/logwatch/scripts/services/qmail-pop3d
/usr/share/logwatch/scripts/services/qmail-pop3ds
/usr/share/logwatch/scripts/services/qmail-send
/usr/share/logwatch/scripts/services/qmail-smtpd
/usr/share/logwatch/scripts/services/raid
/usr/share/logwatch/scripts/services/resolver
/usr/share/logwatch/scripts/services/rt314
/usr/share/logwatch/scripts/services/samba
/usr/share/logwatch/scripts/services/saslauthd
/usr/share/logwatch/scripts/services/scsi
/usr/share/logwatch/scripts/services/secure
/usr/share/logwatch/scripts/services/sendmail
/usr/share/logwatch/scripts/services/sendmail-largeboxes
/usr/share/logwatch/scripts/services/shaperd
/usr/share/logwatch/scripts/services/slon
/usr/share/logwatch/scripts/services/smartd
/usr/share/logwatch/scripts/services/sonicwall
/usr/share/logwatch/scripts/services/sshd
/usr/share/logwatch/scripts/services/sshd2
/usr/share/logwatch/scripts/services/stunnel
/usr/share/logwatch/scripts/services/sudo
/usr/share/logwatch/scripts/services/syslogd
/usr/share/logwatch/scripts/services/tac_acc
/usr/share/logwatch/scripts/services/up2date
/usr/share/logwatch/scripts/services/vpopmail
/usr/share/logwatch/scripts/services/vsftpd
/usr/share/logwatch/scripts/services/windows
/usr/share/logwatch/scripts/services/xntpd
/usr/share/logwatch/scripts/services/yum
/usr/share/logwatch/scripts/services/zz-disk_space
/usr/share/logwatch/scripts/services/zz-fortune
/usr/share/logwatch/scripts/services/zz-network
/usr/share/logwatch/scripts/services/zz-runtime
/usr/share/logwatch/scripts/services/zz-sys
/usr/share/logwatch/scripts/shared
/usr/share/logwatch/scripts/shared/applybinddate
/usr/share/logwatch/scripts/shared/applyeurodate
/usr/share/logwatch/scripts/shared/applyhttpdate
/usr/share/logwatch/scripts/shared/applystddate
/usr/share/logwatch/scripts/shared/applytaidate
/usr/share/logwatch/scripts/shared/applyusdate
/usr/share/logwatch/scripts/shared/eventlogonlyservice
/usr/share/logwatch/scripts/shared/eventlogremoveservice
/usr/share/logwatch/scripts/shared/expandrepeats
/usr/share/logwatch/scripts/shared/hosthash
/usr/share/logwatch/scripts/shared/hostlist
/usr/share/logwatch/scripts/shared/multiservice
/usr/share/logwatch/scripts/shared/onlycontains
/usr/share/logwatch/scripts/shared/onlyhost
/usr/share/logwatch/scripts/shared/onlyservice
/usr/share/logwatch/scripts/shared/remove
/usr/share/logwatch/scripts/shared/removeheaders
/usr/share/logwatch/scripts/shared/removeservice
/usr/share/man/man8/logwatch.8.gz
/var/cache/logwatch
/var/cache/logwatch/timestamp.txt

/etc/cron.d/dmeventd can pollute /var/log/messages

Logwatch does not match system daemons with the chkconfig --list output.  Thaqt leas to excessive and generally unnesessary processing for "fake" or not active daemons. For some reason cron include dmeventd in the standard package specifies invocation of logwatch each minute:

*/1 * * * * root /usr/sbin/logwatch --service dmeventd

This service is controlled by config file /usr/share/logwatch/default.conf/services/dmeventd.conf

Title = "Dmeventd Errors"
LogFile = messages
*OnlyService = dmeventd

Per minute invocation pollutes /var/log/messages among other things. I think this cron include should better be deleted from /etc/cron.d. Your mileage may vary.

The module itself (/usr/share/logwatch/scripts/services/dmeventd) is pretty primitive:

[0]root@basfimgw: # cat /usr/share/logwatch/scripts/services/dmeventd
########################################################################
# Copyright (C) 2007-2008, Intel Corp. All rights reserved.
#
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
########################################################################

########################################################
# dmeventd
########################################################

########################################################
# This was written and is maintained by:
#    Brian Wood 
#
# Please send all comments, suggestions, bug reports,
#    etc, to .
########################################################

# Set the location of the folder to store last time stamp
# (This is used to record the last log sent out so repeats
#  are not mailed in error.)
$Storage_file = "/var/cache/logwatch/timestamp.txt";
$count = 0;
$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

if (-e $Storage_file) {
        open(FD, "+<", "$Storage_file") or die $!;
        seek(FD, 0, 0);
        read(FD, $prev_time, 8);
}
else {
        open(FD, ">", "$Storage_file") or die $!;
        $prev_time = "";
}

while (defined($ThisLine = )) {
        #SAMPLE LOG DATA: Oct 15 01:14:33 dmraid-devhost dmeventd[24857]: Processing device "isw_febiihjha_Volume0" for events
        # All of the elements of the 'split()' aren't used, but could be if custom formating is desired.
        ($month, $day, $time, $hostname, $program, $message) = split(' ',$ThisLine, 6);
        chop($program); # Chop off the colon
        if ($prev_time eq "" || $time gt $prev_time) { # If this is the first run or the time is newer than that stored print log entry
                #print "$ThisLine";
                if($ThisLine =~ /Processing Raid|End of|Monitoring device|No longer/ ) {
                        $entries{$count} = "$month $day $time:  $message";
                }
                else {
                        $entries{$count} = "$month $day $time:    $message";
                }
                $count++; #Keep a count of the number of new logs
        }
}

if ($count != 0) {
        print ("There were a total of $count new log entries\n\n");
        print ("Date             Message\n");
        print ("------------------------\n");
        $num = 0;
        while ($num < $count) {
                print ("$entries{$num}");
                $num++;
        }
}

seek(FD, 0, 0);
printf FD $time;
close(FD);
exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et

Output

Logwatch generally ignores the time component in the output, that means, you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.

# logwatch --service kernel --detail Low --range 'since March 1, 2013' --print

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon Apr  1 15:40:44 2013
        Date Range Processed: since march 1, 2013
                              ( 2013-Feb-28 / 2013-Apr-01 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: mailserver
  ##################################################################

 --------------------- Kernel Begin ------------------------

 WARNING:  Kernel Errors Present
    [3029872.072498] ACPI Error: SMBus or IPMI w ...:  2 Time(s)
    [3029872.072504] ACPI Error (psparse-0537):  ...:  2 Time(s)
    [3029876.331261] ACPI Error: SMBus or IPMI w ...:  2 Time(s)
    [3029876.331266] ACPI Error (psparse-0537):  ...:  2 Time(s)

 ---------------------- Kernel End -------------------------

NEWS CONTENTS

• 20151207 : How to monitor server log files with Logwatch on Debian and Ubuntu ( How to monitor server log files with Logwatch on Debian and Ubuntu, Dec 07, 2015 )
• 20130326 : From the Sys Admin Toolbox Logwatch ( Linux Magazine )
• 20130326 : Using Logwatch and Watching DVDs by Jeremy Garcia ( May 15th, 2004 , Linux Magazine )
• 20130326 : Logwatch Taking the pain out of log analysis by Scott Sidel ( Logwatch Taking the pain out of log analysis, )
• 20130326 : Stop logwatch reporting on a particular service on CentOS ( May 3, 2008 , www.electrictoolbox.com )
• 20130326 : What is Logwatch? ( )
• 20130326 : Stop logwatch reporting on a particular service on CentOS ( May 3, 2008 , www.electrictoolbox.com )

Old News ;-)

[Dec 07, 2015] How to monitor server log files with Logwatch on Debian and Ubuntu

"Just my 2 cents, the configuration file at /usr/share/logwatch/default.conf/logwatch.conf contains all the default settings and comments on what they do. It is recommended to leave the default conf alone and instead re-define a setting variable you want to change in /etc/logwatch/conf/logwatch.conf. "

"On Mint/Debian, the default configuration is overridden by /usr/share/logwatch/dist.conf/logwatch.conf. I also recommend to define the running configuration as /etc/logwatch/conf/logwatch.conf and to redefine any useful variables."

This is what you are supposed to see in the config file. Find out the following in it:

MailTo = root change it to MailTo = [email protected]

Editing the second line is optional. It is used when you want a notification at mutiple mails.
The third line is to state that you will be receiving the mail from logwatch. After completing the above you would like to check the report range or the time in which you will receive reports.

Range = All

You might want to change it to Yesterday for reports of yesterday, Today for today's report of All for everyday report. The report that are available since the beginning will be sent.
The next options is the level of report you would like to send Low, Medium or High. After this you can also go ahead and add particular services you would like to have in your reports. By default all the services are sent in the reports but user can specify all those services by himself:

You can check the synopsis of logwatch:

logwatch [--detail level ] [--logfile log-file-group ] [--service ser� vice-name ] [--mailto address ] [--archives] [--range range ] [--debug level ] [--filename file-name ] [--logdir directory ] [--hostname host� name ] [--hostformat host based options ] [--output output-type ] [--format report format ] [--encode encoding to use ] [--numeric] [--version] [--help|--usage]

You can use this to use logwatch manually and skip all the above config.

logwatch --detail High --service http --mailto [email protected] --range all --logdirectory /var/cache/logwatch

The above is a custom command by a user for his own needs you my go ahead and check, what suits your needs.

Additional logwatch options

Usage information about Logwatch can be obtained through the man page:

man logwatch

The section titled "MORE INFORMATION" in the man page lists additional documentation files available with the distribution.

A summary of the command-line switches described in the man page can be obtained with the '--help' option:

logwatch --help

[Mar 26, 2013] From the Sys Admin Toolbox Logwatch

Linux Magazine

... ... ...

You can run logwatch with a specific date range. For example, if you want to see information about today's SSHD activity, you can run this command:

# logwatch --service sshd --range=Today

Check root's mail to see the details of the report. Shown is the SSHD section of the report.

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

This is your default "Low" detail logwatch output report. For a more detailed report, try using –detail=Medium. Check root's mail for the report.

# logwatch --service sshd --range=Today --detail=Medium

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

You can see that there's more detail in this report. You can try using the High parameter to squeeze more detail from logs.

# logwatch --service sshd --range=Today --detail=High

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    192.168.1.83: 12 times
       bob/password: 6 times
       george/password: 3 times
       raphael/password: 3 times

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s)
 PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83  : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s)

 ---------------------- SSHD End -------------------------

As you can see, the detail didn't change from Medium to High for SSHD. Alternatively, you can specify the detail level using numeric values using 0, 5 or 10, where 10 is the highest level of detail. Please note that you won't receive more detail than what's supplied in the logs.

For those of you, like me, who don't love command line mail, you can tell logwatch to save its report to a file.

# logwatch --service sshd --range=Today --detail=High --save=logwatch.today

If you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.

Logwatch Paranoid Configuration

As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supercede any configured parameters hard-coded in the configuration file located in /usr/share/logwatch/default.conf.

For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.

The defaults settings are

Range = yesterday

Detail = Low

Archives = No.
You should change these to:

Range = All

Detail = High

Archives = Yes.

The Archives setting grabs data from your recent logs as well. If you remember from the first post in this series, they're located under the /var/log directory and have a .X filename to designate their rotation number.

These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.

# logwatch --detail=High --range=All --archives

Customizing Output

Here's a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.

The command line version is shown below.

# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.html

The equivalent settings in the configuration file are:

Save = /var/www/html/logwatch.html

Output = html

The SSHD section from the HTML report is shown in Figure 1.

Figure 1: SSHD Section from the Logwatch HTML Report

Logwatch is a useful script for system administrators who don't have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that's installed on every system you manage.

Next week, you'll take a look at some real-time log monitoring with swatch.

[Mar 26, 2013] Using Logwatch and Watching DVDs By Jeremy Garcia

May 15th, 2004 | Linux Magazine

Configuring Logwatch

First you need to make sure you server is able to send the mails outside you can do this using postfix with SMTP server configuration

Now you need to edit logwatch.conf file

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following information

Output = mail
Format = html
MailTo = [email protected]

Save and exit the file

If you want to know more available options check logcheck manpage using the following command from your terminal

man logcheck

Now edit the 00logwatch file

sudo nano /etc/cron.daily/00logwatch

add the following line

/usr/sbin/logwatch --mailto [email protected]

Save and exit the file

This tool is very useful give it a try

You can check more configuration from here

Logwatch Taking the pain out of log analysis by Scott Sidel

Each month, the editor of our downloads section recommends the security freeware that he finds most valuable. This month, Scott Sidel reviews the benefits of Logwatch.

---

If you've been searching for a tool to help simplify your security log analysis process consider, Logwatch. This powerful tool specifies which events are important to you, and then scans the log files and reports on those key events. It can parse through systems and application log files, and its output is easily customizable by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing PERL scripts.

Logwatch ships as a standard part of several Linux systems and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system. Simply create a log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.

Why it's a cool tool

The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.

Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.

Stop logwatch reporting on a particular service on CentOS

May 3, 2008 | www.electrictoolbox.com

logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.

The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

You do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.

What is Logwatch?

... ... ...

Logwatch Installation in Debian

#apt-get install logwatch

That's it installation done. Now you need to configure the logwatch

Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf

Default Logwatch configuration file as below and you need to change this file options

# NOTE:

# All these options are the defaults if you run logwatch with no

# command-line arguments. You can override all of these on the

# command-line.

# You can put comments anywhere you want to. They are effective for the

# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning

# and end of the lines is removed. Whitespace before and after the = sign

# is removed. Everything is case *insensitive*.

# Yes = True = On = 1

# No = False = Off = 0

# Default Log Directory

# All log-files are assumed to be given relative to this directory.

LogDir = /var/log

# You can override the default temp directory (/tmp) here

TmpDir = /tmp

# Default person to mail reports to. Can be a local account or a

# complete email address.

MailTo = root

# If set to 'Yes', the report will be sent to stdout instead of being

# mailed to above person.

Print = No

# Leave this to 'Yes' if you have the mktemp program and it supports

# the '-d' option. Some older version of mktemp on pre-RH7.X did not

# support this option, so set this to no in that case and Logwatch will

# use internal temp directory creation that is (hopefully) just as secure

UseMkTemp = Yes

#

# Some systems have mktemp in a different place

#

MkTemp = /bin/mktemp

# if set, the results will be saved in <filename> instead of mailed

# or displayed.

#Save = /tmp/logwatch

# Use archives? If set to 'Yes', the archives of logfiles

# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will

# be searched in addition to the /var/log/messages file.

# This usually will not do much if your range is set to just

# 'Yesterday' or 'Today'... it is probably best used with

# Archives = Yes

# Range = All

# The default time range for the report...

# The current choices are All, Today, Yesterday

Range = yesterday

# The default detail level for the report.

# This can either be Low, Med, High or a number.

# Low = 0

# Med = 5

# High = 10

Detail = Med

# The 'Service' option expects either the name of a filter

# (in /etc/log.d/scripts/services/*) or 'All'.

# The default service(s) to report on. This should be left as All for

# most people.

Service = All

# You can also disable certain services (when specifying all)

#Service = -zz-fortune

# If you only cared about FTP messages, you could use these 2 lines

# instead of the above:

#Service = ftpd-messages # Processes ftpd messages in /var/log/messages

#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog

# Maybe you only wanted reports on PAM messages, then you would use:

#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit

#Service = pam # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option. This will cause

# logwatch to only analyze that one logfile.. for example:

#LogFile = messages

# will process /var/log/messages. This will run all the filters that

# process that logfile. This option is probably not too useful to

# most people. Setting 'Service' to 'All' above analyizes all LogFiles

# anyways...

#

# some systems have different locations for mailers

#

mailer = /usr/bin/mail

#

# With this option set to 'Yes', only log entries for this particular host

# (as returned by 'hostname' command) will be processed. The hostname

# can also be overridden on the commandline (with --hostname option). This

# can allow a log host to process only its own logs, or Logwatch can be

# run once per host included in the logfiles.

#

# The default is to report on all log entries, regardless of its source host.

# Note that some logfiles do not include host information and will not be

# influenced by this setting.

#

#HostLimit = Yes

Email Notifications With Logwatch

Logwatch is a slick Perl script that bundles up logfile reports and emails them to you. Debian users can install it by running apt-get install logwatch. Debian puts the configuration files in /etc/logwatch. The RPM puts them in /etc/log.d. Of course you may also install from sources. Be sure to consult the README for installation.

To make it go, first find logwatch.conf. You'll need to make a few tweaks. Set the "MailTo" directive to your desired email address, or local account. For local mail, most Linux systems still come with venerable old "mail", which works just fine:

MailTo = carla
mailer = /usr/bin/mail

Of course you may use any mailer you wish.

To make Logwatch send you daily reports, set the time range to "Today":

Range = Today

Other choices are "All" and "Yesterday." Now set your desired detail level for your reports:

Detail = High

Save your changes, and run Logwatch to send you a report:

# logwatch

The whole idea is to have Logwatch work without you having to exert yourself, so now you have to edit /etc/crontab to run Logwatch at your desired intervals. This runs it daily at 1am:

# m h dom mon dow user command
0 1 * * * root /usr/sbin/logwatch

Stop logwatch reporting on a particular service on CentOS

May 3, 2008 | www.electrictoolbox.com

logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.

The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.

To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:

/etc/logwatch/conf/logwatch.conf

and add the following to the end of it to pevent log analysis of sendmail:

Service = "-sendmail"

or postfix:

Service = "-postfix"

The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:

/etc/cron.daily/0logwatch

You do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.

login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.

Recommended Links

Softpanorama Recommended

Top articles

Sites

• Logwatch - Browse Files at SourceForge.net
• Logwatch - Community Ubuntu Documentation
• Logwatch - ArchWiki
• How to monitor server log files with Logwatch on Debian and Ubuntu
• Use Logwatch to make log watching a little easier | TechRepublic

Reference

logwatch - Linux man page

logwatch - system log analyzer and reporter

SYNOPSIS

logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ]

[--Print] [--mailto address ] [--archives] [--range range ] [--debug level ] [--save file-name ]

[--logdir directory ] [--hostname hostname ] [--help|--usage]

DESCRIPTION

LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems.

OPTIONS

--detail level

This is the detail level of the report. level can be high, med, low.

--logfile log-file-group

This will force LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...). LogWatch will there- fore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups.

--service service-name

This will force LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.