Logwatch

Written by Robert

Logwatch is a very nice tool for getting periodic information about your system. It generates a readable summary of things like commands run by cron, kernel errors, smb access, ssh logins, sudo use and so on.

For this to work, install logwatch with your distro's package manager.

After installation, you can alter the configuration using your favorite editor:

vim /usr/share/logwatch/default.conf/logwatch.conf

Here is a simplified logwatch.conf:

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

# Default person to mail reports to.  
MailTo = email@address.com
# Default person to mail reports from.  
MailFrom = Logwatch_servername

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print =

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Med

# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.

# By default we assume that all Unix systems have sendmail or a sendmail-like system.
# The mailer code Prints a header with To: From: and Subject:.
mailer = "sendmail -t"

After setting this up, you will get daily e-mails from logwatch. Here is an example of a logwatch-generated e-mail using the config above.

 ################### Logwatch 7.3.6 (05/19/07) #################### 
        Processing Initiated: Sat Mar  3 07:40:03 2018
        Date Range Processed: yesterday
                              ( 2018-Mar-02 )
                              Period is day.
      Detail Level of Output: 5
              Type of Output: unformatted
           Logfiles for Host: servername
  ################################################################## 
 --------------------- Cron Begin ------------------------ 
 Commands Run:
    User root:
       /usr/local/bin/backup: 1 Time(s)
 ---------------------- Cron End ------------------------- 
 --------------------- Kernel Begin ------------------------ 
 ---------------------- Kernel End ------------------------- 
 --------------------- pam_unix Begin ------------------------ 
 sshd:
    Sessions Opened:
       robert: 3 Time(s)
 ---------------------- pam_unix End ------------------------- 
 --------------------- samba Begin ------------------------ 
 Opened Sessions:
    Service data as user:
       asdf       from host 1234 (192.168.1.2)  : 
                1 Time(s)
 ---------------------- samba End ------------------------- 
 --------------------- SSHD Begin ------------------------ 
 Users logging in through sshd:
    robert:
       192.168.1.2: 2 times
 ---------------------- SSHD End ------------------------- 
 --------------------- Sudo (secure-log) Begin ------------------------ 
 ==============================================================================
 robert => root
 ------------
 /bin/bash - 3 Times.
 ---------------------- Sudo (secure-log) End ------------------------- 
 --------------------- Disk Space Begin ------------------------ 
 Filesystem      Size  Used Avail Use% Mounted on
 /dev/sda3       530G   13G  491G   3% /
 /dev/sda1       976M  145M  781M  16% /boot
 ---------------------- Disk Space End ------------------------- 
 ###################### Logwatch End ######################### 
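As an added example that is not part of the original page, the script below parses the "X Begin ... X End" section layout of a report like the one above and flags ssh logins that did not come from the expected subnet. The report excerpt, the user names, the addresses and the 192.168.1. prefix are all constructed for the example.

```python
import re
# Constructed Logwatch excerpt in the format of the e-mail shown above
# (invented users, hosts and counts; not the page's own report).
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------ 
 Users logging in through sshd:
    robert:
       192.168.1.2: 2 times
       203.0.113.7: 1 time
    deploy:
       192.168.1.9: 4 times
 ---------------------- SSHD End ------------------------- 
"""

SECTION_RE = re.compile(r"^\s*-+ (.+?) (Begin|End) -+\s*$")
USER_RE = re.compile(r"^\s+(\S+):\s*$")                 # "    robert:"
SOURCE_RE = re.compile(r"^\s+(\S+): (\d+) times?\s*$")  # "       ip: N times"

def split_sections(report):
    """Map each 'X Begin ... X End' block name to its body lines."""
    sections, name = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group(2) == "Begin":
            name = m.group(1)
            sections[name] = []
        elif m:                      # "X End": close the current block
            name = None
        elif name is not None:
            sections[name].append(line)
    return sections

def sshd_logins(lines):
    """Return {user: {source: count}} from the SSHD section body."""
    logins, user = {}, None
    for line in lines:
        if m := USER_RE.match(line):
            user = m.group(1)
            logins.setdefault(user, {})
        elif (m := SOURCE_RE.match(line)) and user:
            logins[user][m.group(1)] = int(m.group(2))
    return logins

def unexpected_sources(logins, allowed_prefix="192.168.1."):
    """Flag (user, source, count) for logins from outside the expected subnet."""
    return [(u, src, n) for u, srcs in logins.items()
            for src, n in srcs.items() if not src.startswith(allowed_prefix)]

if __name__ == "__main__":
    sshd = sshd_logins(split_sections(SAMPLE_REPORT)["SSHD"])
    print(unexpected_sources(sshd))  # [('robert', '203.0.113.7', 1)]
```

Pointing it at the saved body of a real report (Print = Yes, or the mail text) gives a quick check of which logins deserve a second look.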