|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix |
|
The value of logs is proportionate to the amount of review they get, so the
more often they are reviewed, the more likely it is that critical security events
will be noticed. But no one can review logs for very long without their eyes
glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch. Scott Sidel in Logwatch Taking the pain out of log analysis |
Logwatch is a customizable log analyzer written in Perl. Logwatch parses syslog logs for a given period of time and creates a report for specified daemons or applications.
The current version (as of Jan 2015) is 7.4.2 (Logwatch branches). Logwatch is not a single script, but a set of Perl scripts and filters. RPM packages are available for both RHEL and SLES, but they are not installed by default.
The architecture is somewhat similar to /etc/inet.d and uses the idea "one script per service" to pickup relevant messages from a particular service. Relevant script is specified in invocation, for example
logwatch --service kernel
Filtering logic is directly encoded in each Perl script (one script per daemon) . Which is not a bad idea for those who know Perl really well. No so great for everybody else: for them the program is by-and-large a blackbox.
Scripts for each service are stored in /usr/share/logwatch/scripts/services directory. In the current version there are about hundred of them (91 in RHEL 6.5, 92 in SLES 11, SP3). That creates a real maintenance problem as some of them were never updated from 2007 and now are definitely outdated.
In loading "service script" logwatch first tries /etc/logwatch tree (the tree for locally customized scripts) and then /usr/share/logwatch tree (the default tree that comes with the distribution). So you can copy and modify any service script to /etc/logwatch without destroying the "default" version stored in /usr/share/logwatch tree.
In loading "service script" logwatch first tries /etc/logwatch tree (the tree for locally customized scripts) and then /usr/share/logwatch tree (the default tree that comes with the distribution). So you can copy and modify any service script to /etc/logwatch without destroying the "default" version stored in /usr/share/logwatch tree. |
The program is abandonware and most scripts are outdated. Maintenance efforts are very limited as you can see from SourceForge logs. For example, the critical /usr/share/logwatch/scripts/services/kernel script was last updated in 2006 or seven years ago (this page was written in March 2013):
3 # $Id: kernel,v 1.33 2006/01/16 18:40:31 kirk Exp $
Documentation is so-so, although this is a standard level for most software packages ;-). At least it does exist.
Logwatch can either be used at the command-line to generate on-the-fly reports, or via cron to regularly create and possibly mail to you custom reports. You can specify, how much details are written in the report.
|
You basically tell logwatch for which service, time span and to which detail level to generate a report.
The first parameter to specify is service. If you want all services specify. For example:
logwatch --service All
If it is not specified the the value form active configuration file is used (All is default value)
For example to get a detailed report on all kernel messages from yesterday you can run the following command:
logwatch --service kernel --detail High --range Yesterday --print
The most difficult part is specifying timespan, which should be given as a parameter to the option --range . In the example above it is simply Yesterday . Other options are pretty transparent:
--range range This option is the most complex and provides timespan specification (see below). The most common values are Yesterday, Today and All.
Timespan specification is pretty complex. The default is "for that day". At the beginning you can limit yourself to three typical cases:
Non-standard, but well-supported Perl module Date::Manip is used. It provides pretty flexible means of specifying dates including two common keywords:
yesterday today
All date specified in logwatch time specification like between should have values that can be parsed by Perl Date::Manip module. The latter was written by Sullivan Beck and is documented on Cspan.
The format of the range option is:
--range "date_range [period]"Both parameter date_range and optional period must be enclosed in quotes if it is more than one word. The default for date_range is "yesterday" but it can be changes in configuration file. Here are examples of valid date_range specifications:
all between date1 and date2 since date1
Valid instances of the optional parameter period have one of the following formats:
for (that|this) (year|month|day|hour|minute|second) for those (years|months|days|hours|minutes|seconds)
More examples:
--range today --range yesterday --range '4 hours ago for that hour' --range '-3 days' --range 'since 2 hours ago for those hours' --range 'between -10 days and -2 days' --range 'Apr 15, 2005' --range 'first Monday in May' --range 'between 4/23/2005 and 4/30/2005' --range '2005/05/03 10:24:17 for that second'(The last entry might be used by someone debugging a log or filter.)
A caution about efficiency: a range of "yesterday for those hours" will search for log entries for the last 24 hours, and is inefficient because it searches for individual matches for each hour. A range of "yesterday" will search for log entries for the previous day, and it searches for a single date match.
logwatch --service kernel --detail High --range Yesterday --print
logwatch --service kernel --detail High --range 'since March 1, 2013' --print
logwatch --service sshd --detail Low --range All --archives --print
logwatch --service smartd --range 'between 5/3/2013 and 5/3/2013' \ --mailto root@localhost --print
The --range option has got a complex syntaxsee logwatch --range help for details. A list of all services that can be queried is available with the following command:
ls /usr/share/logwatch/default.conf/services/ | sed 's/\.conf//g'
As this is a log analyzer and logs are pretty idiosyncratic and depend not only on flavor of Linux (REHEL/SLES/Debian, etc) but also on set of installed applications, logwatch can and should be customized. The configuration files for logwatch on RHEL/CentOS/SLES are stored at the directory /etc/logwatch. By default the following three files are present
./conf/override.conf ./conf/logwatch.conf ./conf/ignore.conf
You can also create as many custom configuration as you wish in /etc/logwatch/conf/ using the default configuration file as a template.
A detailed HOWTO on customizing logwatch is available at HOWTO-Customize-LogWatch.
The most important configuration file is logwatch.conf which is the main configuration file. The default version is extensively commented. It can be configured to email the generated report and actually have several settings specifically designed for central loghost environment (multimail, etc). That suggests that the initial design goal was to simplify working with a large central loghost.
Each configuration option can be overwritten from the command line. If you change the file itself please make a backup. Please understand that you need to have a backup copy of your custom files as they can be overwritten with the update to a new version of logwatch
There are several additional directories too:
The directory /usr/share/*/logwatch contains several files with additional documentation: HOWTO-Customize-LogWatch Documents the directory structure of Logwatch configuration and executable files, and describes how to customize Logwatch by overriding these default files. |
This section describes the subdirectories and files shipped with the Logwatch distribution, using the names and locations used by default.
The directory /usr/share/logwatch contains both the configuration and (perl) executable files. The contents of this directory are the following subdirectories:default.conf: Contains the default configuration files shipped with the Logwatch distribution dist.conf: Contains the configuration files shipped with your specific Operating Systems distribution. lib: Contains perl library files. scripts: Contains the perl executables.The /etc/logwatch directory contains the localization subdirectories:
The three directories /usr/share/logwatch/default.conf, /usr/share/logwatch/dist.conf, and /etc/logwatch/conf, all have the same structure:
The /etc/logwatch/conf directory may also contain the file 'override.conf', which is described in section 4, "Customizing the Configuration."
During installation Logwatch modify the default configuration according tot he distribution it encounter, if it knows it. Therefore, you generally can start using Logwatch "as is".
You can customize the output of logwatch by modifying variables in the /etc/logwatch/conf directory.
Default values are specified in the /usr/share/logwatch/default.conf directory. Your distribution may have set additional defaults in the /usr/share/logwatch/dist.conf directory. All the variables available are declared in the files under these directories. You can change the default values to modify how or what is displayed with logwatch. One variable available to all services, and which by default is not specified, is the 'Detail' variable (note that it is not preceded by a '$' symbol). Specifying a Detail value will override the global Detail level, for that service only.
There are two mechanisms for customizing the variables:
For example, if file /etc/logwatch/conf/services/sendmail.conf has the single entry:
$sendmail_unknownusersthreshold = 5then the threshold for unknown users is set to five instead of the default of one. All other parameters are not modified.
The configuration files have four different types of declarations, determined by the first character in each line:
'#': Rest of line is a comment, and is ignored. '$': Rest of first field is a variable '*': Denotes the name of an executable scriptOther than blank lines, the only other declarations are reserved variable names, such as LogFile, Archive, etc.
In general, setting a variable overrides any value previously set. However, the following variables are cumulative:
If an executable script is declared in an /etc/logwatch/conf file, all of the executable script declarations in the corresponding file in /usr/share/logwatch/default.conf or /usr/share/logwatch/dist.conf are ignored.
Because of the way variables and executable scripts are declared, the files in /etc/logwatch/conf/ can be created in one of two ways:
logwatch: Detail = Highthen the default detail level for all services will be set to High.
And, in file override.conf, the following declaration:
logfiles/messages: LogFile = syslogwill analyze the syslog file (in addition to the default messages file) for certain services. But the following two declarations combined:
logfiles/messages: LogFile = logfiles/messages: LogFile = syslog
will cause the messages file to be ignored for those same services, and only the syslog file will be used.
To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:
/etc/logwatch/conf/logwatch.conf
and add the following to the end of it to pevent log analysis of sendmail:
Service = "-sendmail"
or postfix:
Service = "-postfix"
The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:
/etc/cron.daily/0logwatch
Similarly to the way you can customize the configuration, as specified in section 4, you can override the default executable scripts.
This is accomplished by placing an executable file with the same name and relative path (with respect to /usr/share/logwatch/scripts) under the /etc/logwatch/scripts directory. If such a file is found in the /etc/logwatch/scripts directory, the corresponding file under /usr/share/logwatch/scripts will be ignored.
New services may be created by creating new configuration and executable files, described above, and placing them in the /etc/logwatch directory. This section provides additional details and examples for creating new service filters, but it might be easier to base the new files on the existing configuration and script files under the /usr/share/logwatch directory.
# This will be the logfile named 'messages' in the default logfile # directory (probably /var/log). LogFile = messages# You can also give this command with an absolute path, like this: LogFile = /var/log/messages
You can have as many LogFile entries as you wish. All the files specified will be merged into one input stream for any filters that use this logfile group. You can also use standard wildcards when you specify the filename.
Another command that is optional is called 'Archive'. You can specify a file to also include in the data stream if the '--archives' option is used. If these files do not exist it is okay. For example:
# These 2 'Archive' entries will allow users of most Red Hat Linux # systems to access their archives of the 'messages' logfile: Archive = messages.? # If they configure Compression to be on in /etc/logrotate.conf: Archive = messages.?.gz # It is best just to include both of these so that the logfile group # will work for most systems.Now, the general theory is that the LogFile Group should apply the date range requested. If the logfile is in the standard syslog format, you can use the shared script 'ApplyStdDate' to filter out only the appropriate log entries. The way to call shared scripts (located under /usr/share/logwatch/scripts/shared) is:
*ApplyStdDate =Anything following the equal sign will be passed to the program as arguments (the equal sign can be eliminated if no arguments are needed). You should look at the current logfile group config files for examples.
Finally, if the directory /usr/share/logwatch/scripts/logfiles exists, any scripts in that directory will be executed. All of these scripts take the contents of all the specified logfiles in through STDIN and output the modified logfile trought STDOUT.
Once you have defined one or more logfile groups (or decided on one or more existing logfile groups), you need to define your service filter.
This file needs to be in /etc/logwatch/conf/services/ and it needs to be named service_name.conf, where service_name is the name of the service. You should probably copy an existing config for another service to create a new one.
There is only one required line. This is the command 'LogFile'. The LogFile command allows you to specify one or more *LogFile Groups* (as described above) that this filter will process. Remember, any filter can process any number of LogFile Groups, and any LogFile Group may contain the data from any number of logfiles (and archives).For a service filter that needs messages from /var/log/messages you would add this line:
LogFile =NOTE: This is *not* because the name of the logfile is 'messages', but it is because the name of the LogFile Group that has been defined is 'messages'. You can have commands in the form of:
*SharedScriptName = Argumentsthat will execute a script found in the
/usr/share/logwatch/scripts/shared/directory named 'SharedScriptName' with arguments 'Arguments'. This filter will modify the input to the service's filter.
You can also have commands in the form:
$EnvironmentVariable = ValueThis command will set the 'EnvironmentVariable' environment variable to the value 'Value'. This environment variable will be accessible by your filter program.
You will also usually want to specify a title for your script (new in Logwatch 4.0). If specified, then a start and stop delimiter will be added by Logwatch for your specific service (with your script's output between those delimiters). This will *only* happen if you produce output. If you produce no output, the headers will not be created. Here is how you define your title:
Title = "My Service Title"
Once everything above has been done, you are ready to actually write your filter. This can be done in any language as all it does is:
###################### Cut Here ######################### #!/bin/bash # This is as nice script that will show you the lines you will # be processing and reporting on. It will first display the # standard environment variables and then it takes STDIN and # dump it right back out to STDOUT. # These are the standard environment variables. You can define # more in your service config file (see above). echo "Date Range: $LOGWATCH_DATE_RANGE" echo "Detail Level: $LOGWATCH_DETAIL_LEVEL" echo "Temp Dir: $LOGWATCH_TEMP_DIR" echo "Debug Level: $LOGWATCH_DEBUG" # Now take STDIN and dump it to STDOUT cat ###################### Cut Here #########################If you temporarily replace a script such as 'pam' with the above, you will notice that much has been cut out of /var/log/messages before it gets to this filter.
The value of the environment variable LOGWATCH_DETAIL_LEVEL can be any integer. In reality, it is usually 0 (for low), 5 (for medium), and 10 (for high).
Your script should only produce output as appropriate. If there are no relevant log entries, no output should be produced. Likewise, if you are reporting two things, such as "Good Logins" and "Bad Logins", you should only produce even the headers when appropriate. For example:
Bad Logins: amber (2 time(s)) kirk (3 time(s)) Good Logins: amber (5 time(s)) kirk (10 time(s)) But, if no failed logins occur, you should only output: Good Logins: amber (5 time(s)) kirk (10 time(s))Note that there is no "Bad Logins:" header as there were no bad logins. You should also use the detail environment variable when deciding what to output. Bad logins might always be displayed, but good logins might only be displayed at higher detail levels. Here is a guide on how you should use the detail setting:
0 (Low): Display only errors and security-related issues 5 (Med): Display anything that a typical administator would be interested in 10 (High): Display anything that a paranoid administrator would want to seeIn some cases, you can use a security setting higher than 10. This would be reserved for information so trivial that it would not even interest the US Government.
In most cases (RHEL/CentOS/SLES) logwatch is not installed by default, but RPM package is available from DVD and repositories. This is a pretty big package that supplied a set of "default configurations" in the directory /usr/share/logwatch/default.conf from which you can create your own:
[0]root@UNDER_CONSTRUCTION: # rpm -ql logwatch /etc/cron.d/dmeventd /etc/cron.daily/0logwatch /etc/logwatch /etc/logwatch/conf /etc/logwatch/conf/ignore.conf /etc/logwatch/conf/logfiles /etc/logwatch/conf/logwatch.conf /etc/logwatch/conf/override.conf /etc/logwatch/conf/services /etc/logwatch/scripts /usr/sbin/logwatch /usr/share/doc/packages/logwatch /usr/share/doc/packages/logwatch/CHANGES /usr/share/doc/packages/logwatch/HOWTO-Customize-LogWatch /usr/share/doc/packages/logwatch/License /usr/share/doc/packages/logwatch/README /usr/share/doc/packages/logwatch/USEDFORBUILD.bz2 /usr/share/logwatch /usr/share/logwatch/default.conf /usr/share/logwatch/default.conf/html /usr/share/logwatch/default.conf/html/footer.html /usr/share/logwatch/default.conf/html/header.html /usr/share/logwatch/default.conf/ignore.conf /usr/share/logwatch/default.conf/logfiles /usr/share/logwatch/default.conf/logfiles/autorpm.conf /usr/share/logwatch/default.conf/logfiles/bfd.conf /usr/share/logwatch/default.conf/logfiles/cisco.conf /usr/share/logwatch/default.conf/logfiles/clam-update.conf /usr/share/logwatch/default.conf/logfiles/cron.conf /usr/share/logwatch/default.conf/logfiles/daemon.conf /usr/share/logwatch/default.conf/logfiles/denyhosts.conf /usr/share/logwatch/default.conf/logfiles/dnssec.conf /usr/share/logwatch/default.conf/logfiles/dpkg.conf /usr/share/logwatch/default.conf/logfiles/emerge.conf /usr/share/logwatch/default.conf/logfiles/eventlog.conf /usr/share/logwatch/default.conf/logfiles/exim.conf /usr/share/logwatch/default.conf/logfiles/extreme-networks.conf /usr/share/logwatch/default.conf/logfiles/fail2ban.conf /usr/share/logwatch/default.conf/logfiles/http.conf /usr/share/logwatch/default.conf/logfiles/iptables.conf /usr/share/logwatch/default.conf/logfiles/kernel.conf /usr/share/logwatch/default.conf/logfiles/maillog.conf /usr/share/logwatch/default.conf/logfiles/messages.conf /usr/share/logwatch/default.conf/logfiles/netopia.conf /usr/share/logwatch/default.conf/logfiles/netscreen.conf /usr/share/logwatch/default.conf/logfiles/php.conf /usr/share/logwatch/default.conf/logfiles/pix.conf /usr/share/logwatch/default.conf/logfiles/pureftp.conf /usr/share/logwatch/default.conf/logfiles/qmail-pop3d-current.conf /usr/share/logwatch/default.conf/logfiles/qmail-pop3ds-current.conf /usr/share/logwatch/default.conf/logfiles/qmail-send-current.conf /usr/share/logwatch/default.conf/logfiles/qmail-smtpd-current.conf /usr/share/logwatch/default.conf/logfiles/resolver.conf /usr/share/logwatch/default.conf/logfiles/rt314.conf /usr/share/logwatch/default.conf/logfiles/samba.conf /usr/share/logwatch/default.conf/logfiles/secure.conf /usr/share/logwatch/default.conf/logfiles/sonicwall.conf /usr/share/logwatch/default.conf/logfiles/syslog.conf /usr/share/logwatch/default.conf/logfiles/tac_acc.conf /usr/share/logwatch/default.conf/logfiles/up2date.conf /usr/share/logwatch/default.conf/logfiles/vsftpd.conf /usr/share/logwatch/default.conf/logfiles/windows.conf /usr/share/logwatch/default.conf/logfiles/xferlog.conf /usr/share/logwatch/default.conf/logfiles/yum.conf /usr/share/logwatch/default.conf/logwatch.conf /usr/share/logwatch/default.conf/services /usr/share/logwatch/default.conf/services/afpd.conf /usr/share/logwatch/default.conf/services/amavis.conf /usr/share/logwatch/default.conf/services/arpwatch.conf /usr/share/logwatch/default.conf/services/audit.conf /usr/share/logwatch/default.conf/services/automount.conf /usr/share/logwatch/default.conf/services/autorpm.conf /usr/share/logwatch/default.conf/services/bfd.conf /usr/share/logwatch/default.conf/services/cisco.conf /usr/share/logwatch/default.conf/services/clam-update.conf /usr/share/logwatch/default.conf/services/clamav-milter.conf /usr/share/logwatch/default.conf/services/clamav.conf /usr/share/logwatch/default.conf/services/courier.conf /usr/share/logwatch/default.conf/services/cron.conf /usr/share/logwatch/default.conf/services/denyhosts.conf /usr/share/logwatch/default.conf/services/dhcpd.conf /usr/share/logwatch/default.conf/services/dmeventd.conf /usr/share/logwatch/default.conf/services/dnssec.conf /usr/share/logwatch/default.conf/services/dovecot.conf /usr/share/logwatch/default.conf/services/dpkg.conf /usr/share/logwatch/default.conf/services/emerge.conf /usr/share/logwatch/default.conf/services/evtapplication.conf /usr/share/logwatch/default.conf/services/evtsecurity.conf /usr/share/logwatch/default.conf/services/evtsystem.conf /usr/share/logwatch/default.conf/services/exim.conf /usr/share/logwatch/default.conf/services/eximstats.conf /usr/share/logwatch/default.conf/services/extreme-networks.conf /usr/share/logwatch/default.conf/services/fail2ban.conf /usr/share/logwatch/default.conf/services/ftpd-messages.conf /usr/share/logwatch/default.conf/services/ftpd-xferlog.conf /usr/share/logwatch/default.conf/services/http.conf /usr/share/logwatch/default.conf/services/identd.conf /usr/share/logwatch/default.conf/services/imapd.conf /usr/share/logwatch/default.conf/services/in.qpopper.conf /usr/share/logwatch/default.conf/services/init.conf /usr/share/logwatch/default.conf/services/ipop3d.conf /usr/share/logwatch/default.conf/services/iptables.conf /usr/share/logwatch/default.conf/services/kernel.conf /usr/share/logwatch/default.conf/services/mailscanner.conf /usr/share/logwatch/default.conf/services/modprobe.conf /usr/share/logwatch/default.conf/services/mountd.conf /usr/share/logwatch/default.conf/services/named.conf /usr/share/logwatch/default.conf/services/netopia.conf /usr/share/logwatch/default.conf/services/netscreen.conf /usr/share/logwatch/default.conf/services/oidentd.conf /usr/share/logwatch/default.conf/services/openvpn.conf /usr/share/logwatch/default.conf/services/pam.conf /usr/share/logwatch/default.conf/services/pam_pwdb.conf /usr/share/logwatch/default.conf/services/pam_unix.conf /usr/share/logwatch/default.conf/services/php.conf /usr/share/logwatch/default.conf/services/pix.conf /usr/share/logwatch/default.conf/services/pluto.conf /usr/share/logwatch/default.conf/services/pop3.conf /usr/share/logwatch/default.conf/services/portsentry.conf /usr/share/logwatch/default.conf/services/postfix.conf /usr/share/logwatch/default.conf/services/pound.conf /usr/share/logwatch/default.conf/services/proftpd-messages.conf /usr/share/logwatch/default.conf/services/pureftpd.conf /usr/share/logwatch/default.conf/services/qmail-pop3d.conf /usr/share/logwatch/default.conf/services/qmail-pop3ds.conf /usr/share/logwatch/default.conf/services/qmail-send.conf /usr/share/logwatch/default.conf/services/qmail-smtpd.conf /usr/share/logwatch/default.conf/services/qmail.conf /usr/share/logwatch/default.conf/services/raid.conf /usr/share/logwatch/default.conf/services/resolver.conf /usr/share/logwatch/default.conf/services/rt314.conf /usr/share/logwatch/default.conf/services/samba.conf /usr/share/logwatch/default.conf/services/saslauthd.conf /usr/share/logwatch/default.conf/services/scsi.conf /usr/share/logwatch/default.conf/services/secure.conf /usr/share/logwatch/default.conf/services/sendmail-largeboxes.conf /usr/share/logwatch/default.conf/services/sendmail.conf /usr/share/logwatch/default.conf/services/shaperd.conf /usr/share/logwatch/default.conf/services/slon.conf /usr/share/logwatch/default.conf/services/smartd.conf /usr/share/logwatch/default.conf/services/sonicwall.conf /usr/share/logwatch/default.conf/services/sshd.conf /usr/share/logwatch/default.conf/services/sshd2.conf /usr/share/logwatch/default.conf/services/stunnel.conf /usr/share/logwatch/default.conf/services/sudo.conf /usr/share/logwatch/default.conf/services/syslogd.conf /usr/share/logwatch/default.conf/services/tac_acc.conf /usr/share/logwatch/default.conf/services/up2date.conf /usr/share/logwatch/default.conf/services/vpopmail.conf /usr/share/logwatch/default.conf/services/vsftpd.conf /usr/share/logwatch/default.conf/services/windows.conf /usr/share/logwatch/default.conf/services/xntpd.conf /usr/share/logwatch/default.conf/services/yum.conf /usr/share/logwatch/default.conf/services/zz-disk_space.conf /usr/share/logwatch/default.conf/services/zz-fortune.conf /usr/share/logwatch/default.conf/services/zz-network.conf /usr/share/logwatch/default.conf/services/zz-runtime.conf /usr/share/logwatch/default.conf/services/zz-sys.conf /usr/share/logwatch/dist.conf /usr/share/logwatch/dist.conf/logfiles /usr/share/logwatch/dist.conf/services /usr/share/logwatch/lib /usr/share/logwatch/lib/Logwatch.pm /usr/share/logwatch/scripts /usr/share/logwatch/scripts/logfiles /usr/share/logwatch/scripts/logfiles/autorpm /usr/share/logwatch/scripts/logfiles/autorpm/applydate /usr/share/logwatch/scripts/logfiles/cron /usr/share/logwatch/scripts/logfiles/cron/applydate /usr/share/logwatch/scripts/logfiles/emerge /usr/share/logwatch/scripts/logfiles/emerge/applydate /usr/share/logwatch/scripts/logfiles/samba /usr/share/logwatch/scripts/logfiles/samba/applydate /usr/share/logwatch/scripts/logfiles/samba/removeheaders /usr/share/logwatch/scripts/logfiles/up2date /usr/share/logwatch/scripts/logfiles/up2date/applydate /usr/share/logwatch/scripts/logfiles/up2date/removeheaders /usr/share/logwatch/scripts/logfiles/xferlog /usr/share/logwatch/scripts/logfiles/xferlog/applydate /usr/share/logwatch/scripts/logfiles/xferlog/removeheaders /usr/share/logwatch/scripts/logfiles/yum /usr/share/logwatch/scripts/logfiles/yum/applydate /usr/share/logwatch/scripts/logwatch.pl /usr/share/logwatch/scripts/services /usr/share/logwatch/scripts/services/afpd /usr/share/logwatch/scripts/services/amavis /usr/share/logwatch/scripts/services/arpwatch /usr/share/logwatch/scripts/services/audit /usr/share/logwatch/scripts/services/automount /usr/share/logwatch/scripts/services/autorpm /usr/share/logwatch/scripts/services/bfd /usr/share/logwatch/scripts/services/cisco /usr/share/logwatch/scripts/services/clam-update /usr/share/logwatch/scripts/services/clamav /usr/share/logwatch/scripts/services/clamav-milter /usr/share/logwatch/scripts/services/courier /usr/share/logwatch/scripts/services/cron /usr/share/logwatch/scripts/services/denyhosts /usr/share/logwatch/scripts/services/dhcpd /usr/share/logwatch/scripts/services/dmeventd /usr/share/logwatch/scripts/services/dnssec /usr/share/logwatch/scripts/services/dovecot /usr/share/logwatch/scripts/services/dpkg /usr/share/logwatch/scripts/services/emerge /usr/share/logwatch/scripts/services/evtapplication /usr/share/logwatch/scripts/services/evtsecurity /usr/share/logwatch/scripts/services/evtsystem /usr/share/logwatch/scripts/services/exim /usr/share/logwatch/scripts/services/eximstats /usr/share/logwatch/scripts/services/extreme-networks /usr/share/logwatch/scripts/services/fail2ban /usr/share/logwatch/scripts/services/ftpd-messages /usr/share/logwatch/scripts/services/ftpd-xferlog /usr/share/logwatch/scripts/services/http /usr/share/logwatch/scripts/services/identd /usr/share/logwatch/scripts/services/imapd /usr/share/logwatch/scripts/services/in.qpopper /usr/share/logwatch/scripts/services/init /usr/share/logwatch/scripts/services/ipop3d /usr/share/logwatch/scripts/services/iptables /usr/share/logwatch/scripts/services/kernel /usr/share/logwatch/scripts/services/mailscanner /usr/share/logwatch/scripts/services/modprobe /usr/share/logwatch/scripts/services/mountd /usr/share/logwatch/scripts/services/named /usr/share/logwatch/scripts/services/netopia /usr/share/logwatch/scripts/services/netscreen /usr/share/logwatch/scripts/services/oidentd /usr/share/logwatch/scripts/services/openvpn /usr/share/logwatch/scripts/services/pam /usr/share/logwatch/scripts/services/pam_pwdb /usr/share/logwatch/scripts/services/pam_unix /usr/share/logwatch/scripts/services/php /usr/share/logwatch/scripts/services/pix /usr/share/logwatch/scripts/services/pluto /usr/share/logwatch/scripts/services/pop3 /usr/share/logwatch/scripts/services/portsentry /usr/share/logwatch/scripts/services/postfix /usr/share/logwatch/scripts/services/pound /usr/share/logwatch/scripts/services/proftpd-messages /usr/share/logwatch/scripts/services/pureftpd /usr/share/logwatch/scripts/services/qmail /usr/share/logwatch/scripts/services/qmail-pop3d /usr/share/logwatch/scripts/services/qmail-pop3ds /usr/share/logwatch/scripts/services/qmail-send /usr/share/logwatch/scripts/services/qmail-smtpd /usr/share/logwatch/scripts/services/raid /usr/share/logwatch/scripts/services/resolver /usr/share/logwatch/scripts/services/rt314 /usr/share/logwatch/scripts/services/samba /usr/share/logwatch/scripts/services/saslauthd /usr/share/logwatch/scripts/services/scsi /usr/share/logwatch/scripts/services/secure /usr/share/logwatch/scripts/services/sendmail /usr/share/logwatch/scripts/services/sendmail-largeboxes /usr/share/logwatch/scripts/services/shaperd /usr/share/logwatch/scripts/services/slon /usr/share/logwatch/scripts/services/smartd /usr/share/logwatch/scripts/services/sonicwall /usr/share/logwatch/scripts/services/sshd /usr/share/logwatch/scripts/services/sshd2 /usr/share/logwatch/scripts/services/stunnel /usr/share/logwatch/scripts/services/sudo /usr/share/logwatch/scripts/services/syslogd /usr/share/logwatch/scripts/services/tac_acc /usr/share/logwatch/scripts/services/up2date /usr/share/logwatch/scripts/services/vpopmail /usr/share/logwatch/scripts/services/vsftpd /usr/share/logwatch/scripts/services/windows /usr/share/logwatch/scripts/services/xntpd /usr/share/logwatch/scripts/services/yum /usr/share/logwatch/scripts/services/zz-disk_space /usr/share/logwatch/scripts/services/zz-fortune /usr/share/logwatch/scripts/services/zz-network /usr/share/logwatch/scripts/services/zz-runtime /usr/share/logwatch/scripts/services/zz-sys /usr/share/logwatch/scripts/shared /usr/share/logwatch/scripts/shared/applybinddate /usr/share/logwatch/scripts/shared/applyeurodate /usr/share/logwatch/scripts/shared/applyhttpdate /usr/share/logwatch/scripts/shared/applystddate /usr/share/logwatch/scripts/shared/applytaidate /usr/share/logwatch/scripts/shared/applyusdate /usr/share/logwatch/scripts/shared/eventlogonlyservice /usr/share/logwatch/scripts/shared/eventlogremoveservice /usr/share/logwatch/scripts/shared/expandrepeats /usr/share/logwatch/scripts/shared/hosthash /usr/share/logwatch/scripts/shared/hostlist /usr/share/logwatch/scripts/shared/multiservice /usr/share/logwatch/scripts/shared/onlycontains /usr/share/logwatch/scripts/shared/onlyhost /usr/share/logwatch/scripts/shared/onlyservice /usr/share/logwatch/scripts/shared/remove /usr/share/logwatch/scripts/shared/removeheaders /usr/share/logwatch/scripts/shared/removeservice /usr/share/man/man8/logwatch.8.gz /var/cache/logwatch /var/cache/logwatch/timestamp.txt
Logwatch does not match system daemons with the chkconfig --list output. Thaqt leas to excessive and generally unnesessary processing for "fake" or not active daemons. For some reason cron include dmeventd in the standard package specifies invocation of logwatch each minute:
*/1 * * * * root /usr/sbin/logwatch --service dmeventd
This service is controlled by config file /usr/share/logwatch/default.conf/services/dmeventd.conf
Title = "Dmeventd Errors" LogFile = messages *OnlyService = dmeventd
Per minute invocation pollutes /var/log/messages among other things. I think this cron include should better be deleted from /etc/cron.d. Your mileage may vary.
The module itself (/usr/share/logwatch/scripts/services/dmeventd) is pretty primitive:
[0]root@basfimgw: # cat /usr/share/logwatch/scripts/services/dmeventd ######################################################################## # Copyright (C) 2007-2008, Intel Corp. All rights reserved. # # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ######################################################################## ######################################################## # dmeventd ######################################################## ######################################################## # This was written and is maintained by: # Brian Wood# # Please send all comments, suggestions, bug reports, # etc, to . ######################################################## # Set the location of the folder to store last time stamp # (This is used to record the last log sent out so repeats # are not mailed in error.) $Storage_file = "/var/cache/logwatch/timestamp.txt"; $count = 0; $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; if (-e $Storage_file) { open(FD, "+<", "$Storage_file") or die $!; seek(FD, 0, 0); read(FD, $prev_time, 8); } else { open(FD, ">", "$Storage_file") or die $!; $prev_time = ""; } while (defined($ThisLine = )) { #SAMPLE LOG DATA: Oct 15 01:14:33 dmraid-devhost dmeventd[24857]: Processing device "isw_febiihjha_Volume0" for events # All of the elements of the 'split()' aren't used, but could be if custom formating is desired. ($month, $day, $time, $hostname, $program, $message) = split(' ',$ThisLine, 6); chop($program); # Chop off the colon if ($prev_time eq "" || $time gt $prev_time) { # If this is the first run or the time is newer than that stored print log entry #print "$ThisLine"; if($ThisLine =~ /Processing Raid|End of|Monitoring device|No longer/ ) { $entries{$count} = "$month $day $time: $message"; } else { $entries{$count} = "$month $day $time: $message"; } $count++; #Keep a count of the number of new logs } } if ($count != 0) { print ("There were a total of $count new log entries\n\n"); print ("Date Message\n"); print ("------------------------\n"); $num = 0; while ($num < $count) { print ("$entries{$num}"); $num++; } } seek(FD, 0, 0); printf FD $time; close(FD); exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et
Logwatch generally ignores the time component in the output, that means, you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.
# logwatch --service kernel --detail Low --range 'since March 1, 2013' --print ################### Logwatch 7.3.6 (05/19/07) #################### Processing Initiated: Mon Apr 1 15:40:44 2013 Date Range Processed: since march 1, 2013 ( 2013-Feb-28 / 2013-Apr-01 ) Period is day. Detail Level of Output: 0 Type of Output: unformatted Logfiles for Host: mailserver ################################################################## --------------------- Kernel Begin ------------------------ WARNING: Kernel Errors Present [3029872.072498] ACPI Error: SMBus or IPMI w ...: 2 Time(s) [3029872.072504] ACPI Error (psparse-0537): ...: 2 Time(s) [3029876.331261] ACPI Error: SMBus or IPMI w ...: 2 Time(s) [3029876.331266] ACPI Error (psparse-0537): ...: 2 Time(s) ---------------------- Kernel End -------------------------
|
Switchboard | ||||
Latest | |||||
Past week | |||||
Past month |
This is what you are supposed to see in the config file. Find out the following in it:
MailTo = root change it to MailTo = [email protected]
Editing the second line is optional. It is used when you want a notification at mutiple mails.
The third line is to state that you will be receiving the mail from logwatch. After completing the above you would like to check the report range or the time in which you will receive reports.
Range = All
You might want to change it to Yesterday for reports of yesterday, Today for today's report of All for everyday report. The report that are available since the beginning will be sent.
The next options is the level of report you would like to send Low, Medium or High. After this you can also go ahead and add particular services you would like to have in your reports. By default all the services are sent in the reports but user can specify all those services by himself:
You can check the synopsis of logwatch:
logwatch [--detail level ] [--logfile log-file-group ] [--service serâ vice-name ] [--mailto address ] [--archives] [--range range ] [--debug level ] [--filename file-name ] [--logdir directory ] [--hostname hostâ name ] [--hostformat host based options ] [--output output-type ] [--format report format ] [--encode encoding to use ] [--numeric] [--version] [--help|--usage]
You can use this to use logwatch manually and skip all the above config.
logwatch --detail High --service http --mailto [email protected] --range all --logdirectory /var/cache/logwatch
The above is a custom command by a user for his own needs you my go ahead and check, what suits your needs.
Additional logwatch options
Usage information about Logwatch can be obtained through the man page:
man logwatch
The section titled "MORE INFORMATION" in the man page lists additional documentation files available with the distribution.
A summary of the command-line switches described in the man page can be obtained with the '--help' option:
logwatch --help
Linux Magazine
... ... ...
You can run logwatch with a specific date range. For example, if you want to see information about today's SSHD activity, you can run this command:
# logwatch --service sshd --range=TodayCheck root's mail to see the details of the report. Shown is the SSHD section of the report.
--------------------- SSHD Begin ------------------------ Illegal users from: 192.168.1.83: 12 times **Unmatched Entries** pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3 time(s) pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s) PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s) pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s) ---------------------- SSHD End -------------------------This is your default "Low" detail logwatch output report. For a more detailed report, try using detail=Medium. Check root's mail for the report.
# logwatch --service sshd --range=Today --detail=Medium --------------------- SSHD Begin ------------------------ Illegal users from: 192.168.1.83: 12 times bob/password: 6 times george/password: 3 times raphael/password: 3 times **Unmatched Entries** pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s) pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s) PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s) pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s) ---------------------- SSHD End -------------------------You can see that there's more detail in this report. You can try using the High parameter to squeeze more detail from logs.
# logwatch --service sshd --range=Today --detail=High --------------------- SSHD Begin ------------------------ Illegal users from: 192.168.1.83: 12 times bob/password: 6 times george/password: 3 times raphael/password: 3 times **Unmatched Entries** pam_succeed_if(sshd:auth): error retrieving information about user raphael : 3time(s) pam_succeed_if(sshd:auth): error retrieving information about user bob : 6 time(s) PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.83 : 4 time(s) pam_succeed_if(sshd:auth): error retrieving information about user george : 3 time(s) ---------------------- SSHD End -------------------------As you can see, the detail didn't change from Medium to High for SSHD. Alternatively, you can specify the detail level using numeric values using 0, 5 or 10, where 10 is the highest level of detail. Please note that you won't receive more detail than what's supplied in the logs.
For those of you, like me, who don't love command line mail, you can tell logwatch to save its report to a file.
# logwatch --service sshd --range=Today --detail=High --save=logwatch.todayIf you need other command line tweaks, a quick man logwatch (Yes, the developers wrote a manual page for Logwatch) will give you what you need.
Logwatch Paranoid Configuration
As shown in the previous section, you can use logwatch at the command line when needed. Those command line options supercede any configured parameters hard-coded in the configuration file located in /usr/share/logwatch/default.conf.
For those of you who are paranoid, or need to be, there are some settings in the configuration file worth noting.
The defaults settings are
Range = yesterday
Detail = Low
Archives = No.
You should change these to:Range = All
Detail = High
Archives = Yes.
The Archives setting grabs data from your recent logs as well. If you remember from the first post in this series, they're located under the /var/log directory and have a .X filename to designate their rotation number.
These settings will process all logs for all services and provide the highest level of reporting. The command line equivalent is shown below.
# logwatch --detail=High --range=All --archivesCustomizing Output
Here's a little bonus for those of you who enjoy reading HTML pages more than catting a text file or reading command line email. You can publish your logwatch reports in HTML. It only takes a minor bit of tweaking to create professional-looking automated HTML reports complete with formatting.
The command line version is shown below.
# logwatch --service sshd --detail=High --range=Today --output=html --save=/var/www/html/logwatch/logwatch.htmlThe equivalent settings in the configuration file are:
Save = /var/www/html/logwatch.html
Output = html
The SSHD section from the HTML report is shown in Figure 1.
Figure 1: SSHD Section from the Logwatch HTML Report
Logwatch is a useful script for system administrators who don't have the time or the patience to grep and page through logfiles. The work has been done for you by Kirk Bauer who develops and maintains logwatch. Logwatch should be one of your standard system administrator tools that's installed on every system you manage.
Next week, you'll take a look at some real-time log monitoring with swatch.
May 15th, 2004 | Linux Magazine
Configuring Logwatch
First you need to make sure you server is able to send the mails outside you can do this using postfix with SMTP server configuration
Now you need to edit logwatch.conf file
sudo nano /usr/share/logwatch/default.conf/logwatch.conf
Change the following information
Output = mail
Format = html
MailTo = [email protected]Save and exit the file
If you want to know more available options check logcheck manpage using the following command from your terminal
man logcheck
Now edit the 00logwatch file
sudo nano /etc/cron.daily/00logwatch
add the following line
/usr/sbin/logwatch --mailto [email protected]
Save and exit the file
This tool is very useful give it a try
You can check more configuration from here
Each month, the editor of our downloads section recommends the security freeware that he finds most valuable. This month, Scott Sidel reviews the benefits of Logwatch.
If you've been searching for a tool to help simplify your security log analysis process consider, Logwatch. This powerful tool specifies which events are important to you, and then scans the log files and reports on those key events. It can parse through systems and application log files, and its output is easily customizable by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing PERL scripts.
Logwatch ships as a standard part of several Linux systems and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system. Simply create a log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.
Why it's a cool tool
The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.
Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:
anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)
This beats looking through systems logs manually to discover how many failed login attempts are occurring.
About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.
May 3, 2008 | www.electrictoolbox.com
logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.
The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.
To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:
/etc/logwatch/conf/logwatch.confand add the following to the end of it to pevent log analysis of sendmail:
Service = "-sendmail"or postfix:
Service = "-postfix"The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:
/etc/cron.daily/0logwatchYou do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.
... ... ...
Logwatch Installation in Debian
#apt-get install logwatch
That's it installation done. Now you need to configure the logwatch
Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf
Default Logwatch configuration file as below and you need to change this file options
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log
# You can override the default temp directory (/tmp) here
TmpDir = /tmp
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = root
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No
# Leave this to 'Yes' if you have the mktemp program and it supports
# the '-d' option. Some older version of mktemp on pre-RH7.X did not
# support this option, so set this to no in that case and Logwatch will
# use internal temp directory creation that is (hopefully) just as secure
UseMkTemp = Yes
#
# Some systems have mktemp in a different place
#
MkTemp = /bin/mktemp
# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Med
# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
#Service = -zz-fortune
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...
#
# some systems have different locations for mailers
#
mailer = /usr/bin/mail
#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes
Email Notifications With Logwatch
Logwatch is a slick Perl script that bundles up logfile reports and emails them to you. Debian users can install it by running apt-get install logwatch. Debian puts the configuration files in /etc/logwatch. The RPM puts them in /etc/log.d. Of course you may also install from sources. Be sure to consult the README for installation.
To make it go, first find logwatch.conf. You'll need to make a few tweaks. Set the "MailTo" directive to your desired email address, or local account. For local mail, most Linux systems still come with venerable old "mail", which works just fine:
MailTo = carla
mailer = /usr/bin/mailOf course you may use any mailer you wish.
To make Logwatch send you daily reports, set the time range to "Today":
Range = Today
Other choices are "All" and "Yesterday." Now set your desired detail level for your reports:
Detail = High
Save your changes, and run Logwatch to send you a report:
# logwatch
The whole idea is to have Logwatch work without you having to exert yourself, so now you have to edit /etc/crontab to run Logwatch at your desired intervals. This runs it daily at 1am:
# m h dom mon dow user command
0 1 * * * root /usr/sbin/logwatch
May 3, 2008 | www.electrictoolbox.com
logwatch is a system log analyzer and reporter which emails daily reports about information in the system log files in /log. On CentOS and Red Hat Enterprise Linux this is usually configured by default to email the root user on a daily basis with the results from the log analysis. This post looks at how to stop logwatch from reporting on a particular service, for example sendmail and postfix.
The configuration files for logwatch on CentOS are stored at /etc/logwatch. The subdirectories and configuration files at this location are empty to start with and override the default settings, so you can safely add your own settings to these files without causing issues to the defaults. Simply remove your changes from these files at a later stage and you will restore the default behaviour.
To prevent logwatch from reporting on a particular service, for example sendmail or postfix, open up the following configuration file:
/etc/logwatch/conf/logwatch.confand add the following to the end of it to pevent log analysis of sendmail:
Service = "-sendmail"or postfix:
Service = "-postfix"The next time logwatch is run it will no longer report on the services with a "-" entry. You can do a test run of logwatch at any time by running the following on a CentOS or RHEL machine:
/etc/cron.daily/0logwatchYou do not need to restart any services for your configuration changes to take effect; they will be used the next time logwatch is run.
login attempts, like this:anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)
This beats looking through systems logs manually to discover how many failed login attempts are occurring.
About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to SearchSecurity.com.
Google matched content |
logwatch - system log analyzer and reporter
SYNOPSIS
logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ]
[--Print] [--mailto address ] [--archives] [--range range ] [--debug level ] [--save file-name ]
[--logdir directory ] [--hostname hostname ] [--help|--usage]
DESCRIPTION
LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems.
OPTIONS
--detail level
This is the detail level of the report. level can be high, med, low.
--logfile log-file-group
This will force LogWatch to process only the set of logfiles defined by log-file-group (i.e. messages, xferlog, ...). LogWatch will there- fore process all services that use those logfiles. This option can be specified more than once to specify multiple logfile-groups.
--service service-name
This will force LogWatch to process only the service specified in service-name (i.e. login, pam, identd, ...). LogWatch will therefore also process any log-file-groups necessary to process these services. This option can be specified more than once to specify multiple services to process. A useful service-name is All which will process all services (and logfile-groups) for which you have filters installed.
Print the results to stdout (i.e. the screen).
Mail the results to the email address or user specified in address.
Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).
This option will make LogWatch search through the archives in addition to the regular logfiles. The entries must still be in the proper date range (see below) to be processed, however.
You can specify a date-range to process. This option is currently limited to only Yesterday, Today and All.
For debugging purposes. level can range from 0 to 100. This will really clutter up your output. You probably don't want to use this.
Save the output to file-name instead of displaying or mailing it.
Look in directory for source syslog files instead of the default directory.
Use hostname for the reports instead of this system's hostname. In addition, if HostLimit is set in /etc/log.d/logwatch.conf, then only logs from this hostname will be processed (where appropriate).
Displays usage information
FILES
/etc/log.d/logwatch.conf
Really a symlink to /etc/log.d/conf/logwatch.conf. This file sets the default values of all the above options. These defaults are used when LogWatch is called without any parameters (i.e. from cron.daily). The file is well-documented, but the explanations above also apply to this config file.
/etc/log.d/conf/services/*
Configuration files for the various services whose log entries LogWatch can process.
/etc/log.d/conf/logfiles/*
Configuration files for the various logfiles that the above service's log entries are stored in.
/etc/log.d/scripts/shared/*
Filters common to many services and/or logfiles.
/etc/log.d/scripts/logfiles/*
Filters specific to just particular logfiles.
/etc/log.d/scripts/services/*
Actual filter programs for the various services.
EXAMPLES
logwatch --service ftpd-xferlog --range all --detail high --print --archives
This will print out all FTP transfers that are stored in all current and archived xferlogs.
logwatch --service pam_pwdb --range yesterday --detail high --print
This will print out login information for the previous day...
MORE INFORMATION
For information on adding your own filter, please see the file HOWTO-Make-Filter which should have been included with Logwatch. If you installed from an RPM, it is probably under /usr/share/doc/logwatch-XXX.
BUGS
The --range option is very weak... this will be fixed in the future.
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haters Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: January 09, 2020