System logs contain valuable information about the activities and events occurring on your Linux server. However, manually reviewing these logs can be time-consuming and overwhelming. That's where Logwatch comes in. Logwatch is a powerful log analysis and monitoring tool that automates the process of parsing and summarizing system logs, making it easier for system administrators to identify potential issues, security threats, and system performance trends. In this blog, we will explore the benefits of using Logwatch, its installation process, and how to customize its configuration to suit your monitoring needs. By the end, you'll have a solid understanding of how Logwatch can help you gain insights into your system's log data and keep your Linux server running smoothly.
Time Efficiency: Manually reviewing system logs can be a time-consuming task, especially when dealing with large log files or multiple servers. Logwatch automates this process by parsing and summarizing log data, providing concise and organized reports that highlight important events and trends. This saves administrators valuable time and allows them to focus on critical issues.
Centralized Log Analysis: Logwatch consolidates log data from various sources, such as system logs, application logs, and security logs, into a unified report. This centralized approach simplifies log analysis, making it easier to identify patterns, anomalies, and potential security threats across the system.
Quick Issue Identification: Logwatch provides a clear and concise summary of log events, highlighting any warnings, errors, or critical issues that require attention. By regularly reviewing Logwatch reports, administrators can promptly identify and address system problems, ensuring optimal performance and minimizing downtime.
Security Monitoring: System logs contain valuable information for detecting security incidents and unauthorized access attempts. Logwatch helps in monitoring and analyzing security logs, providing insights into potential security breaches, failed login attempts, suspicious activities, and other security-related events. This enables administrators to take proactive measures to enhance system security.
Customization and Flexibility: Logwatch offers a range of customization options to tailor the log monitoring process to specific requirements. Administrators can configure which log files to analyze, set alert thresholds, define report formats, and apply filters to focus on relevant log entries. This flexibility allows for fine-tuning the monitoring process and adapting it to the unique needs of the system.
Historical Analysis and Trend Identification: By maintaining a history of log reports, Logwatch enables administrators to analyze system performance trends over time. This helps in identifying recurring issues, monitoring resource usage patterns, and making informed decisions regarding system optimization and capacity planning.
Before the installation, log into the server as the root user, input the password as prompted, and then update your system.
sudo -i
apt update && apt upgrade
Then, install Logwatch and Sendmail.
apt install logwatch sendmail
Sendmail is a server application that gives businesses a way to send email using the Simple Mail Transfer Protocol (SMTP). It’s typically installed on an email server on a dedicated machine that accepts outgoing email messages and then sends these messages to the defined recipient. This application will help send reports or digests to your email if it's well configured.
The default configuration file for Logwatch is located at "/usr/share/logwatch/default.conf/logwatch.conf". Use any text editor to modify the content. Here, we will use the nano text editor.
nano /usr/share/logwatch/default.conf/logwatch.conf
2.1 Log Directories
LogDir defines directories containing log files that you want Logwatch to analyze. By default, Logwatch goes through all the logs located within the /var/log directory and generates reports on your system's log activity. However, if you have logs in other directories, such as custom application logs or website logs that need to be reported, you can add them to Logwatch by including additional "LogDir" lines as below.
TmpDir specifies the directory where Logwatch stores temporary files and working files during its execution. Although this can be any directory you want, we will keep the default value /var/cache/logwatch. You’ll have to manually create this directory when we finish editing this file.
2.2 Output and Format Configuration
Output determines the destination or method for delivering Logwatch reports, and Format determines how each report is rendered. The options for the "Output" setting are:
- stdout: Logwatch reports are displayed on the standard output (console) when Logwatch is executed. This is the default option, and it's useful for immediate viewing of reports on demand or for capturing the output for further processing or redirection.
- mail: Logwatch reports are sent via email to the address specified in the Logwatch configuration. This option allows you to receive Logwatch reports directly in your email inbox. To use this feature, make sure that your system has a working mail transfer agent (MTA) configured, such as Sendmail or Postfix, to handle outgoing emails.
- file: Logwatch reports are saved to a file. You can specify the file path and name using the Filename option in the Logwatch configuration. This option is useful if you want to store the reports for later reference or for automated processing.
The options for the "Format" setting are:
- text: Logwatch generates reports in a simple, text-based format that is easy to read and parse. This format is suitable for viewing reports in a console or terminal window, storing them as plain text files, or integrating them with other text-based tools or systems.
- html: Logwatch reports are generated in HTML format. This is suitable for viewing reports in a web browser or embedding them in web pages.
- html-noencode: Similar to the html option, but it doesn't encode special characters in the HTML output. This option might be necessary for compatibility with certain systems or applications.
To send the reports by email, set the following values:

# Deliver the report by email
Output = mail
# Choose the format (html or text) you prefer. In this case, we choose html.
Format = html
# Can be a valid email address or a local account user. If using a local account, you can specify MailTo = root
MailTo = your email address
# Change the MailFrom value to a valid email address, or to a local user such as the hostname (you can get the hostname by issuing "hostname" in the terminal). This can also be left as Logwatch.
MailFrom = Logwatch

Alternatively, to save the reports to a file:

# Save the report to a file
Output = file
# Choose the format (html or text) you prefer. In this case, we choose text.
Format = text
# Find and uncomment (remove the hashmark [#]) the Filename line and set the path and filename in which you wish to save your Logwatch digests. In this case, we keep the default value.
Filename = /tmp/logwatch
2.3 Service Configuration
Service specifies which system services or log files Logwatch should analyze and include in its reports. Each supported service has its own script in the services directory, which you can list with:
ls -l /usr/share/logwatch/scripts/services
2.4 Range and Detail Configurations
Range determines the time range of log entries that a report covers.
Detail determines the level of detail in the generated Logwatch reports, that is, how much information and verbosity they include. The available options for the "Detail" setting are:
- Low: Generates concise reports with minimal details.
- Medium: Provides a balanced level of detail in the reports.
- High: Generates comprehensive reports with maximum details and verbosity.
When you finish the configuration, press "Ctrl" and "x", then enter "y", followed by hitting the "Enter" key to save the changes.
mkdir /var/cache/logwatch
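As an added example that is not part of the original post, the following POSIX shell functions check the settings edited in this section (LogDir, TmpDir, Output, Format, MailTo, Filename) against the file system before the first scheduled run; the configuration path is a parameter and the function names are this example's own.

```shell
# Added example, not from the original post: sanity-check the logwatch.conf settings
# edited above before the first scheduled run. The file path is a parameter; the
# function names lw_get, lw_check_conf and lw_demo are this example's own.

# Effective value of KEY in FILE: last "Key = value" line wins, trailing #comment dropped.
lw_get() {  # usage: lw_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# Print one line per problem found; return 0 only when nothing is wrong.
lw_check_conf() {  # usage: lw_check_conf FILE
    conf=$1; rc=0
    output=$(lw_get Output "$conf"); format=$(lw_get Format "$conf")
    case "$output" in
        mail)   [ -n "$(lw_get MailTo "$conf")" ] || { echo "Output = mail but MailTo is empty"; rc=1; } ;;
        file)   [ -n "$(lw_get Filename "$conf")" ] || { echo "Output = file but Filename is empty"; rc=1; } ;;
        stdout) ;;
        *)      echo "unknown Output value '$output'"; rc=1 ;;
    esac
    case "$format" in
        text|html|html-noencode) ;;
        *) echo "unknown Format value '$format'"; rc=1 ;;
    esac
    # The package does not create TmpDir; the guide makes it by hand with mkdir.
    tmpdir=$(lw_get TmpDir "$conf")
    [ -d "$tmpdir" ] || { echo "TmpDir '$tmpdir' does not exist: mkdir it"; rc=1; }
    # Every LogDir line (there may be several) must name an existing directory.
    for d in $(sed -n 's/^[[:space:]]*LogDir[[:space:]]*=[[:space:]]*//p' "$conf"); do
        [ -d "$d" ] || { echo "LogDir '$d' does not exist"; rc=1; }
    done
    return $rc
}

# Constructed demo: the mail/html setup from this guide, but with MailTo left empty
# and TmpDir never created. Prints the number of problems reported (expected: 2).
lw_demo() {
    work=$(mktemp -d); mkdir "$work/log"
    cat > "$work/logwatch.conf" <<EOF
LogDir = $work/log
TmpDir = $work/cache
Output = mail
Format = html
MailTo =
EOF
    lw_check_conf "$work/logwatch.conf" | wc -l | tr -d ' '
    rm -rf "$work"
}
```

Run lw_check_conf /usr/share/logwatch/default.conf/logwatch.conf after editing; an empty result and a zero exit status mean the file is consistent with what is on disk.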
Run Logwatch Manually
logwatch
sudo /usr/sbin/logwatch   # Run this if you have not switched to the root account.
logwatch [--detail level] [--logfile log-file-group] [--service service-name] [--print] [--mailto address] [--archives] [--range range] [--debug level] [--save file-name] [--logdir directory] [--hostname hostname] [--splithosts] [--multiemail] [--output output-type] [--numeric] [--no-oldfiles-log] [--version] [--help|--usage]
logwatch --detail Low --mailto email@address --service http --range today
Run Logwatch Automatically
nano /etc/crontab
Add the following line to run Logwatch as root every day at 06:35:
35 6 * * * root /usr/sbin/logwatch
Finally, verify each delivery method by setting Output in the configuration file and running Logwatch:

Output = mail
(the report should arrive in the mailbox given by MailTo)

Output = stdout
logwatch

Output = file
logwatch
nano /tmp/logwatch
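The file output above is also the hook for automated processing. As an added example that is not from the original post, these POSIX shell functions pull the pam_unix block out of a saved text digest and flag a day whose failed-authentication count exceeds a threshold; the sample digest is constructed, and the function names are this example's own.

```shell
# Added example, not from the original post: post-process a digest saved with
# Output = file / Format = text. lw_section extracts one service block from the
# report and lw_failed_auth sums the per-source "N Time(s)" counters in the pam_unix
# block, so a cron job can flag a noisy day. The sample report is constructed here,
# not captured from a real host; the function names are this example's own.

# Lines between " ---- SERVICE Begin ----" and " ---- SERVICE End ----" in FILE.
lw_section() {  # usage: lw_section SERVICE FILE
    awk -v s="$1" '
        $0 ~ ("^ *-+ *" s " Begin *-+") { inside = 1; next }
        $0 ~ ("^ *-+ *" s " End *-+")   { inside = 0 }
        inside' "$2"
}

# Total of per-source failure lines such as "root (203.0.113.5): 7 Time(s)".
# Prints "<total> ALERT" when the total exceeds THRESHOLD, otherwise "<total> OK".
lw_failed_auth() {  # usage: lw_failed_auth FILE THRESHOLD
    total=$(lw_section pam_unix "$1" |
        awk '/\): [0-9]+ Time\(s\)/ { n += $(NF-1) } END { print n + 0 }')
    if [ "$total" -gt "$2" ]; then echo "$total ALERT"; else echo "$total OK"; fi
}

# Constructed sample digest in Logwatch's text layout (addresses are documentation ranges).
lw_sample_report() {
    cat <<'EOF'
 --------------------- pam_unix Begin ------------------------ 
 sshd:
    Authentication Failures:
       root (203.0.113.5): 17 Time(s)
       unknown (198.51.100.9): 5 Time(s)
    Invalid Users:
       Unknown Account: 5 Time(s)
 ---------------------- pam_unix End ------------------------- 

 --------------------- sshd Begin ------------------------ 
 Users logging in through sshd:
    admin (192.0.2.20): 2 Time(s)
 ---------------------- sshd End ------------------------- 
EOF
}

# Run the check on the sample with the given threshold: threshold 10 gives "22 ALERT".
lw_alert_demo() {  # usage: lw_alert_demo THRESHOLD
    f=$(mktemp); lw_sample_report > "$f"
    lw_failed_auth "$f" "$1"
    rm -f "$f"
}
```

The sshd block's successful logins are not counted, because only the pam_unix section is passed to the summing step.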
That's it! You should now be able to set up log monitoring with Logwatch and Sendmail.
Logwatch provides a reliable and efficient solution for monitoring system logs, enabling system administrators to stay informed about the health, security, and performance of their Linux systems. By automating the log analysis process and generating comprehensive reports, Logwatch simplifies the task of identifying and troubleshooting potential issues, allowing for proactive and timely responses. Whether you are a small business owner or a seasoned system administrator, integrating Logwatch into your monitoring toolkit can greatly enhance your ability to maintain a stable and secure system environment. So, take the time to set up Logwatch, explore its customizable options, and gain valuable insights into your system logs, ensuring the optimal functioning of your Linux infrastructure.