Recipe 9.36 Summarizing Your Logs with logwatch

9.36.1 Problem

You want to scan your system log files for reports of problems.

9.36.2 Solution

Use logwatch, from http://www.logwatch.org. For example:

# logwatch --range all --archives --detail High --print | less

to see all the useful data logwatch can display, or:

# logwatch --print | less

to see only yesterday's entries.

9.36.3 Discussion

logwatch is a handy utility to scan system log files and display unexpected entries. Red Hat includes it but SuSE does not. If you need it, download the binary RPM from http://www.logwatch.org,^[13] and install it, as root:

^[13] Actually, there are no binaries: logwatch is a collection of Perl scripts. Therefore, you don't need to worry about which RPM is right for your system's architecture.

# rpm -Uhv logwatch-*.noarch.rpm

The easiest way to see what logwatch does is to run it:

$ logwatch --range all --print | less
################### LogWatch 4.2.1 (10/27/02) ####################
        Processing Initiated: Sun Nov 10 20:53:49 2002
        Date Range Processed: all
        Detail Level of Output: 0
        Logfiles for Host: myhost  
###############################################################
 --------------------- Connections (secure-log) Begin ------------------------
Unauthorized sudo commands attempted (1):
smith:
        /usr/bin/tail -30 /var/log/maillog
---------------------- Connections (secure-log) End -------------------------

 --------------------- SSHD Begin ------------------------
SSHD Killed: 2 Time(s)
SSHD Started: 1 Time(s)
Users logging in through sshd:
        smith logged in from foo.example.com (128.91.0.3) using publickey: 1 Time(s)
Refused incoming connections:
        200.23.18.56: 1 Time(s)
---------------------- SSHD End -------------------------
...

Once installed, logwatch is often run daily by cron, emailing its results to root. This is not necessarily the most secure way to do things: if your system is compromised, then you cannot trust email or logwatch itself. Like tripwire (Chapter 1), logwatch is best run on a remote machine, or from a secure medium like CD-ROM or write-protected floppy disk.

logwatch processes most but not all common log files. For the rest, you can define your own logwatch filters to parse and summarize them. [Recipe 9.37]

If logwatch seems to do nothing when you run it, be aware of the —print option. By default, logwatch does not write its results on standard output: it sends them by email. Specify —print to see the results on screen. Also be aware that the default range is "yesterday," which might not be what you want.

9.36.4 See Also

See logwatch(8) for full usage information or run:

$ logwatch --help