Monitor System Logs with Logwatch


Logwatch is a log parsing program that analyzes and generates daily reports on your system's log activity. Logwatch does not provide real-time alerts; instead it creates a digest organized by service for ease of review. More advanced users can also pair Logwatch with custom analysis scripts to fine-tune their reports.

By default, Logwatch uses Sendmail to send digests.

Note
The steps in this guide require root privileges. Be sure to run them as root. If logged in as a superuser, it is recommended that you su into root. For more information on privileges, see our Users and Groups guide.

Install Logwatch and Sendmail

Ubuntu

  1. Update your system:

    sudo apt update && sudo apt upgrade
    
  2. Install Logwatch and Sendmail:

    sudo apt install logwatch sendmail
    

Debian

  1. Update your system:

    sudo apt update && sudo apt upgrade
    
  2. Install Logwatch and Sendmail:

    sudo apt install logwatch sendmail-bin sendmail
    

CentOS Stream, AlmaLinux, Rocky Linux, and Fedora

  1. Update your system:

    sudo dnf update
    
  2. Install Logwatch and Sendmail:

    sudo dnf install logwatch sendmail
    
  3. Start Sendmail:

    sudo systemctl start sendmail
    

CentOS 7

  1. Update your system:

    sudo yum update
    
  2. Install Logwatch and Sendmail:

    sudo yum install logwatch sendmail
    
  3. Start Sendmail:

    sudo systemctl start sendmail
    

Arch Linux

  1. Update your system:

    pacman -Syu
    
  2. Install Logwatch and Postfix. Postfix replaces the default Sendmail, which is not in Arch's repositories:

    pacman -S logwatch postfix
    

    Logwatch will prompt you to select which cron provider to use. Select the default, cronie.

    Note
    Other SMTP clients can also be used for delivering Logwatch messages.
  3. Edit the /etc/postfix/main.cf file to add your domain information and restrict Postfix to send-only mail, replacing hostname.example.com with your own hostname and domain:

    File: /etc/postfix/main.cf

    myhostname = hostname.example.com
    inet_interfaces = loopback-only

    Note
    Both A/AAAA and MX records will need to be set for your domain.
  4. Edit /etc/postfix/aliases to uncomment root and alias it to root@hostname.example.com, replacing hostname.example.com with your own hostname and domain:

    File: /etc/postfix/aliases

    root:           root@hostname.example.com
  5. Run newaliases after editing the aliases list.

  6. Start postfix:

    systemctl start postfix
    
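The Arch steps above leave Postfix listening on loopback only and route root's mail to a full address. The following added example, which is not part of the guide, checks a main.cf and an aliases file for exactly those two settings. It takes the file paths as parameters and runs against constructed sample files rather than the live /etc/postfix files, so it can be tried without touching a real mail system.

```shell
#!/bin/sh
# Added example (not from the guide): verify the send-only Postfix settings the
# Arch install steps describe. File paths are parameters; the samples below are
# constructed stand-ins for /etc/postfix/main.cf and /etc/postfix/aliases.

# Print the value of a "key = value" setting from main.cf, ignoring comment lines
# and surrounding whitespace. The last occurrence wins, as in Postfix itself.
postfix_setting() {
    # $1 = main.cf path, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only when Postfix is bound to loopback, i.e. it sends but never accepts
# connections from the network.
is_send_only() {
    [ "$(postfix_setting "$1" inet_interfaces)" = "loopback-only" ]
}

# Print the alias target for a local user, skipping commented-out entries
# (a leading '#' means the line never matches the "^[[:space:]]*user:" pattern).
alias_target() {
    # $1 = aliases path, $2 = local user
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Combined check: send-only Postfix plus a root alias that is a full address.
# Returns 0 when both hold, 1 otherwise, and says which part failed.
check_postfix_config() {
    # $1 = main.cf path, $2 = aliases path
    is_send_only "$1" || { echo "inet_interfaces is not loopback-only"; return 1; }
    target=$(alias_target "$2" root)
    case "$target" in
        *@*) echo "root mail goes to $target"; return 0 ;;
        *)   echo "root alias missing or not a full address"; return 1 ;;
    esac
}

# Constructed sample files matching the guide's Arch configuration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/main.cf" <<'EOF'
# constructed sample main.cf
myhostname = hostname.example.com
inet_interfaces = loopback-only
EOF
cat > "$SAMPLE_DIR/aliases" <<'EOF'
# constructed sample aliases file; the commented line must be ignored
#root:          postmaster
root:           root@hostname.example.com
EOF

check_postfix_config "$SAMPLE_DIR/main.cf" "$SAMPLE_DIR/aliases"
```

To run it against a real host, pass /etc/postfix/main.cf and /etc/postfix/aliases to check_postfix_config instead of the sample files; remember that newaliases must be run after editing the aliases file for Postfix to see the change.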

Configure Logwatch

The default configuration file for Logwatch is located at /usr/share/logwatch/default.conf/logwatch.conf. This file defines which directories Logwatch tracks, how the digest is output, where the digest is sent, and which services are reported on.

The following settings are the most common configuration changes that will need to be made. Others can be found in the logwatch.conf file, explained in the comments.

Note
If Logwatch initially does not appear to run, change the Detail setting in the logwatch.conf file to Med.

Log Directories

By default, Logwatch digests will include all logs contained within /var/log. If any other directories contain logs, such as website directories, they can be added by including additional LogDir lines. For example:

File: /usr/share/logwatch/default.conf/logwatch.conf

LogDir = /var/log
LogDir = /var/www/example.com/logs

The default Logwatch configuration will output the digest to your Linode's console. This is defined with the Output variable, which is set to stdout by default. This option works if you only plan to run Logwatch manually, but it does not save or send the digest to you for later review.

Email Logwatch Digest

The Logwatch digest can be sent to local users or external email addresses, in plain text or HTML formats.

Note

Before sending mail externally or locally, ensure you have Sendmail installed on the Linode. If you choose to use a different MTA, change the mailer line in the Logwatch configuration file to the path of your chosen MTA, or alias /usr/sbin/sendmail to your MTA.

If using Arch, and you followed the above install instructions, Sendmail is already aliased to msmtp.

  1. Change the Output value to mail. If you wish to receive the messages in HTML format change the Format value to html.

  2. Change the MailTo address to a valid email address, or local account user. For example, to send mail to the root user change the line to read:

    File: /usr/share/logwatch/default.conf/logwatch.conf

    MailTo = root
  3. Change the MailFrom value to a valid email address, or to a local user. This can also be left as Logwatch.

Save Logwatch Digest to File

Logwatch digests can also be saved to a file on your system.

  1. Change the Output value to file.

  2. Find and uncomment (remove the hashmark [#]) the Filename value. Set the path and filename in which you wish to save your Logwatch digests.
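
The Output, MailTo, Filename, LogDir and Detail settings above depend on one another: Output = mail needs a MailTo, Output = file needs a Filename, and every LogDir has to exist or the digest silently covers less than you think. The following added example, which is not part of the guide or of Logwatch itself, reads a logwatch.conf with a small awk parser and reports those inconsistencies. It runs against constructed sample files in a temporary directory; the key names are the ones the guide uses, and the case-insensitive key comparison is a convenience of this script, not something the guide states about Logwatch.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a logwatch.conf before relying on
# the daily digest. Paths are parameters; the samples below are constructed.

# Print every value of a key (LogDir may appear several times). Comment and blank
# lines are skipped; whitespace around key and value is trimmed; keys compare
# case-insensitively here as a convenience.
conf_values() {
    # $1 = logwatch.conf path, $2 = key
    awk -v key="$2" -F'=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
            }
        }' "$1"
}

# For single-valued keys the last occurrence wins.
conf_last() { conf_values "$1" "$2" | tail -n 1; }

# Report settings that contradict each other. Prints one line per problem and
# returns the number of problems found (0 means the file is consistent).
validate_logwatch_conf() {
    problems=0
    output=$(conf_last "$1" Output)
    case "$output" in
        stdout) ;;
        mail)
            [ -n "$(conf_last "$1" MailTo)" ] \
                || { echo "Output=mail but MailTo is empty"; problems=$((problems + 1)); }
            ;;
        file)
            [ -n "$(conf_last "$1" Filename)" ] \
                || { echo "Output=file but Filename is not set"; problems=$((problems + 1)); }
            ;;
        *) echo "unknown Output value: '$output'"; problems=$((problems + 1)) ;;
    esac
    # Detail accepts the named levels or a number 0-10 (Low, Med and High map to
    # 0, 5 and 10 in the default logwatch.conf comments).
    detail=$(conf_last "$1" Detail | tr 'A-Z' 'a-z')
    case "$detail" in
        low|med|high|[0-9]|10) ;;
        *) echo "invalid Detail level: '$detail'"; problems=$((problems + 1)) ;;
    esac
    for dir in $(conf_values "$1" LogDir); do
        [ -d "$dir" ] || { echo "LogDir does not exist: $dir"; problems=$((problems + 1)); }
    done
    return $problems
}

# Constructed samples: a consistent file and one with three problems.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/var-log" "$SAMPLE_DIR/www-logs"
GOOD_CONF="$SAMPLE_DIR/good.conf"
BAD_CONF="$SAMPLE_DIR/bad.conf"
cat > "$GOOD_CONF" <<EOF
# constructed sample: mail the digest to root, medium detail
LogDir = $SAMPLE_DIR/var-log
LogDir = $SAMPLE_DIR/www-logs
#LogDir = /commented/out/and/ignored

Output = mail
Format = text
MailTo = root
MailFrom = Logwatch
Detail = Med
EOF
cat > "$BAD_CONF" <<EOF
# constructed sample: file output with no Filename, bad Detail, missing LogDir
LogDir = $SAMPLE_DIR/missing-logs
Output = file
Detail = verbose
EOF

validate_logwatch_conf "$GOOD_CONF" && echo "good.conf: no problems"
if ! validate_logwatch_conf "$BAD_CONF"; then echo "bad.conf: problems found"; fi
```

Point validate_logwatch_conf at /usr/share/logwatch/default.conf/logwatch.conf (or whichever copy you edited) to check a live configuration; a nonzero return is a reason to run logwatch manually with --output stdout and confirm the digest looks right before trusting the cron run.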

Run Logwatch

Run Logwatch Manually

Logwatch can be run manually at any time by running the logwatch command from your console. The command accepts a number of options that change the default output to suit your needs:

  • --detail: Can be set to low, med, high, or any numerical value between 1 and 10. Defines how detailed the report will be.
  • --logdir: The directory containing the log files you wish to gain reports on.
  • --service: The service definition that you wish to report on.
  • --output: How the report is delivered: standard output (stdout), mail, or file.
  • --format: Plain text or HTML.
  • --mailto: The local user or email address to send the report to.

Run Logwatch through Cron

Logwatch often works best when configured to run daily and send or save a report to view later. This can be achieved by setting Logwatch up to run as a cron job.

  1. Open the crontab:

    crontab -e
    
  2. Add a line for Logwatch. The following entry runs Logwatch at 00:30 each day:

    File: /etc/crontab

    30 0  * * *          /usr/sbin/logwatch

    For more information on adjusting your crontab scheduling, reference our guide on Scheduling Tasks with Cron.
