Wade through that haystack of logs to find the proverbial needle.
If you're logging almost every piece of information you can from all services and hosts on your network, you are no doubt drowning in a sea of information. One way to keep abreast of the real issues affecting your systems is to summarize your logs. This is easy with the logwatch tool (http://www.logwatch.org).
Logwatch analyzes your system logs over a given period of time and automatically generates reports, and it can easily be run from cron so that it emails you the results. Logwatch ships with most Red Hat Linux distributions, and RPM packages are available from the project's web site if you are using another RPM-based Linux distribution.
To install logwatch from source, download the source package. Since logwatch is a Perl script, there is nothing to compile: installing it is simply a matter of copying the script and its configuration files into a directory.
You can install it by running commands similar to these:
# tar xfz logwatch-5.0.tar.gz
# cd logwatch-5.0
# mkdir /etc/log.d
# cp -R conf lib scripts /etc/log.d
You can also install the manpage and, for added convenience, create a link from the logwatch.pl script to /usr/sbin/logwatch:
# cp logwatch.8 /usr/share/man/man8
# (cd /usr/sbin && \
ln -s ../../etc/log.d/scripts/logwatch.pl logwatch)
Running the following command will give you a taste of the summaries logwatch creates:
# logwatch --print | less
################### LogWatch 4.3.1 (01/13/03) ####################
Processing Initiated: Sat Dec 27 21:12:26 2003
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: colossus
################################################################
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
andrew logged in from kryten.nnc (192.168.0.60) using password: 2 Time(s)
---------------------- SSHD End -------------------------
###################### LogWatch End #########################
If you have an /etc/cron.daily directory, you can simply make a symbolic link from the logwatch.pl script to /etc/cron.daily/logwatch.pl, and the script will be run daily with its default settings. Alternatively, you can create an entry in root's crontab, in which case you can also modify logwatch's behavior by passing it command-line switches. For instance, the --mailto option changes the email address that reports are sent to. By default they go to the local root account, which is probably not what you want.
Logwatch supports most standard log files without any additional configuration, but you can add support for any type of log file. To do this, you first need to create a logfile group configuration for the new file type in /etc/log.d/conf/logfiles. This file just needs to contain an entry pointing logwatch to the logfile for the service and another entry specifying a globbing pattern for any archived log files for that service.
For example, if you had a service called myservice, you could create /etc/log.d/conf/logfiles/myservice.conf with these contents:
LogFile = /var/log/myservice
Archive = /var/log/myservice.*
Next, you need to create a service definition file. This should be called /etc/log.d/conf/services/myservice.conf and should contain the following line:
LogFile = myservice
Finally, since logwatch is merely a framework for generating log file summaries, you'll also need to create a script in /etc/log.d/scripts/services called myservice. When logwatch runs, it strips the timestamps from the matching log lines and passes the remainder of each line to the myservice script on standard input. Your script must therefore read from standard input, parse out the pertinent information, and print a summary to standard output. Make the script executable, and because it will be run as root from cron, make sure it is owned by root and not writable by anyone else.
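The following is an added example of such a service script, not code from logwatch or from the original page. It assumes logwatch runs it as /etc/log.d/scripts/services/myservice with the service's log lines (timestamps already stripped) on standard input, and that the detail level arrives in the LOGWATCH_DETAIL_LEVEL environment variable, the way logwatch's own service scripts read it. The myservice log format and the sample lines are invented for this example. The script counts successful logins per user and source, ranks failed logins by source so a brute-force attempt rises to the top, and, importantly, reports any line it did not recognise rather than silently discarding it.

```python
#!/usr/bin/env python3
"""Added example: a logwatch service script for the hypothetical 'myservice'.

Not part of logwatch. Assumes logwatch executes this file with the service's
log lines on stdin (timestamps stripped) and sets LOGWATCH_DETAIL_LEVEL
(0 = low, 5 = medium, 10 = high). The log format below is constructed:
    myservice[101]: LOGIN OK user=andrew from=192.168.0.60
    myservice[102]: LOGIN FAILED user=root from=10.0.0.9 reason=badpass
"""
import os
import re
import sys
from collections import Counter, defaultdict

# Constructed sample input, so the script can be run stand-alone with --demo.
SAMPLE_LINES = [
    "myservice[101]: LOGIN OK user=andrew from=192.168.0.60",
    "myservice[101]: LOGIN OK user=andrew from=192.168.0.60",
    "myservice[102]: LOGIN FAILED user=root from=10.0.0.9 reason=badpass",
    "myservice[102]: LOGIN FAILED user=root from=10.0.0.9 reason=badpass",
    "myservice[102]: LOGIN FAILED user=root from=10.0.0.9 reason=badpass",
    "myservice[102]: LOGIN FAILED user=root from=10.0.0.9 reason=badpass",
    "myservice[102]: LOGIN FAILED user=admin from=10.0.0.9 reason=nouser",
    "myservice[103]: LOGIN FAILED user=bob from=192.168.0.7 reason=badpass",
    "myservice[104]: something new happened",
]

# Hypothetical line format for myservice (an assumption of this example).
LINE_RE = re.compile(
    r'^myservice\[\d+\]: LOGIN (?P<result>OK|FAILED) '
    r'user=(?P<user>\S+) from=(?P<src>\S+)(?: reason=(?P<reason>\S+))?\s*$'
)


def parse_line(line):
    """Return the fields of a recognised line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate log lines into the counters the report is built from.

    Unrecognised lines are kept verbatim: a message the parser does not know
    about should show up in the report, not vanish silently.
    """
    ok = Counter()                        # (user, src) -> successful logins
    failed = Counter()                    # src -> failed logins
    failed_users = defaultdict(Counter)   # src -> user -> failed logins
    unmatched = []
    for line in lines:
        line = line.rstrip('\n')
        if not line.strip():
            continue
        f = parse_line(line)
        if f is None:
            unmatched.append(line)
        elif f['result'] == 'OK':
            ok[(f['user'], f['src'])] += 1
        else:
            failed[f['src']] += 1
            failed_users[f['src']][f['user']] += 1
    return {'ok': ok, 'failed': failed,
            'failed_users': failed_users, 'unmatched': unmatched}


def render(summary, detail=0, threshold=5):
    """Build logwatch-style report text; detail >= 5 adds a per-user breakdown."""
    out = []
    if summary['ok']:
        out.append('Users logging in through myservice:')
        for (user, src), n in sorted(summary['ok'].items()):
            out.append(f'   {user} from {src}: {n} Time(s)')
    if summary['failed']:
        out.append('Failed logins through myservice (most active source first):')
        for src, n in summary['failed'].most_common():
            flag = '  ** possible brute force **' if n >= threshold else ''
            out.append(f'   {src}: {n} Time(s){flag}')
            if detail >= 5:
                for user, m in summary['failed_users'][src].most_common():
                    out.append(f'      {user}: {m} Time(s)')
    if summary['unmatched']:
        out.append('**Unmatched Entries**')
        out.extend(f'   {l}' for l in summary['unmatched'])
    return '\n'.join(out) + ('\n' if out else '')


def main():
    try:
        detail = int(os.environ.get('LOGWATCH_DETAIL_LEVEL', '0'))
    except ValueError:
        detail = 0
    lines = SAMPLE_LINES if '--demo' in sys.argv[1:] else sys.stdin
    sys.stdout.write(render(summarize(lines), detail))


if __name__ == '__main__':
    main()
```

Run it with `--demo` to see the report for the constructed sample, or feed it real lines with `./myservice < /var/log/myservice`. The **Unmatched Entries** section is the check worth keeping in any filter you write: if it fills up with full syslog lines, the timestamp was not stripped the way you expected; if it shows messages you have never seen before, that is exactly the kind of thing a summary exists to surface.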
This just scratches the surface of how to get logwatch running on your system. There is a great deal of information in the HOWTO-Make-Filter, which is included with the logwatch distribution.