Introduction:
Logwatch is a customizable, pluggable log-monitoring system. It goes through your logs for a given period of time and produces a report covering the areas you choose, at the level of detail you choose. It is relatively easy to use, and its basic configuration works right out of the box on many systems.
Logwatch is very configurable and there are many ways to tailor what it reports. However, here we only go through the basic configuration options to demonstrate how it works in general.
Installation:
On a CentOS system you can use yum to install the package like this:
yum install logwatch
Basic Setup:
The main configuration file that you need to modify is this:
/etc/logwatch/conf/logwatch.conf
This file is empty by default, but you can add these basic options to the file to start using Logwatch right away:
LogDir = /var/log
LogDir = /usr/local/cpanel/logs
TmpDir = /var/cache/logwatch
Output = mail
Format = html
Encode = none
MailTo = user@remote-server.tld
MailFrom = cpanel@local-server.tld
Range = yesterday
Detail = Low
Service = All
mailer = "/usr/sbin/exim -t"
I will try to explain some of these lines. The "LogDir" option specifies the location of your log files. On a cPanel server, the most important log files are usually located in /var/log/messages and /usr/local/cpanel/logs.
For the "Output" line you have a few options, like "stdout", "mail" and a few others, but since here we want to mail the reports to a specific email address, we choose "mail" as the output.
For the "Format" line, although there are more than two options, you will normally choose either "html" or "text". It's up to you how readable you want your emails to be. Here I have chosen "html" for maximum readability.
The "MailTo" and "MailFrom" lines are of course obvious. Just make sure that the sender and receiver are verified accounts. This functionality is naturally subject to the usual email deliverability issues, so you need to make sure that emails are actually sent from your server and successfully received at the destination address.
The "Range" line specifies the period covered by the report that Logwatch will send you. Since I want to review my logs on a daily basis, I have chosen "yesterday" for my range, which limits the report to events from the previous day.
The "Service" line needs a little explanation. The best approach is to set it to "All", which by default checks the log files for all services Logwatch knows about on the system; if you wish to exclude a specific service from the report, you can add a separate "Service" line to the configuration file for that service. The syntax of the extra "Service" line is as follows (the - inside the double quotes is mandatory):
Service = "-$SERVICE_NAME"
This tells Logwatch to exclude the log files associated with $SERVICE_NAME. For a complete list of services and their names you can run this command:
for ser in /usr/share/logwatch/scripts/services/*; do printf 'Service = "-%s"\n' "$(basename "$ser")"; done
You can copy any line from the output of the above command into the config file. For example, if you want to exclude all ClamAV-related logs from your reports, you simply add these three lines to the main configuration file:
Service = "-clamav"
Service = "-clamav-milter"
Service = "-clam-update"
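As an added example (not part of the original post), a small Python checker for exactly this part of the configuration: it parses logwatch.conf lines where keys such as LogDir and Service legitimately repeat, catches an exclusion line whose closing quote is missing, and reports excluded service names that have no matching filter script under /usr/share/logwatch/scripts/services. The sample configuration and the set of available service names are constructed for the example.

```python
import re
# Constructed sample: the page's LogDir/Service/mailer lines, plus one line with a
# missing closing quote and one misspelt exclusion ("sshdd") to exercise the checks.
SAMPLE_CONF = """\
LogDir = /var/log
LogDir = /usr/local/cpanel/logs
Service = All
Service = "-clamav"
Service = "-clamav-milter"
Service = "-clam-update
Service = "-sshdd"
mailer = "/usr/sbin/exim -t"
"""
LINE_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$')

def parse_conf(text):
    """Return (settings, problems); settings maps lowercase key -> list of values,
    because LogDir and Service are legitimately repeated."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f'line {lineno}: not a key = value line')
            continue
        key, val = m.group(1).lower(), m.group(2)
        if val.count('"') % 2:                         # e.g. "-clam-update with no closing quote
            problems.append(f'line {lineno}: unbalanced quote in {val!r}')
            continue
        settings.setdefault(key, []).append(val.strip('"'))
    return settings, problems

def check_services(settings, available):
    """Flag "-name" exclusions whose name is not in `available` (the file names
    under /usr/share/logwatch/scripts/services), and exclusions without Service = All."""
    services = settings.get('service', [])
    excluded = [s[1:] for s in services if s.startswith('-')]
    problems = []
    if excluded and not any(s.lower() == 'all' for s in services):
        problems.append('exclusions present but no "Service = All" line')
    problems += [f'excluded service {n!r} has no filter script' for n in excluded if n not in available]
    return problems

def demo():
    """Run both checks on SAMPLE_CONF against a constructed set of service names;
    on a real host use set(os.listdir('/usr/share/logwatch/scripts/services'))."""
    settings, problems = parse_conf(SAMPLE_CONF)
    return problems + check_services(settings, {'clamav', 'clamav-milter', 'clam-update', 'sshd'})
```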
The last line, the "mailer" line, is of course self-explanatory. Here we are using Exim to send emails. Although it's possible to use other options, Exim is usually recommended as the default mailer in cPanel environments.
Running Logwatch:
There are at least two options to run Logwatch. You can run it right from the command line interactively by calling the binary file:
/usr/sbin/logwatch
Or you can create a cron job to run the command at a specific interval, for instance every day at 8 A.M. (this is the recommended method):
0 8 * * * /usr/sbin/logwatch
Output:
Here is a sample Logwatch output for demonstration with a very basic configuration where only a few services are monitored:
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Fri Oct 30 13:49:43 2020
Date Range Processed: yesterday
( 2020-Oct-29 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: local-server.tld
##################################################################
--------------------- sendmail-largeboxes (large mail spool files) Begin ------------------------
Can't find spool directory
---------------------- sendmail-largeboxes (large mail spool files) End -------------------------
--------------------- SpamAssassin Begin ------------------------
Child-related errors
spamd: cannot send SIGINT to child process [___]: No such process: 2 Time(s)
prefork: killed child ___: 2 Time(s)
prefork: killing failed child ___ fd=___ at /usr/local/cpanel/___rdparty/perl/___/lib/perl___/cpanel_lib/Mail/SpamAssassin/SpamdForkScaling.pm line ___.: 2 Time(s)
---------------------- SpamAssassin End -------------------------
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
root:
10.3.17.233: 3 times
10.3.17.228: 1 time
Received disconnect:
11: disconnected by user : 2 Time(s)
---------------------- SSHD End -------------------------
--------------------- yum Begin ------------------------
Packages Updated:
ea-apache24-config-runtime-1.0-165.165.5.cpanel.noarch
ea-php71-php-mysqlnd-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_proxy_fcgi-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-iconv-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-common-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-dba-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-mbstring-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-2.4.46-2.4.1.cpanel.x86_64
ea-apache24-config-1.0-165.165.5.cpanel.noarch
ea-apache24-mod_brotli-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-fpm-7.1.33-8.8.7.cpanel.x86_64
1:ea-nginx-1.19.3-3.3.3.cpanel.x86_64
ea-apache24-mod_deflate-2.4.46-2.4.1.cpanel.x86_64
ea-apache24-mod_unique_id-2.4.46-2.4.1.cpanel.x86_64
ea-ruby24-ruby-wrapper-6.0.6-2.2.13.cpanel.x86_64
ea-ruby24-rubygem-passenger-6.0.6-2.2.13.cpanel.x86_64
ea-apache24-tools-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-calendar-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-posix-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_cgi-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-odbc-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_mpm_prefork-2.4.46-2.4.1.cpanel.x86_64
ea-apache24-mod_ruid2-0.9.8-19.19.10.cpanel.x86_64
ea-apache24-mod_ssl-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-mcrypt-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-bcmath-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_wsgi-4.6.5-2.2.17.cpanel.x86_64
ea-php71-php-litespeed-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-devel-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-zip-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_bwlimited-1.4-47.49.17.cpanel.x86_64
ea-apache24-mod_proxy_ajp-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-pdo-7.1.33-8.8.7.cpanel.x86_64
ea-libcurl-7.73.0-1.1.1.cpanel.x86_64
ea-apache24-mod_headers-2.4.46-2.4.1.cpanel.x86_64
ea-apache24-mod_expires-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-xml-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-imap-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-ftp-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-sockets-7.1.33-8.8.7.cpanel.x86_64
ea-php71-php-cli-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_proxy_wstunnel-2.4.46-2.4.1.cpanel.x86_64
ea-php71-php-curl-7.1.33-8.8.7.cpanel.x86_64
ea-php71-pear-1.10.7-4.6.10.cpanel.noarch
ea-php71-php-gd-7.1.33-8.8.7.cpanel.x86_64
ea-apache24-mod_proxy-2.4.46-2.4.1.cpanel.x86_64
ea-apache24-mod_security2-2.9.3-7.7.7.cpanel.x86_64
ea-apache24-mod_proxy_http-2.4.46-2.4.1.cpanel.x86_64
ea-ruby24-mod_passenger-6.0.6-2.2.13.cpanel.x86_64
---------------------- yum End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
devtmpfs 992M 0 992M 0% /dev
/dev/vda1 40G 14G 27G 35% /
/dev/loop0 1.6G 2.7M 1.5G 1% /tmp
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
With Logwatch the possibilities to customize the volume and the format of the data that you receive are of course virtually endless.