Logwatch


Logwatch is a customisable, pluggable log-monitoring system.
It will parse log files for a given period of time and report on defined areas.
Reports can easily be distributed daily via email.

Installation

Installation could not be much simpler: logwatch is packaged for most Linux distributions.
Example for Debian or Ubuntu:

apt-get install logwatch

Installation should complete without any errors. Then run a quick test:
check all log files for entries from yesterday and email the result.
By default logwatch will look in /var/log for files to process.

Configuration

The default configuration files are all under /usr/share/logwatch, e.g.

$ ls -l /usr/share/logwatch/
total 16
drwxr-xr-x 5 root root 4096 May  4  2017 default.conf
drwxr-xr-x 4 root root 4096 May  4  2017 dist.conf
drwxr-xr-x 2 root root 4096 May  4  2017 lib
drwxr-xr-x 5 root root 4096 May  4  2017 scripts

Some online guides would have you edit these configuration files.
Please don’t do that - your changes will likely get overwritten at the next upgrade.
When logwatch runs, it first looks for configuration files in /etc/logwatch; if it can’t find anything there, it will look in /usr/share/logwatch/.
The correct place for local configuration files is under /etc/logwatch.

$ ls -l /etc/logwatch
total 8
drwxr-xr-x 4 root root 4096 Sep 13 08:25 conf
drwxr-xr-x 3 root root 4096 May  4  2017 scripts

So, copy the default.conf configuration to /etc/logwatch/conf and edit:

$ cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
$ vi /etc/logwatch/conf/logwatch.conf

Changes we generally make are as follows:

# send logwatch output to mail
Output = mail
# output mail addressed to
MailTo = logwatch@bespoke-it.solutions
# for completeness and to help prevent mail being treated as spam, include a from address
MailFrom = Logwatch@bits01.bespoke-it.solutions
# Process log entries from yesterday
Range = yesterday
# Medium level of detail
Detail = Med
# Process all services
Service = All

That is enough to get started.
Assuming email is working on your server, you will get an email every day, courtesy of a cron script in /etc/cron.daily/00logwatch created during the install.

$ ls -l /etc/cron.daily/00logwatch
-rwxr-xr-x 1 root root 268 Nov  3  2014 /etc/cron.daily/00logwatch

To test the configuration, simply run logwatch. After a short wait you should receive a summary of the previous day’s log entries in your inbox.

Configuring logwatch for Caddy

We recommend a) using Caddy web server and b) configuring log and error output files.
Logwatch can monitor Caddy log files with only a few simple changes.

# Copy the standard http script to /etc/logwatch and rename
# (this is the script that gets called to parse the log file)
$ cp /usr/share/logwatch/scripts/services/http /etc/logwatch/scripts/services/caddy
# Copy the http configuration files and rename
# - services/*.conf defines the service to process
$ cp /usr/share/logwatch/default.conf/services/http.conf /etc/logwatch/conf/services/caddy.conf
# - logfiles/*.conf defines the actual logfiles to process
$ cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/caddy.conf

Make a couple of simple changes to the configuration files and you’re done.

$ vi /etc/logwatch/conf/logfiles/caddy.conf

# What actual file?  
LogFile = /opt/caddy/log/access.log

# Expand the repeats (actually just removes them now)
*ExpandRepeats

# Keep only the lines in the proper date range...
*ApplyhttpDate

$ vi /etc/logwatch/conf/services/caddy.conf

###########################################################################
# Configuration file for caddy filter
###########################################################################

Title = "Caddy"

# Which logfile group...
LogFile = caddy
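
A mismatch between these three files tends to show up only as a missing section in the daily report, so it is worth checking the wiring before relying on it. The shell function below is an added example, not part of the original article or of logwatch itself; it verifies that the parser script exists, that the LogFile group named in services/caddy.conf has a matching logfiles conf, and that the log it points to is readable. The function names are illustrative, and it assumes a single absolute LogFile path as in the caddy.conf above.

```shell
#!/bin/sh
# Added example: check that a local logwatch service definition is wired up.
# conf_root is normally /etc/logwatch; function names here are illustrative.
# Usage: check_logwatch_service /etc/logwatch caddy

# Print the value of the first "Key = value" line in a logwatch conf file.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

check_logwatch_service() {
    root=$1 svc=$2 rc=0
    script="$root/scripts/services/$svc"
    svc_conf="$root/conf/services/$svc.conf"

    # 1. The parser script and the service definition must both be present.
    [ -f "$script" ] || { echo "missing parser script: $script"; rc=1; }
    [ -f "$svc_conf" ] || { echo "missing service conf: $svc_conf"; return 1; }

    # 2. services/<svc>.conf names a logfile group, which must have its own
    #    conf/logfiles/<group>.conf.
    group=$(conf_value LogFile "$svc_conf")
    [ -n "$group" ] || { echo "no LogFile group in $svc_conf"; return 1; }
    lf_conf="$root/conf/logfiles/$group.conf"
    [ -f "$lf_conf" ] || { echo "missing logfile conf: $lf_conf"; return 1; }

    # 3. The group must point at a log file that exists and is readable.
    #    Assumes one absolute path, as in the article's caddy.conf.
    log=$(conf_value LogFile "$lf_conf")
    [ -n "$log" ] || { echo "no LogFile path in $lf_conf"; return 1; }
    [ -r "$log" ] || { echo "log not readable: $log"; rc=1; }
    return "$rc"
}
```

The function returns 0 when everything lines up and prints one line per problem otherwise, so it can be dropped into a provisioning script or run by hand after editing the conf files.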