Using Logwatch for Basic Security Monitoring on Linux

Linux systems write a lot of information to log files. Typically, each system service you install will have its own log file or set of log files. This is in addition to all of the default logs that get generated, such as those from dmesg, boot log, the package manager log, etc. Inside of these files, it is common to see thousands of entries over a very small span of time.

While all this event logging proves very helpful with gathering insight into what exactly is going on in your system (especially if a problem arises), the log files will often grow massive in size and become very difficult to glance through in any effective way. For example, there could be pertinent warnings buried somewhere in the log files, but good luck finding them among the hundreds of other entries. This would be a very manual and time consuming task.

Logwatch takes this burden off of the system administrator by monitoring the log files for you. It will keep watch over the log files that you specify, and then notify you via email whenever an entry occurs that may need your attention. Once we configure Logwatch to our liking, it will check for the events that we need to watch for, so we no longer need to do it manually. In this tutorial, we will go over the step by step instructions of installing and configuring Logwatch on a Linux system.

In this tutorial you will learn:

  • How to install Logwatch on all major Linux distros
  • How to configure Logwatch
  • How to run Logwatch manually with the logwatch command
  • How to schedule regular Logwatch monitoring with cron
Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Any Linux system
Software      Logwatch
Other         Privileged access to your Linux system as root or via the sudo command.
Conventions   # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
              $ – requires given linux commands to be executed as a regular non-privileged user

How to Install Logwatch




The first thing we will need to do is install Logwatch, since it does not come installed by default in Linux. Fortunately, it is available for installation via the default software repository of any major Linux distro.

You can use the appropriate command below to install Logwatch with your system’s package manager.

To install Logwatch on Ubuntu, Debian, and Linux Mint:

$ sudo apt update
$ sudo apt install logwatch

To install Logwatch on Fedora, CentOS, AlmaLinux, Rocky Linux, and Red Hat:

$ sudo dnf install logwatch

To install Logwatch on Arch Linux and Manjaro:

$ sudo pacman -S logwatch

You may be prompted to configure the email settings during initial installation of Logwatch. If so, select the type of mail server that you want to use, along with the appropriate setting such as destination email address for Logwatch to use:

Installation screen of Logwatch asking to configure email notifications

How to Configure Logwatch




With Logwatch now installed on our system, let’s go over some basic configuration so we can get started with using it to monitor our log files.

  1. The default configuration file for Logwatch is located at /usr/share/logwatch/default.conf/logwatch.conf. Instead of making changes directly to this file, we will create a copy of it and apply our edits to the new file. This ensures that future updates will not overwrite any of our settings. Here is how to copy the file to the correct location:
    $ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
    
  2. Next, use nano or your preferred text editor to open the file so we can begin making changes to it:
    $ sudo nano /etc/logwatch/conf/logwatch.conf
    
  3. The first setting to consider is Output, and we can choose between stdout, mail, and file. This will control whether the output of Logwatch is sent to standard out, email, or to a file, respectively. The configuration would be applied as follows:
    Output = stdout
    OR
    Output = mail
    OR
    Output = file
    

    Choose your preferred output method before moving on to the other settings.

  4. The mail configuration settings come next. You will only need to mess with these settings if you configured Output = mail in the above step.
    MailTo = root
    MailFrom = Logwatch
    
  5. If you chose to send the Logwatch output to a file with the Output = file option above, then you will need to set the Filename value to specify the path where Logwatch should save its output.
    Filename = /tmp/logwatch
    
  6. The other setting we need to be sure to configure is LogDir. This setting tells Logwatch the directory in which the log files you want to monitor are stored. We can use as many LogDir settings as we want, in case we have multiple directories that we need Logwatch to monitor for us.
    LogDir = /var/log
    LogDir = /some/other/log/path
    
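The six steps above all come down to a handful of key = value lines in /etc/logwatch/conf/logwatch.conf. The script below is an added example (not part of this tutorial or of the Logwatch project) that renders just those keys into an override file and reads them back, so you can check what Logwatch will see before relying on it. Logwatch loads /usr/share/logwatch/default.conf/logwatch.conf first and then /etc/logwatch/conf/logwatch.conf on top of it, so an override file containing only the keys you change is enough; the function and variable names, and the sample log directories, are this example's own.

```sh
#!/bin/sh
# Added example: render a minimal Logwatch override file and read keys back.
# Only the keys the tutorial discusses are emitted; Logwatch takes every
# other setting from the default.conf copy.

# render_logwatch_conf OUTPUT MAILTO LOGDIR...
# Prints the override body to stdout. OUTPUT is stdout, mail or file.
render_logwatch_conf() {
    output=$1; mailto=$2; shift 2
    printf '# generated override; defaults come from default.conf\n'
    printf 'Output = %s\n' "$output"
    printf 'MailTo = %s\n' "$mailto"
    printf 'MailFrom = Logwatch\n'
    printf 'Filename = /tmp/logwatch\n'
    for dir in "$@"; do
        printf 'LogDir = %s\n' "$dir"
    done
}

# conf_get FILE KEY
# Prints every value set for KEY (LogDir may appear several times),
# ignoring comment lines and surrounding whitespace. Exits 1 if KEY is absent.
conf_get() {
    file=$1; key=$2
    awk -v k="$key" '
        /^[ \t]*#/ { next }
        {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == k) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Usage: ./logwatch-conf.sh --render > /etc/logwatch/conf/logwatch.conf
# (assumed script name; /srv/app/log is a constructed second log directory)
if [ "${1-}" = "--render" ]; then
    render_logwatch_conf mail root /var/log /srv/app/log
fi
```

Run the script with --render and inspect the result with conf_get before pointing Logwatch at it; a LogDir that does not exist is silently ignored by Logwatch, so confirming the rendered directories is worth the extra step.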

Of course, many other settings are also present in this configuration file, but those mentioned above are some of the most important. Feel free to read through the configuration file yourself, look at the examples provided, and make necessary changes as you see fit.

Running Logwatch

Now that Logwatch has been configured, we can utilize it by executing the logwatch command. We also recommend including some options with the command such as --detail and --range to specify the level of detail we want to see in the output and the date range of logs to analyze, respectively.

$ sudo logwatch --detail Low --range today

Even with just running logwatch on our isolated test system, we get to see some interesting results. The screenshot below shows that three new software packages were recently installed, and also displays a list of user authentications, as well as failed login attempts.

Logwatch output showing package changes and user auth sessions
NOTE
Logwatch is a simple implementation and ideal for medium sized servers and infrastructures that do not need a robust monitoring solution, but still want a way to notify staff on important events. If you need something more advanced, you may want to check out the ELK stack and additional monitoring techniques.

If we scroll down a bit further, we can see a list of commands that were run using administrator privileges:

Logwatch output showing which commands have been run as sudo

Of course, on a production system with multiple users and constant traffic, you would likely get a lot more messages every day.
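The failed-login and sudo sections in the screenshots above are Logwatch's summaries of sshd and sudo lines from the system auth log. As an added example (not Logwatch's own code and not from this tutorial), the script below builds the same two summaries from a handful of constructed auth.log lines, which makes clear what the report is counting and lets you reproduce a number from the report by hand when something looks off. The sample log lines, host name and addresses are constructed for the example.

```sh
#!/bin/sh
# Added example: summarise failed SSH logins and sudo commands from
# syslog-style auth.log lines, the way a Logwatch report does.

# Constructed sample input (not real log data).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 5222 ssh2
Mar  3 10:01:15 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 5224 ssh2
Mar  3 10:02:40 host sshd[1003]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar  3 10:03:01 host sshd[1005]: Accepted password for alice from 198.51.100.7 port 40115 ssh2
Mar  3 10:05:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:06:02 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
EOF
)

# failed_logins: reads log lines on stdin, prints "<user> <count>" per user.
# "invalid user NAME" lines are attributed to NAME, matching how the report
# groups attempts against accounts that do not exist.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++)
            if ($i == "for") { u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); break }
        n[u]++
    }
    END { for (u in n) print u, n[u] }' | sort
}

# sudo_commands: reads log lines on stdin, prints "<user>: <command>" for
# every command executed through sudo.
sudo_commands() {
    awk '/ sudo: / {
        sub(/^.* sudo: +/, "")          # drop timestamp, host and program
        user = $1
        idx = index($0, "COMMAND=")
        if (idx) print user ": " substr($0, idx + 8)
    }'
}

# Usage against the real log (Debian/Ubuntu path; RHEL-family uses /var/log/secure):
#   sudo sh -c '. ./auth-summary.sh; failed_logins < /var/log/auth.log'
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins
    printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands
fi
```

On the sample input the first function reports two attempts against the non-existent admin account and one against alice, and the second lists one sudo command each for alice and bob; on a real auth log the same two functions give you the raw counts behind the Logwatch sections.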

If you want to run logwatch on a scheduled basis, you can set up cron to do that:

$ sudo crontab -e

The following cron entry would run logwatch every day at midnight:

0 0 * * * logwatch --detail Low --range today

Then, check the configured directory where Logwatch output is stored in order to see what data was caught by Logwatch. Alternatively, if you configured the email option, you will receive the Logwatch report in your inbox each day.
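When the scheduled run writes to a file, a single fixed Filename is overwritten every night, so there is no history to compare against. The wrapper below is an added example (not from this tutorial or from Logwatch) that writes each run to a dated file and keeps only the most recent reports. The logwatch options it passes (--output, --filename, --detail, --range) are real Logwatch options; the report directory, script path and retention count are assumptions for the example. It also uses --range yesterday rather than today: at midnight, today covers only the minutes since midnight, while yesterday covers the full previous day.

```sh
#!/bin/sh
# Added example: daily Logwatch run into a dated report file with retention.

# report_path DIR DATE
# Prints the report file name for DATE (YYYY-MM-DD) inside DIR.
report_path() {
    printf '%s/logwatch-%s.txt\n' "$1" "$2"
}

# prune_reports DIR KEEP
# Deletes all but the newest KEEP report files in DIR. Date-stamped names
# sort chronologically, so the shell's sorted glob expansion gives us the
# order for free without parsing ls output.
prune_reports() {
    dir=$1; keep=$2
    set -- "$dir"/logwatch-????-??-??.txt
    [ -e "$1" ] || return 0            # no reports yet, nothing to prune
    n=$(($# - keep))
    for f in "$@"; do
        [ "$n" -gt 0 ] || break
        rm -f "$f"
        n=$((n - 1))
    done
}

# run_daily_report DIR [KEEP]
# Runs logwatch for the previous day into DIR, then applies retention.
run_daily_report() {
    dir=$1; keep=${2:-30}
    mkdir -p "$dir"
    out=$(report_path "$dir" "$(date +%Y-%m-%d)")
    logwatch --detail Low --range yesterday --output file --filename "$out"
    prune_reports "$dir" "$keep"
}

# Root crontab entry (assumed install path for this script):
#   0 0 * * * /usr/local/sbin/logwatch-daily.sh --run
if [ "${1-}" = "--run" ]; then
    run_daily_report /var/log/logwatch-reports 30
fi
```

Keep the report directory readable only by root, since the reports reproduce authentication details and sudo command lines from the logs; with 30 days retained you can diff today's report against an earlier one to spot a new run of failed logins or an unfamiliar sudo command.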



Closing Thoughts

In this tutorial, we saw how to use Logwatch for basic security monitoring on a Linux system. This involved installing the Logwatch program, configuring it to our needs and pointing it to the log files we want to monitor, and finally the manual use of the logwatch command. We also learned how to set up logwatch inside of cron to make it run on a regular schedule. Logwatch saves administrators a lot of time and allows us to easily identify security problems that we would normally have to discover manually.


