Linux systems write a lot of information to log files. Typically, each system service you install will have its own log file or set of log files. This is in addition to all of the default logs that get generated, such as those from dmesg, boot log, the package manager log, etc. Inside of these files, it is common to see thousands of entries over a very small span of time.
While all this event logging proves very helpful with gathering insight into what exactly is going on in your system (especially if a problem arises), the log files will often grow massive in size and become very difficult to glance through in any effective way. For example, there could be pertinent warnings buried somewhere in the log files, but good luck finding them among the hundreds of other entries. This would be a very manual and time-consuming task.
Logwatch takes this burden off of the system administrator by monitoring the log files for you. It will keep watch over the log files that you specify, and then notify you via email whenever an entry occurs that may need your attention. Once we configure Logwatch to our liking, it will check for the events that we need to watch for, so we no longer need to do it manually. In this tutorial, we will go over the step-by-step instructions for installing and configuring Logwatch on a Linux system.
In this tutorial you will learn:
- How to install Logwatch on all major Linux distros
- How to configure Logwatch
- How to run Logwatch manually with the `logwatch` command
- How to schedule regular Logwatch monitoring with cron
Category | Requirements, Conventions or Software Version Used |
---|---|
System | Any Linux system |
Software | Logwatch |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | `#` – requires given Linux commands to be executed with root privileges either directly as a root user or by use of the sudo command; `$` – requires given Linux commands to be executed as a regular non-privileged user |
How to Install Logwatch
The first thing we will need to do is install Logwatch, since it does not come installed by default in Linux. Fortunately, it is available for installation via the default software repository of any major Linux distro.
You can use the appropriate command below to install Logwatch with your system’s package manager.
To install Logwatch on Ubuntu, Debian, and Linux Mint:
$ sudo apt update
$ sudo apt install logwatch
To install Logwatch on Fedora, CentOS, AlmaLinux, Rocky Linux, and Red Hat:
$ sudo dnf install logwatch
To install Logwatch on Arch Linux and Manjaro:
$ sudo pacman -S logwatch
You may be prompted to configure the email settings during the initial installation of Logwatch. If so, select the type of mail server that you want to use, along with the appropriate settings, such as the destination email address for Logwatch to use.
How to Configure Logwatch
With Logwatch now installed on our system, let’s go over some basic configuration so we can get started with using it to monitor our log files.
- The default configuration file for Logwatch is located at `/usr/share/logwatch/default.conf/logwatch.conf`. Instead of making changes directly to this file, we will create a copy of it and apply our edits to the new file. This ensures that future updates will not overwrite any of our settings. Here is how to copy the file to the correct location:
$ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
- Next, use nano or your preferred text editor to open the file so we can begin making changes to it:
$ sudo nano /etc/logwatch/conf/logwatch.conf
- The first setting to consider is `Output`, and we can choose between `stdout`, `mail`, and `file`. This will control whether the output of Logwatch is sent to standard out, email, or to a file, respectively. The configuration would be applied with one of the following lines:
Output = stdout
Output = mail
Output = file
Choose your preferred output method before moving on to the other settings.
- The mail configuration settings come next. You will only need to change these settings if you configured `Output = mail` in the above step.
MailTo = root
MailFrom = Logwatch
- If you chose to send the Logwatch output to a file with the `Output = file` option above, then you will need to set the `Filename` value to specify the path where Logwatch should save its output.
Filename = /tmp/logwatch
- The other setting we need to be sure to configure is `LogDir`. This setting tells Logwatch where the log files that you want to monitor are stored. We can use as many `LogDir` settings as we want, in case we have multiple directories that we need Logwatch to monitor for us.
LogDir = /var/log
LogDir = /some/other/log/path
Of course, many other settings are also present in this configuration file, but those mentioned above are some of the most important. Feel free to read through the configuration file yourself, look at the examples provided, and make necessary changes as you see fit.
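As an added example that is not part of the original tutorial, the POSIX shell snippet below reads a constructed `logwatch.conf` fragment in the `Key = value` format used above and checks the dependency the steps describe: `Output = mail` needs a `MailTo`, and `Output = file` needs a `Filename`. The sample file contents and the helper names `conf_get` and `conf_check` are constructed here, not taken from Logwatch itself.

```shell
#!/bin/sh
# Constructed sample of /etc/logwatch/conf/logwatch.conf for this example.
# Filename is deliberately left unset so the check below fails first.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# Logwatch configuration (constructed sample, not a real system file)
LogDir = /var/log
LogDir = /some/other/log/path
Output = file
MailTo = root
MailFrom = Logwatch
EOF

# conf_get FILE KEY: print every value set for KEY (one per line),
# skipping comment and blank lines and trimming whitespace around '='.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v
            }
        }' "$1"
}

# conf_check FILE: return 0 when the chosen Output has the setting it
# depends on (MailTo for mail, Filename for file), 1 otherwise.
conf_check() {
    case "$(conf_get "$1" Output)" in
        stdout) return 0 ;;
        mail)   [ -n "$(conf_get "$1" MailTo)" ] ;;
        file)   [ -n "$(conf_get "$1" Filename)" ] ;;
        *)      return 1 ;;
    esac
}

# Stand-alone demonstration: fails, then passes once Filename is added.
if conf_check "$SAMPLE_CONF"; then echo "config ok"; else echo "Output=file but Filename unset"; fi
printf 'Filename = /tmp/logwatch\n' >> "$SAMPLE_CONF"
if conf_check "$SAMPLE_CONF"; then echo "config ok"; else echo "config still incomplete"; fi
```

Running the same check against your real `/etc/logwatch/conf/logwatch.conf` before scheduling Logwatch catches the case where a report is configured to go to a file or mailbox that was never named.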
Running Logwatch
Now that Logwatch has been configured, we can use it by executing the `logwatch` command. We also recommend including some options with the command, such as `--detail` and `--range`, to specify the level of detail we want to see in the output and the date range of logs to analyze, respectively.
$ sudo logwatch --detail Low --range today
Even with just running `logwatch` on our isolated test system, we get to see some interesting results. The screenshot below shows that three new software packages were recently installed, and also displays a list of user authentications, as well as failed login attempts.
Logwatch is a simple implementation and ideal for medium sized servers and infrastructures that do not need a robust monitoring solution, but still want a way to notify staff on important events. If you need something more advanced, you may want to check out the ELK stack and additional monitoring techniques.
If we scroll down a bit further, we can see a list of commands that were run using administrator privileges:
Of course, on a production system with multiple users and constant traffic, you would likely get a lot more messages every day.
If you want to run `logwatch` on a scheduled basis, you can set up cron to do that:
$ sudo crontab -e
The following cron entry would run `logwatch` every day at midnight:
0 0 * * * logwatch --detail Low --range today
Then, check the configured directory where Logwatch output is stored in order to see what data was caught by Logwatch. Alternatively, if you configured the email option, you will receive the Logwatch report in your inbox each day.
Closing Thoughts
In this tutorial, we saw how to use Logwatch for basic security monitoring on a Linux system. This involved installing the Logwatch program, configuring it to our needs and pointing it to the log files we want to monitor, and finally the manual use of the `logwatch` command. We also learned how to set up `logwatch` inside of cron to make it run on a regular schedule. Logwatch saves administrators a lot of time and allows us to easily identify security problems that we would normally have to discover manually.