Logwatch is a simple log analysis tool provided with most Linux distributions. A daily scheduled cron job parses the various system logs and sends a log summary to the root user or a defined destination email address.
- Red Hat Enterprise Linux (RHEL) or Debian based distributions (CentOS, Fedora, Ubuntu, etc).
Logwatch, if not already available, can be installed on CentOS or RHEL using YUM.
yum -y install logwatch
Install on Ubuntu or Debian with
apt-get -y install logwatch
Note: Logwatch requires a functional mail system to deliver the log summary. The package management system will typically handle this dependency, but additional configuration may be necessary if the host is unable to send email.
The email report will be delivered to the local
root user by default. To specify an alternate email address, create a new file called
/etc/logwatch/conf/logwatch.conf and add the following line.
MailTo = [email protected]
The default log summary email will be in standard text format. The email format can be changed to HTML by setting the
Formatvalue in the same
Format = html
The email sender can be changed from Logwatch to another local user or email address by setting the
MailFrom = [email protected]
The summary includes a list of services that list can be found in the
/usr/share/logwatch/scripts/services/ directory. Those services can be excluded from the summary by prepending a hyphen to the
Service name value.
Service = All Service = "-ftpd-xferlog"
All value can also be replaced by a specific name if only that service log should be analyzed.
Additional customizations to
logwatch.conf can be found in the default global configuration file.
logwatch process can be run manually with a variety of parameters for testing purposes.
/usr/sbin/logwatch --mailto [email protected] --format html --service secure