Getting more out of logwatch
May 11, 2010
Watching your logs is a must for every administrator, but when vast amounts of information arrive at once it is easy to miss things. Serving the information in bite-sized pieces makes it easier to spot what matters.
Here at Loco we keep an eye on our servers like they are small children playing near a pool of crocodiles. We have reporting systems running that will scream when we are bitten, but we also want to be informed when there has been a light nibble; for those, a report once a day is enough for us.
The things we only want to know about once a day are the non-urgent ones. One example is the HTTP logs, which let us spot when customers have registered new domain names but forgot to tell us. Others are the amount of spam we blocked, disk space statistics and similar items.
The standard program on many Linux systems for doing exactly this is called logwatch.
logwatch comes with a lot of standard plugin scripts for chewing through log files and reporting the results. You can tell logwatch to report at various levels of detail. For a quick overview the minimum detail level is enough, but sometimes we like to zoom in on a particular service. We do that by running logwatch for just that service at a higher detail level, preferably from cron:
/usr/sbin/logwatch --service sshd --detail medium --output=unformatted
This will scan the sshd logs and report at the medium detail level. The output is sent with minimal markup. Another output format that you might prefer is HTML, although in our opinion the unformatted output is usually a lot more readable.
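The per-service, cron-driven setup described above, as an added example that is not the post's own script: each service gets its own logwatch run at its own detail level and its own small report file. The logwatch path, the REPORT_DIR location and the "service:detail" argument format are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: run logwatch once per
# service, each at its own detail level, and keep one small report per
# service.  Assumed: logwatch lives at /usr/sbin/logwatch (override with
# LOGWATCH) and REPORT_DIR is writable; both names are this script's own.

LOGWATCH=${LOGWATCH:-/usr/sbin/logwatch}
REPORT_DIR=${REPORT_DIR:-/var/tmp/logwatch-reports}

# Split a "service:detail" spec; detail defaults to "low" when omitted.
pair_service() { printf '%s\n' "${1%%:*}"; }
pair_detail()  { case $1 in *:*) printf '%s\n' "${1#*:}" ;; *) echo low ;; esac; }

# Run logwatch for every spec given, writing <service>.txt into REPORT_DIR.
# Returns non-zero when the directory cannot be created or any run fails.
run_reports() {
    failures=0
    mkdir -p "$REPORT_DIR" || return 1
    for spec in "$@"; do
        service=$(pair_service "$spec")
        detail=$(pair_detail "$spec")
        out="$REPORT_DIR/$service.txt"
        # Same flags as the post's command line, one service per run.
        if ! "$LOGWATCH" --service "$service" --detail "$detail" \
                         --output=unformatted >"$out" 2>&1; then
            failures=$((failures + 1))
            echo "logwatch failed for $service (see $out)" >&2
        fi
    done
    return "$failures"
}

# Invoked from cron, e.g. once a day at 06:00 (paths are assumptions):
#   0 6 * * * /usr/local/sbin/daily-logwatch sshd:medium http:low postfix:low
if [ $# -gt 0 ]; then
    run_reports "$@"
fi
```

Each report lands in its own file, so a failing or noisy service never drowns out the others in a single mail.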