Use logwatch to monitor log files in Linux

Use logwatch to monitor log files in Linux

Linux operating systems and many applications create special files to record their running events. These files are often called "logs ". These system logs or specific application log files are essential tools for understanding the behavior of operating systems or third-party applications or troubleshooting. However, log files are not as readable as they are "clear" or "easy. Analyzing original log files manually is a waste of time and tedious. For this reason, the system administrator may find that any tool that can convert the original log file into a more user-friendly record summary will benefit a lot.

Logwatch is an open-source log parsing analyzer written in Perl. It can parse the original log files and convert them into structured documents. It can also customize reports based on your usage and needs. The main purpose of logwatch is to generate a log digest that is easier to use. It is not used to process and monitor logs in real time. Because of this, logwatch is usually configured with automatic scheduled tasks of Time and Frequency to schedule running or manually run from the command line when log processing is required. Once a log report is generated, logwatch can send it to you by email. You can save it as a file or directly display it on the screen.

The details and coverage of Logwatch reports are completely customizable. Logwatch's log processing engine is also scalable. In a sense, if you want to use the logwatch function in a new application, you only need to write a log processing script for the log file of this application using the Perl language), and then mount it to logwatch.

One bad thing about logwatch is that there is no detailed timestamp information in the report generated by logwatch, which exists in the original log file. You can only know the specific events recorded within a period of time. If you want to know the precise time point information, you have to view the original log file.

Install Logwatch

In the Debian system or its derived system:

 
 

  
  
# aptitude install logwatch 
 
 

On the Red Hat-based release system:

 
 

  
  
# yum install logwatch 
 
 

Configure Logwatch

During installation, the main configuration file logwatch. conf is put/Etc/logwatch/confDirectory. This file is empty by default.) The definition setting option overwrites the system-level settings defined in the/usr/share/logwatch/default. conf/logwatch. conf file.

Start logwatch in the command line. If the parameter is not included, the options defined in the/etc/logwatch/conf/logwatch. conf file will be used. However, if you specify parameters, they will overwrite any default/custom settings in the/etc/logwatch/conf/logwatch. conf file.

In this article, we will edit the/etc/logwatch/conf/logwatch. conf file to customize some default settings.

 
 

  
  
Detail = <Low, Med, High, or number>
 
 

The "Detail" configuration command controls the details of the logwatch report. It can be a positive integer, or a High, Med, or Low number representing 10, 5, and 0 respectively.

 
 

  
  
MailTo = youremailaddress@yourdomain.com
 
 

If you want to mail a logwatch report to you, use the "MailTo" configuration command. To send a report to multiple users, you only need to open their email addresses in an empty box and configure them. However, you must configure the local email transmission proxy MTA on the server where logwatch runs, such as sendmail and Postfix.

 
 

  
  
Range = <Yesterday|Today|All>
 
 

The "Range" configuration command defines the time period for generating a logwatch report. The optional values of this command are Yesterday, Today, and All. When "Rang = All" is applied, the "Archive = yes" command item must also be configured. All archived log files (for example, /var/log/maillog,/var/log/maillog. X or/var/log/maillog.X.gz files) will be processed.

In addition to these general range values, you can also select values for complex points, as shown below:

• Range = "2 hours ago for that hour"
• Range = "-5 days"
• Range = "between-7 days and-3 days"
• Range = "since September 15,201 4"
• Range = "first Friday in October"
• Range = "2014/10/15 12:50:15 for that second"

To use the free range in the preceding example, You need to download and install the Perl Date: Manip module from CPAN Note: Comprehensive Perl Archive Network. For more information about installing the CPAN module, see this post.

 
 

  
  
Service = <service-name-1>
  
  
Service = <service-name-2>
  
  
. . .
 
 

The "Service" option specifies one or more services to be monitored. All services listed in the/usr/share/logwatch/scripts/services Directory can be monitored. They already cover important system services such as pam, secure, iptables, and syslogd ), it also covers some mainstream application services such as sudo, sshd, http, fail2ban, and samba. If you want to add a new service to the list, you must write a corresponding log processing Perl script and put it in this directory.

If this option is used to select a specific Service, You Need To comment out the "Service = All" line in the/usr/share/logwatch/default. conf/logwatch. conf file.

 
 

  
  
Format = <text|html>
 
 

The "Format" configuration command defines the Format of a logwatch report, such as text or HTML ).

 
 

  
  
Output = <file|mail|stdout>
 
 

The "Output" configuration command defines the destination of the generated logwatch report to be sent. It can be saved as a file) to generate an email) or display stdout directly on the screen ).

Use Logwatch to analyze log files

To understand how to use logwatch to analyze log files, refer to the following logwatch. conf file example:

 
 

  
  
Detail = High
  
  
MailTo = youremailaddress@yourdomain.com
  
  
Range = Today
  
  
Service = http
  
  
Service = postfix
  
  
Service = zz-disk_space
  
  
Format = html
  
  
Output = mail
 
 

With these settings, logwatch will process the logs generated on the day of the three application services http, postfix, and zz-disk_space, generate a very detailed HTML format report, and then mail it to you.

If you do not want to personalize/etc/logwatch/conf/logwatch. conf, do not modify this file to make it default, and then run the following command in the command line. The same output is also obtained.

 
 

  
  
# logwatch --detail 10 --mailto youremailaddress@yourdomain.com --range today --service http --service postfix --service zz-disk_space --format html --output mail 
 
 

The report sent by email is as follows:

This email header contains a link pointing to the details of the report. The "Back to Top" link is also available for each selected service details.

You may use this option to send reports by email when few recipients are received. In other cases, you may generate an HTML report, so that everyone who wants to see the report can see it through network sharing. You only need to make some modifications to the configuration in the above example:

 
 

  
  
Detail = High
  
  
Range = Today
  
  
Service = http
  
  
Service = postfix
  
  
Service = zz-disk_space
  
  
Format = html
  
  
Output = file
  
  
Filename = /var/www/html/logs/dev1.html
 
 

Similarly, you can run the following command in the command line.

 
 

  
  
# logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /var/www/html/logs/dev1.html 
 
 

Finally, let's use cron to configure the regular execution task of logwatch. In the example below, the logwatch scheduling task will be run at pm every working day.

 
 

  
  
# crontab -e 
 
 

 
 

  
  
15 12 * * 1,2,3,4,5 /sbin/logwatch
 
 

I hope this will be helpful. Welcome to comments in the community or share your experiences and experiences!

Via: http://xmodulo.com/monitor-log-file-linux-logwatch.html

Author: Gabriel cánepa Translator: runningwater Proofreader: wxy