1. Introduction
When maintaining a Linux server it is often necessary to look at the logs of the various services on the system (login history, mail, software installation and so on) to check how the server is running. Doing this by hand is inconvenient for an administrator, and most of the time it is a passive check: only when you notice the system misbehaving do you think of consulting the logs for information about the problem. Being able to analyse these logs actively and centrally, generate reports, and send them to the administrator on a schedule is therefore quite important.
Logwatch is an open source log parser and analyzer written in Perl. It parses raw log files, converts them into structured output, and lets you customize the report to your usage and requirements. Its main purpose is to generate easy-to-read log digests, not to process or monitor logs in real time. Because of this, Logwatch is usually run either by a scheduled task at a fixed time and frequency or manually from the command line. Once the report is generated, Logwatch can mail it to you, save it to a file, or display it directly on the screen.
Both the level of detail and the coverage of the Logwatch report are fully customizable. Logwatch's log processing engine is also extensible: to use Logwatch with a new application, write a log processing script (in Perl) for that application's log file and hook it into Logwatch.
One limitation of Logwatch is that the report it generates contains no detailed timestamps; those exist only in the original log file. The report tells you which events were recorded during a period, and if you need the exact time you have to consult the original log.
2. Installation and configuration instructions
2.1 Installation
Installing Logwatch is very simple on both Debian and Red Hat based systems:
# apt-get install logwatch        # Debian, Ubuntu, etc.
# yum install logwatch -y          # Red Hat, CentOS, etc.
The following content is based on CentOS 6.x; the differences on other systems are minor.
2.2 Configuration
2.2.1 Configuration file Description
Directory layout after installation:
/usr/share/logwatch
    default.conf/          # configuration directory
        logwatch.conf      # master configuration: recipients, detail level, etc.
        logfiles/          # defines the log file group of each service to be parsed, paths relative to /var/log (*.conf)
        services/          # configuration for each service whose logs you want analysed (*.conf)
    scripts/               # executable scripts
        logwatch.pl        # the Perl script that starts the analysis; /usr/sbin/logwatch is a symlink to it
        logfiles/          # may contain one subdirectory per log file group; scripts in that subdirectory run automatically when the corresponding log group is processed
        services/          # the Logwatch service filter scripts, one per service
        shared/            # scripts shared by several Logwatch services
    dist.conf/
        logfiles/
        services/
    lib/
By default /usr/share/logwatch/default.conf/logwatch.conf is the primary configuration file, but any option present in /etc/logwatch/conf/logwatch.conf overrides it (the file under /usr/share/logwatch still applies for any option not set in /etc/logwatch/conf/logwatch.conf). Options given on the command line have the highest priority of all.
A directory structure similar to /usr/share/logwatch exists under /etc/logwatch, and that is where you add your own custom log monitoring.
From the directory structure above you can roughly see how Logwatch works: it first determines which services to process, reads from each service's configuration which log file group it needs, feeds those files through the service's filter script, and finally formats and outputs the filtered result. For the internal details, see the third reference.
2.2.2 Edit Configuration
Detailed configuration instructions are in the file /usr/share/doc/logwatch-7.3.6/HOWTO-Customize-LogWatch.
I personally prefer to manage configuration files under /etc/logwatch/, but do not want two configuration files in effect at the same time, so back up /usr/share/logwatch/default.conf/logwatch.conf and then symlink it to /etc/logwatch/conf/logwatch.conf:
ln -s /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
Try running logwatch --service sshd --print to get a feel for the output. Next, modify the defaults in /etc/logwatch/conf/logwatch.conf to personalise a few settings.
Log analysis detail level
Detail = <Low, Med, High, or a number>
The Detail directive controls the level of detail of the Logwatch report. It can be a positive integer, or one of High, Med or Low, which stand for 10, 5 and 0 respectively. Here it is set to High. (Values are case-insensitive in the configuration file.)
Report recipients
MailTo = youremailaddress@yourdomain.com
MailFrom = youremailaddress@yourdomain.com
MailTo specifies the recipient of the Logwatch report; to send the report to several users, separate their e-mail addresses with spaces or commas. Logwatch assumes you have a working local mail server (sendmail or postfix) that can deliver to those mailboxes.
MailFrom, as the name suggests, specifies the sender. It can be a full e-mail address or a local user on the server such as root (some mail servers do not display a sender alias).
Mail client used to send the report
Mailer = "sendmail -t"
The default is sendmail (the sendmail command, not necessarily the sendmail server), and this is generally fine. My environment is a little special: the mail server requires SMTP authentication to send mail and does not accept anonymous delivery from a local MTA, and I have not found how to configure an SMTP user and password for sendmail (if you know, please tell me). So I switched to Mailer = "mailx -t" and set the from, smtp, smtp-auth-user, smtp-auth-password and smtp-auth parameters in /etc/mail.rc. The problem with mailx, however, is that when the report format is set to HTML you cannot set the mail headers, so Foxmail cannot render the HTML body. I tried sendEmail as well, without a good result.
Most people's setups are not this complicated; all that is really needed is a sending client. I learned online that mutt combined with msmtp solves the problem:
# yum install -y mutt        # mutt does not actually have to be installed
# tar jxvf msmtp-1.4.16.tar.bz2 && cd msmtp-1.4.16
# ./configure && make && make install
# vi ~/.msmtprc
account default
host your.smtp-server.com
from username@smtp-server.com
auth login
user username
password your_auth_pwd
logfile ~/msmtp.log
# If you send with mutt, you also need to configure ~/.muttrc
Then change the mailer to Mailer = "msmtp -t".
Output format
Output = <mail, html or unformatted>
By default no output format is specified (plain text): the administrator sees the report as plain text in a mail client such as Foxmail, which is simpler and saves bandwidth. It can be set to html, in which case the report is a friendly page with clickable links.
When Save = /tmp/logwatch is set, the report is not mailed but saved to that file in the format given by Output.
Some articles mention a Format option; in my tests with version 7.3.6 it had no effect.
Time range of the collected logs
Range = <Yesterday | Today | All>
The Range directive defines the time period for which Logwatch generates its report. Its usual values are Yesterday, Today and All. When Range = All is in effect, Archives = Yes must also be set so that all archived log files (for example /var/log/maillog and /var/log/maillog-20150111) are processed.
If we collect daily via crontab, reporting only Yesterday's or Today's logs is enough.
Which services' logs are collected
Service = <service-name-1>
Service = <service-name-2>
...
The Service option specifies one or more services to monitor. Any service with a script under /usr/share/logwatch/scripts/services can be monitored; these already cover the important system services (pam, secure, iptables, syslogd, etc.) as well as mainstream applications such as sudo, sshd, http, fail2ban and samba. To add a new service to the list, write a Perl script that processes its log and put it in this directory.
For comprehensive log analysis, Logwatch recommends that most people use Service = All and then exclude the logs they do not want monitored by adding Service = "-service_name" entries. Of course, not every scripted service runs on a given server, and some produce no logs.
Specifying Logwatch options on the command line
If you do not want to personalise /etc/logwatch/conf/logwatch.conf, leave the file at its defaults and run a command like the following instead:
# logwatch --detail High --mailto youremailaddress@yourdomain.com --range today \
>   --service sshd --service postfix --service zz-disk_space --service -zz-network \
>   --output mail
Complete logwatch.conf example
LogDir = /var/log
TmpDir = /var/cache/logwatch
Print = No
Range = Yesterday
Detail = High
MailTo = zhouxiao@tp-link.net
MailFrom = itsection@tp-link.net
Mailer = "msmtp -t"
Output = html
Service = All
Service = "-zz-network"
Service = "-zz-sys"
Service = "-eximstats"
3. Extensions
3.1 cron.daily
In the cron task directory you will find /etc/cron.daily/0logwatch:
#!/bin/bash
# Read the DailyReport option from the default logwatch.conf (first match only,
# with the "DailyReport =" prefix stripped off).
DailyReport=`grep -e "^[[:space:]]*DailyReport[[:space:]]*=[[:space:]]*" /usr/share/logwatch/default.conf/logwatch.conf | head -n1 | sed -e "s|^\s*DailyReport\s*=\s*||"`

# Run the daily report unless it was explicitly disabled with DailyReport = No.
if [ "$DailyReport" != "No" ] && [ "$DailyReport" != "no" ]
then
    logwatch
fi
If DailyReport = No is explicitly set in logwatch.conf, the daily Logwatch task is cancelled. To change when the cron.daily job runs, either delete 0logwatch and add your own entry to /etc/crontab, or modify START_HOURS_RANGE in /etc/anacrontab.
So Logwatch is not a tool that raises a timely alarm on log anomalies: by default it sends one consolidated mail per day, which is not prompt (installing a Perl CPAN module allows finer control over when logwatch runs; see the first reference).
3.2 Customizing the logs you want to monitor
A simple example shows how to configure a custom Logwatch service.
First create the Logwatch log file group
/etc/logwatch/conf/logfiles/test.conf:
LogFile = /path/to/your/logfile
LogFile = /path/to/your/second/logfile
Then create the Logwatch service configuration file
/etc/logwatch/conf/services/test.conf:
Title = "Test"      # caption of this section in the report
LogFile = test      # name of the log file group, normally the file name part of the corresponding logfiles/*.conf
Create the Logwatch service filter script
/etc/logwatch/scripts/services/test:
#!/bin/bash
grep -i ERROR
The script above filters the lines containing ERROR out of the log file. Finally, make the new script executable:
chmod +x /etc/logwatch/scripts/services/test
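As an added example (not from the original post), a slightly richer filter script for the same /etc/logwatch/scripts/services/test: instead of echoing every matching line, it counts the ERROR lines and, when the Detail level is Med or higher, groups repeated messages with their counts. It relies on Logwatch feeding the log file group on stdin and exporting the configured Detail level as LOGWATCH_DETAIL_LEVEL; the syslog-style line prefix it strips is an assumption about the log format.

```shell
#!/bin/bash
# Added example Logwatch service filter script (not the project's own code).
# Logwatch pipes the lines of the service's log file group to this script on
# stdin and puts whatever it prints into the report; the configured Detail
# level is exported as LOGWATCH_DETAIL_LEVEL (0 = Low, 5 = Med, 10 = High).

# Print a digest of the lines containing "error" (case-insensitive): the total
# count, plus, at Detail >= 5, each distinct message with its own count.
# The syslog-style prefix "Mon DD HH:MM:SS host " is stripped so that repeats
# of the same message group together (that prefix format is an assumption).
summarize_errors() {
    local detail="${LOGWATCH_DETAIL_LEVEL:-0}"
    local errors total
    errors=$(grep -i 'error' || true)      # grep exits 1 when nothing matches
    if [ -z "$errors" ]; then
        return 0                            # nothing to report: empty section
    fi
    total=$(printf '%s\n' "$errors" | grep -c .)
    printf '%d line(s) containing ERROR\n' "$total"
    if [ "$detail" -ge 5 ]; then
        printf '%s\n' "$errors" \
            | sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //' \
            | sort | uniq -c | sort -rn \
            | awk '{ n = $1; $1 = ""; sub(/^ /, ""); printf "   %5d  %s\n", n, $0 }'
    fi
}

# Logwatch always exports LOGWATCH_DETAIL_LEVEL, so act as a filter only then;
# when the file is sourced for testing, only the function is defined.
if [ -n "${LOGWATCH_DETAIL_LEVEL:-}" ]; then
    summarize_errors
fi
```

To try it by hand outside Logwatch, run `LOGWATCH_DETAIL_LEVEL=10 /etc/logwatch/scripts/services/test < /path/to/your/logfile`.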