Recipe 9.36 Summarizing Your Logs with logwatch

Previous page
Table of content
Next page

9.36.1 Problem

You want to scan your system log files for reports of problems.

9.36.2 Solution

Use logwatch, from http://www.logwatch.org. For example:

# logwatch --range all --archives --detail High --print | less

to see all the useful data logwatch can display, or:

# logwatch --print | less

to see only yesterday's entries.

9.36.3 Discussion

logwatch is a handy utility to scan system log files and display unexpected entries. Red Hat includes it but SuSE does not. If you need it, download the binary RPM from http://www.logwatch.org,[13] and install it, as root:

[13] Actually, there are no binaries: logwatch is a collection of Perl scripts. Therefore, you don't need to worry about which RPM is right for your system's architecture.

# rpm -Uhv logwatch-*.noarch.rpm

The easiest way to see what logwatch does is to run it:

$ logwatch --range all --print | less ################### LogWatch 4.2.1 (10/27/02) ####################         Processing Initiated: Sun Nov 10 20:53:49 2002         Date Range Processed: all         Detail Level of Output: 0         Logfiles for Host: myhost   ###############################################################  --------------------- Connections (secure-log) Begin ------------------------ Unauthorized sudo commands attempted (1): smith:         /usr/bin/tail -30 /var/log/maillog ---------------------- Connections (secure-log) End -------------------------  --------------------- SSHD Begin ------------------------ SSHD Killed: 2 Time(s) SSHD Started: 1 Time(s) Users logging in through sshd:         smith logged in from foo.example.com (128.91.0.3) using publickey: 1 Time(s) Refused incoming connections:         200.23.18.56: 1 Time(s) ---------------------- SSHD End ------------------------- ...

Once installed, logwatch is often run daily by cron, emailing its results to root. This is not necessarily the most secure way to do things: if your system is compromised, then you cannot trust email or logwatch itself. Like tripwire (Chapter 1), logwatch is best run on a remote machine, or from a secure medium like CD-ROM or write-protected floppy disk.

logwatch processes most but not all common log files. For the rest, you can define your own logwatch filters to parse and summarize them. [Recipe 9.37]

If logwatch seems to do nothing when you run it, be aware of the print option. By default, logwatch does not write its results on standard output: it sends them by email. Specify print to see the results on screen. Also be aware that the default range is "yesterday," which might not be what you want.

9.36.4 See Also

See logwatch(8) for full usage information or run:

$ logwatch --help

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Database Modeling with MicrosoftВ® Visio for Enterprise Architects (The Morgan Kaufmann Series in Data Management Systems)
Programming Microsoft ASP.NET 3.5
Special Edition Using Crystal Reports 10
HTI+ Home Technology Integrator & CEDIA Installer I All-In-One Exam Guide
.NET System Management Services
Quantitative Methods in Project Management
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy