How to Monitor System Log Files in CentOS using LogWatch

How to Monitor System Logs in CentOS using LogWatch

LogWatch is a Perl-based log management tool that analyses a server’s log files and generates a daily report which summarises and reports on your system’s log activity. It does not provide real-time alerts but instead is most often used to send a short daily digest of server’s log activity to a system administrator.

The LogWatch tool provides an effective and transparent way for you to parses through your system’s logs and displays pre-filtered messages to monitor your system. LogWatch can monitor your remaining disk space, report faulty logins attempts to security-relevant services or simply to see the status of the last installed or modified packages in the package management and more. It is fully customisable and you can change the monitored services or log files very easily.

In this guide, we will show you how to monitor your system’s log files by installing LogWatch and its required dependencies on CentOS 7 and CentOS 8. Additionally, we will also show you how to configure LogWatch to change the monitored log directories, change the daily digest receive to sent via email or directly to file, edit the range and level of detail used in the daily digest, configure additional service monitoring and set up LogWatch via crontab to automatically run at a predetermined time.

TIP Logwatch is a harmless, light weight application which should not interfere with your current services or workload. However, as always, we would recommended that you test it on a new system and make sure to take backups.

Install LogWatch on CentOS 7

Firstly, before installing LogWatch you’ll need to ensure that your CentOS 7 system is up to date. You can check for any system or software updates and install them using the following commands.

yum check-update
yum update -y

The Logwatch tool consists of various Perl scripts and required related dependencies and we will be installing Logwatch on CentOS 7 using the yum package manager. The yum package manager will ensure that the required packages and dependencies are automatically installed. At the time of writing the latest version of LogWatch is v7.5.3 and can be installed using the following command.

yum install -y logwatch

That’s it. You have now successfully installed Logwatch and its required dependencies on CentOS 7. Now you can move onto the Configure Logwatch section.

Install LogWatch on CentOS 8

Firstly, before installing LogWatch you’ll need to ensure that your CentOS 8 system is up to date. You can check for any system or software updates and install them using the following commands.

yum check-update
yum update -y

The Logwatch tool consists of various Perl scripts and required related dependencies and we will be installing Logwatch on CentOS 8 using the dnf package manager. The dnf package manager will ensure that the required packages and dependencies are automatically installed. At the time of writing the latest version of LogWatch is v7.5.3 and can be installed using the following command.

dnf install -y logwatch

That’s it. You have now successfully installed Logwatch and its required dependencies on CentOS 8. Now you can move onto the Configure Logwatch section.

Configure LogWatch on CentOS

The default configuration file for LogWatch is located in the /usr/share/logwatch/default.conf/ folder. The config file contains all the information required by LogWatch such as which directories to track, how the daily digest should be look, where the daily digest should be sent and which services it should monitor.

The following settings are the most common configuration changes that most user will need to make. To edit the LogWatch configuration file settings you will need to use your preferred text editor. In our example we will be using the nano text editor.

nano /usr/share/logwatch/default.conf/logwatch.conf

Edit the Monitored Log Directories

By default, the daily Logwatch digests will include all logs files in the /var/log folder. If you want to monitor any other directories which contain log files, such as website directories, you can monitor them by adding the log location to the LogDir line.

LogDir = /var/log
LogDir = /var/www/example.com/logs

Edit the Email LogWatch Digest

The daily Logwatch digest can be sent to local users or external email addresses in plain text or HTML formats. To set the Logwatch digest output to be emailed you will need to change the Output value to mail. If you want to receive the emails in a HTML format you will need to change Format value to html.

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
#Output = stdout
Output = mail
#To make Html the default formatting Format = html
#Format = text
Format = html

You can change where the daily Logwatch digest output is emailed by changing the MailTo value to to a valid email address, or to a local user. Example: MailTo = sysadmin@mydomain.com. If you want to change the email address where the Logwatch digest output is sent you will need to change the MailFrom value to a valid email address, or to a local user. Example: MailFrom = sysadmin@mydomain.com.

TIP The default settings for the MailTo and MailFrom values, root and Logwatch respectively can be left as the default values to use the system default email address.
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root
# When using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch

Save the Daily LogWatch Digest to File

Alternatively, you may want to have the Daily LogWatch Digest saved as a file on your server. To set the Logwatch digest output to be saved as file you will need to change the Output value to file.

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
#Output = stdout
Output = file

Now you will need to set your filename for the Daily LogWatch Digest. You will need to find and uncomment the Filename value and then set the path and your desired filename to save your Logwatch digests.

# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch
Filename = /tmp/mylogwatchfile

Edit LogWatch Digest Range and Report Detail

You can customise the range that LogWatch will parse log file from. The default Range setting is yesterday. However, you can change the options to All (all available since the beginning), Today (just today) or Yesterday (just yesterday).

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

You can customise the level of detail included in the daily LogWatch report. The higher the setting the longer and more detailed the output will be. The default Detail setting is Low. However, you can change the options to High, Med or Low.

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Med

LogWatch Monitored Services

By default, Logwatch covers a wide range of different services that it monitors. The configuration files for monitored services are located in the /usr/share/logwatch/scripts/services directory. If you would like to see a full list of monitored services, you can query the contents of the directory using the following command.

ls -l /usr/share/logwatch/scripts/services

As you can see the directory consists of vast amount of configured services to be monitored such as SSHD, HTTP, disk and network usage, etc. You can use these configuration files for each service to change the service that LogWatch will analyse and report on.

The default Service setting is All, meaning it analyses all available services. However, you can change the options to add or remove different services in the LogWatch configuration file.

nano /usr/share/logwatch/default.conf/logwatch.conf

Now you will need to remove the default Service setting by commenting out (add #) that line and then add the services you want to analyse and report on.

# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
#Service = All
Service = sendmail
Service = http
Service = identd
Service = sshd2
Service = sudo

Configure Home Directory, Disk Usage and Mail Monitoring

We can configure LogWatch to monitor additional services such as the size of the server home directory, amount of disk space used and mail spool size using the monitored services options. To add additional monitoring for home directory, amount of disk space used and mail spool size you will need to edit the following file.

nano /usr/share/logwatch/default.conf/services/zz-disk_space.conf

Now you will need to uncomment (remove the #) to enable monitoring and save the file.

# disk report options
# Uncomment this to show the home directory sizes
$show_home_dir_sizes = 1
$home_dir = "/home"
 
# Uncomment this to show the mail spool size
$show_mail_dir_sizes = 1
$mail_dir = "/var/spool/mail"
 
# Uncomment this to show the system directory sizes /opt /usr/ /var/log
$show_disk_usage = 1

Run LogWatch Manually

Logwatch can be run manually at any time by using the logwatch command. This command can be appended with a number of options to change the default output to suit your needs, below are the available options. Unless you specify an option when using the logwatch command, it use the settings from the configuration file.

logwatch  [--detail  level  ] [--logfile log-file-group ] [--service service-name ] [—print] [--mailto address ] [--archives] [--range range  ]  [--debug  level  ]  [--save  file-name  ] [--logdir  directory ] [--hostname hostname ] [--splithosts] [--multiemail] [--output output-type ] [--numeric] [--no-oldfiles-log] [--version] [—help|--usage]

Below is a quick explanation of some of the options available and their use when used in the example logwatch --detail Low --mailto email@address.com --format html --service http --range today.

  • Detail: Defines how detailed the report will be.
  • Mailto: The local user or email address to send the report to.
  • Format: Report email format either plain text or HTML.
  • Service: The service or services that you wish to report on.
  • Range: Defines the timeframe to be used in the report.

Run LogWatch Automatically

Logwatch runs automatically via a daily cron entry in /etc/cron.daily directory. The cron will query all running services and associated log files. The log files are then processed and a report is sent to root. If you want the LogWatch tool to run at a certain time, you can remove the script file 00logwatch from the /etc/cron.daily directory. Now we can set LogWatch to run at a pre-determined time by creating a cronjob in the crontab file using the following commands.

crontab -e

Now you will need to add a cronjob for LogWatch. In the example below we have configured the cron to execute at 04:15 each day,

15 4  * * * /usr/sbin/logwatch

That’s it. You have now successfully installed Logwatch to monitor your system’s log files and its required dependencies on CentOS. Additionally, you have configured LogWatch settings to change the monitored log directories, changed the daily digest received to be sent via email or directly to file, edited the range and level of detail used in the digest, configured additional service monitoring and set up LogWatch to run automatically.

VPSBasics

VPSBasics

This guide was written by the VPS Basics editorial team, led by Gilberto Van Roosen. They are a unique blend of people who are dedicated to providing highly detailed, comprehensive and easy to follow tutorials, written in plain English. They specialise in tutorials for managing Linux servers, its software and WordPress.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CONNECT
Close

Connect

About

VPS Basics

The VPS Basics team are a unique blend of people who are dedicated to providing highly detailed, comprehensive and easy to follow tutorials, written in plain English. They specialise in tutorials for managing Linux servers, its software and WordPress.

Newsletter