logwatch is a utility that helps you track your system’s log files, and it can monitor them on a schedule and email you a daily summary of its findings. Like most security packages, logwatch itself isn’t a magic bullet, but it can be a useful component of a secure setup. If nothing else, it can greatly reduce the amount of time you spend troubleshooting problems.
Ubuntu 16 provides a recent version of logwatch:
root@ubuntu:/# apt-cache madison logwatch
  logwatch | 7.4.2-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  logwatch | 7.4.2-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
If you don’t already have Postfix installed, running apt-get install logwatch will offer to install Postfix so that logwatch can send outgoing email. (When Postfix installs, you’d typically select “Internet Site” for your configuration.) If you’re running ufw, you probably don’t need to open 25/tcp: ufw’s default policy filters incoming connections and allows outgoing ones, and sending mail only needs an outbound connection.
After everything is installed, edit the main configuration file. Note that this file holds the package defaults and may be overwritten when the package is upgraded; the same options placed in /etc/logwatch/conf/logwatch.conf override the defaults and survive upgrades.
root@ubuntu:/# vi /usr/share/logwatch/default.conf/logwatch.conf
The man page describes the full list of options. Some that you may wish to change are:
# Location of your log files
LogDir = /var/log

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

# Change this to your email address
MailTo = root

# Change this to something meaningful, like your name
MailFrom = Me

# How far back do you want to look? Possibilities are yesterday/today/all
Range = yesterday

# Detail level - determines thoroughness of the report
Detail = Low

# If you don't wish to receive the daily reports, uncomment this line
# DailyReport = No

# Services to monitor
Service = All
The individual services and their logfile locations are defined in /usr/share/logwatch/scripts/services:
root@ubuntu:/# ls -l /usr/share/logwatch/scripts/services
total 1880
-rwxr-xr-x 1 root root   3978 Mar 26  2016 afpd
-rwxr-xr-x 1 root root 180596 Feb 27  2016 amavis
-rwxr-xr-x 1 root root   1512 Mar 26  2016 arpwatch
-rwxr-xr-x 1 root root  16007 Mar 26  2016 audit
-rwxr-xr-x 1 root root   5412 Mar 26  2016 automount
-rwxr-xr-x 1 root root   2346 Mar 26  2016 autorpm
-rwxr-xr-x 1 root root  12132 Mar 26  2016 barracuda
[etc.]
To test your config, you can run logwatch from the command line:
root@ubuntu:/# logwatch --detail Low --mailto myemail@mydomain.com --service sshd --range today
Check your email. You should see a message from root@ubuntu with the subject “Logwatch for (hostname)” containing something like this:
 ################### Logwatch 7.4.2 (02/27/16) ####################
        Processing Initiated: Fri Dec  9 13:48:11 2016
        Date Range Processed: today
                              ( 2016-Dec-09 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output/Format: mail / text
           Logfiles for Host: myserver.com
 ##################################################################

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)
 SSHD Started: 6 Time(s)

 Users logging in through sshd:
    geoff:
       192.168.0.1 (my_computer): 3 times

 ---------------------- SSHD End -------------------------


 ###################### Logwatch End #########################
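The report above is plain text in a fixed layout, so it is easy to post-process before it lands in your inbox (or after, from the mailed copy). The following is an added example, not part of the original post or of logwatch itself: a POSIX shell script that pulls the "Users logging in through sshd" block out of a report on stdin and lists the logins whose source address is not covered by an allow-list of expected prefixes. The report in sample_report() is constructed to match the format shown above, and ALLOWED_PREFIXES is a hypothetical value for a home LAN.

```shell
#!/bin/sh
# Added example (not from the original post): extract sshd logins from a
# Logwatch report and flag those from addresses outside an allow-list.
# sample_report() is constructed test data; ALLOWED_PREFIXES is hypothetical.

ALLOWED_PREFIXES='192.168.0. 10.0.'

# sample_report: constructed Logwatch output in the layout of the real report
sample_report() {
    cat <<'EOF'
 ################### Logwatch 7.4.2 (02/27/16) ####################
        Processing Initiated: Fri Dec  9 13:48:11 2016
        Date Range Processed: today
                              ( 2016-Dec-09 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output/Format: mail / text
           Logfiles for Host: myserver.com
 ##################################################################

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)
 SSHD Started: 6 Time(s)

 Users logging in through sshd:
    geoff:
       192.168.0.1 (my_computer): 3 times
       203.0.113.7: 1 time
    deploy:
       198.51.100.22 (ci-runner): 2 times

 ---------------------- SSHD End -------------------------


 ###################### Logwatch End #########################
EOF
}

# sshd_logins: read a report on stdin and print one "user address count" line
# per (user, source address) pair found between the SSHD Begin/End markers.
sshd_logins() {
    awk '
        /SSHD Begin/ { in_sshd = 1; next }
        /SSHD End/   { in_sshd = 0; in_users = 0; next }
        !in_sshd     { next }
        /Users logging in through sshd:/ { in_users = 1; next }
        !in_users    { next }
        /^[ \t]*$/   { in_users = 0; next }      # blank line closes the block
        /^[ \t]*[^ \t]+:$/ {                      # "    geoff:" names the user
            user = $1; sub(/:$/, "", user); next
        }
        /[0-9]+ times?$/ {                        # "   addr (host): N times"
            addr = $1; sub(/:$/, "", addr)
            print user, addr, $(NF - 1)
        }
    '
}

# unexpected_sshd_logins: keep only the sshd_logins lines whose address does
# not start with one of the space-separated prefixes in ALLOWED_PREFIXES.
unexpected_sshd_logins() {
    sshd_logins | awk -v allowed="$ALLOWED_PREFIXES" '
        BEGIN { n = split(allowed, pref, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($2, pref[i]) == 1) ok = 1
            if (!ok) print
        }
    '
}

# Stand-alone run: print the logins worth a second look.
sample_report | unexpected_sshd_logins
```

On a real system you would feed the script the saved report instead of sample_report (for example, run logwatch with --output stdout and pipe it in), and a non-empty result is a cheap trigger for a closer look at auth.log. Prefix matching is deliberately simple; swap in a proper CIDR check if your allow-list is not a small set of /24 or /16 ranges.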
If the email doesn’t work, you can examine /var/log/syslog to determine the fate of your outgoing message, assuming you haven’t told rsyslog to put your Postfix log entries somewhere else.
Logwatch Automation
If you installed everything with apt-get, you’ll have a startup script at /etc/cron.daily/00logwatch, called from the system crontab at /etc/crontab:
# m h dom mon dow user	command
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
To see what’s included in the daily cron run, use run-parts:
root@ubuntu:/# run-parts --test /etc/cron.daily
/etc/cron.daily/00logwatch
/etc/cron.daily/apport
/etc/cron.daily/apt-compat
/etc/cron.daily/dpkg
/etc/cron.daily/logrotate
/etc/cron.daily/mdadm
/etc/cron.daily/passwd
/etc/cron.daily/update-notifier-common
To change the timing, remove 00logwatch from /etc/cron.daily (or make it non-executable, since run-parts skips files that aren’t executable) and add an equivalent logwatch invocation, with --output mail, to a user crontab at the time you want.