logwatch on Ubuntu 16

logwatch is a utility that summarizes your system’s log files: run on a schedule, it parses the logs of the services you select and emails you a daily digest of what it found. Like most security tooling, logwatch isn’t a magic bullet, but it is a useful component of a secure setup. If nothing else, it can greatly reduce the time you spend troubleshooting problems.

Ubuntu 16.04 (xenial) ships a reasonably recent version of logwatch, 7.4.2:

root@ubuntu:/# apt-cache madison logwatch
  logwatch | 7.4.2-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  logwatch | 7.4.2-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages

If you don’t already have a mail transport agent installed, apt-get install logwatch will offer to install Postfix so that reports can be emailed. (When Postfix prompts for a configuration type, “Internet Site” is the usual choice for a server that delivers mail directly.) If you’re running ufw, you don’t need to open 25/tcp for this: sending a report is an outgoing connection, and ufw’s default policy denies incoming traffic but allows outgoing.

After everything is installed, set your options. The packaged defaults live in /usr/share/logwatch/default.conf/logwatch.conf, but don’t edit that file: a package upgrade will replace it. Logwatch reads /etc/logwatch/conf/logwatch.conf after the defaults, and anything set there takes precedence, so put your changes in that file (create it if it doesn’t exist yet):

root@ubuntu:/# vi /etc/logwatch/conf/logwatch.conf

The man page (man logwatch) and the comments in the default file describe the full list of options. Some that you may wish to change are:

# Location of your log files
LogDir = /var/log

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

# Change this to your email address
MailTo = root

# Change this to something meaningful, like your name
MailFrom = Me

# How far back do you want to look? Possibilities are yesterday/today/all
Range = yesterday

# Detail level - determines thoroughness of the report
Detail = Low

# If you don't wish to receive the daily reports, uncomment this line
# DailyReport = No

# Services to monitor: "All", or one Service line per filter name from
# /usr/share/logwatch/scripts/services (prefix a name with "-" to exclude it)
Service = All

The filter scripts that parse each service’s logs live in /usr/share/logwatch/scripts/services. Which log files a service reads is defined separately: /usr/share/logwatch/default.conf/services/<service>.conf names one or more logfile groups, and /usr/share/logwatch/default.conf/logfiles/<group>.conf names the actual files (relative to LogDir) and their rotated archives. Files of the same name under /etc/logwatch/conf override both:

root@ubuntu:/# ls -l /usr/share/logwatch/scripts/services
total 1880
-rwxr-xr-x 1 root root   3978 Mar 26  2016 afpd
-rwxr-xr-x 1 root root 180596 Feb 27  2016 amavis
-rwxr-xr-x 1 root root   1512 Mar 26  2016 arpwatch
-rwxr-xr-x 1 root root  16007 Mar 26  2016 audit
-rwxr-xr-x 1 root root   5412 Mar 26  2016 automount
-rwxr-xr-x 1 root root   2346 Mar 26  2016 autorpm
-rwxr-xr-x 1 root root  12132 Mar 26  2016 barracuda
[etc.]
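To see how those two layers fit together, here is a small resolver that walks the config tree the way logwatch does (an added example, not code from the original post or from logwatch itself). It takes a service name, LogDir and a list of config directories in increasing precedence, and prints the real files that service will read. The demonstration runs on a constructed miniature of the tree whose contents are modelled on the shape of sshd.conf and secure.conf, not copied from a real install; on a live system, point it at /usr/share/logwatch/default.conf and /etc/logwatch/conf instead.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which files a logwatch
# service filter actually reads. The config tree has two layers:
#   <confdir>/services/<service>.conf  "LogFile = <group>"  names logfile groups
#   <confdir>/logfiles/<group>.conf    "LogFile = <file>"   names real files,
#                                      relative to LogDir unless absolute
# Later conf directories override earlier ones, mirroring logwatch's own
# default.conf -> dist.conf -> /etc/logwatch/conf precedence.

# find_conf NAME SUBDIR DIR... -> path of the highest-precedence DIR/SUBDIR/NAME.conf
find_conf() {
    name=$1; subdir=$2; shift 2
    found=""
    for d in "$@"; do
        [ -f "$d/$subdir/$name.conf" ] && found="$d/$subdir/$name.conf"
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# conf_values KEY FILE -> each value of KEY, one per line (keys are matched
# case-insensitively; trailing comments and quotes are stripped)
conf_values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]*#.*/, "", v); gsub(/"/, "", v)
            print v
        }' "$2"
}

# logwatch_files SERVICE LOGDIR DIR... -> "<group> <file>" per real log file
logwatch_files() {
    svc=$1; logdir=$2; shift 2
    sconf=$(find_conf "$svc" services "$@") || { echo "no service '$svc'" >&2; return 1; }
    conf_values LogFile "$sconf" | while read -r group; do
        gconf=$(find_conf "$group" logfiles "$@") || { echo "no logfile group '$group'" >&2; continue; }
        conf_values LogFile "$gconf" | while read -r f; do
            case $f in
                /*) printf '%s %s\n' "$group" "$f" ;;
                *)  printf '%s %s\n' "$group" "$logdir/$f" ;;
            esac
        done
    done
}

# Demonstration on a constructed miniature of the tree (contents modelled on
# the shape of sshd.conf and secure.conf, not copied from an install).
# On a real box run:
#   logwatch_files sshd /var/log /usr/share/logwatch/default.conf /etc/logwatch/conf
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/default/services" "$t/default/logfiles" "$t/site/logfiles"
    cat > "$t/default/services/sshd.conf" <<'EOF'
Title = "SSHD"
LogFile = secure      # a logfile group, not a file name
LogFile = messages
*OnlyService = sshd
EOF
    cat > "$t/default/logfiles/secure.conf" <<'EOF'
LogFile = secure
LogFile = auth.log
Archive = auth.log.*
EOF
    printf 'LogFile = messages\n' > "$t/default/logfiles/messages.conf"
    # site override, as /etc/logwatch/conf would: "messages" lives elsewhere here
    printf 'LogFile = /srv/log/messages\n' > "$t/site/logfiles/messages.conf"
    logwatch_files sshd /var/log "$t/default" "$t/site"
    rm -rf "$t"
}
```

Running demo prints one line per file, group first: the secure group expands to /var/log/secure and /var/log/auth.log (logwatch lists both because the same group serves Red Hat and Debian layouts), and the site override redirects the messages group to /srv/log/messages. If a service you enabled produces an empty section in the report, this is the first thing to check: the group it names may point at a file your distribution doesn’t write.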

To test your configuration, run logwatch from the command line. (Adding --output stdout prints the report to the terminal instead of mailing it, which separates logwatch problems from mail delivery problems; the command below mails it.)

root@ubuntu:/# logwatch --detail Low --mailto myemail@mydomain.com --service sshd --range today

Check your email. You should see a message from root@ubuntu with the subject “Logwatch for (hostname)” containing something like this:

################### Logwatch 7.4.2 (02/27/16) ####################
        Processing Initiated: Fri Dec  9 13:48:11 2016
        Date Range Processed: today
                              ( 2016-Dec-09 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: myserver.com
##################################################################
--------------------- SSHD Begin ------------------------

SSHD Killed: 1 Time(s)
SSHD Started: 6 Time(s)
Users logging in through sshd:
    geoff:
       192.168.0.1 (my_computer): 3 times
---------------------- SSHD End -------------------------

###################### Logwatch End #########################

If the email doesn’t arrive, Postfix logs the fate of each outgoing message: on Ubuntu, rsyslog writes mail.* to /var/log/mail.log (and, with the default rules, to /var/log/syslog as well), unless you’ve told rsyslog to put Postfix entries somewhere else.
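The report is written for a human reader, but the “Users logging in through sshd” subsection is regular enough to check automatically, which is the one thing a practitioner wants a daily digest to do for them: raise an alarm when a login comes from somewhere it shouldn’t. The script below (an added example, not part of the original post or of logwatch) pulls user, source address and count out of a saved SSHD section and flags any login from outside a list of expected IPv4 prefixes. The report text it runs on is constructed to match the shape of the output above; on a real system, save a report with logwatch --output stdout --service sshd and feed that in instead.

```shell
#!/bin/sh
# Added example (not from the original post): pull the "Users logging in
# through sshd" part out of a saved Logwatch SSHD section and flag logins
# from outside the networks you expect. IPv4 only.

# sshd_logins REPORT -> "user address count" per login source
sshd_logins() {
    awk '
        /^-+ SSHD Begin/ { inside = 1; next }
        /^-+ SSHD End/   { inside = 0 }
        inside && /^Users logging in through sshd:/ { users = 1; next }
        inside && users && /^    [^ ]+:$/ { user = $1; sub(/:$/, "", user); next }
        inside && users && /^       [^ ]/ {
            # e.g. "       192.168.0.1 (my_computer): 3 times"
            addr = $1; sub(/:$/, "", addr)
            print user, addr, $(NF - 1)
            next
        }
        inside && users && /^[^ ]/ { users = 0 }   # next subsection begins
    ' "$1"
}

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> true if ADDR is inside the IPv4 prefix
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# unexpected_logins REPORT NET... -> prints one line per login from outside
# every NET; returns 1 if any were found, so a cron job can gate an alert on it
unexpected_logins() {
    report=$1; shift
    found=0
    while read -r user addr count; do
        [ -n "$addr" ] || continue
        ok=0
        for net in "$@"; do
            in_cidr "$addr" "$net" && { ok=1; break; }
        done
        [ "$ok" -eq 1 ] || { echo "UNEXPECTED: $user from $addr ($count login(s))"; found=1; }
    done <<EOF
$(sshd_logins "$report")
EOF
    [ "$found" -eq 0 ]
}

# Constructed sample report (not real data), written to a temp file whose
# path is printed so the caller can remove it afterwards.
sample_report() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
--------------------- SSHD Begin ------------------------

SSHD Killed: 1 Time(s)
SSHD Started: 6 Time(s)
Users logging in through sshd:
    geoff:
       192.168.0.1 (my_computer): 3 times
    root:
       203.0.113.7: 1 time
---------------------- SSHD End -------------------------
EOF
    printf '%s\n' "$t"
}

# Usage: r=$(sample_report); unexpected_logins "$r" 192.168.0.0/16 10.0.0.0/8; rm -f "$r"
```

With 192.168.0.0/16 and 10.0.0.0/8 as the expected networks, the sample yields one line, “UNEXPECTED: root from 203.0.113.7 (1 login(s))”, and a non-zero exit status; geoff’s logins from the LAN are accepted. The parser keys on the indentation Logwatch 7.4 uses (four spaces for the user, seven for the address), so re-check it if you move to a version that formats the section differently.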

Logwatch Automation

If you installed everything with apt-get, you’ll also have a daily cron job at /etc/cron.daily/00logwatch, a small wrapper that runs logwatch --output mail. On Ubuntu 16.04 the cron.daily directory is run from the system crontab, /etc/crontab; the entry fires at 06:25 only if anacron is not installed, otherwise anacron takes care of the daily jobs:

# m h dom mon dow user  command
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

To see what’s included in the daily run without executing anything, use run-parts --test, which lists the scripts it would run:

root@ubuntu:/# run-parts --test /etc/cron.daily
/etc/cron.daily/00logwatch
/etc/cron.daily/apport
/etc/cron.daily/apt-compat
/etc/cron.daily/dpkg
/etc/cron.daily/logrotate
/etc/cron.daily/mdadm
/etc/cron.daily/passwd
/etc/cron.daily/update-notifier-common

To change the timing, take 00logwatch out of the daily run (delete it, or chmod -x it so run-parts skips it) and schedule logwatch yourself from root’s crontab at the time you want. Keep the job running as root or as a member of the adm group: the logs under /var/log (auth.log, syslog, mail.log) are not world-readable on Ubuntu, so an entry in an ordinary user’s crontab would not be able to read them.
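An equivalent entry for root’s crontab, installed with crontab -e as root (an added example, not from the original post; you@example.com and the 07:30 time are placeholders):

```crontab
# m h  dom mon dow   command
# Mail yesterday's report at 07:30. Runs as root because /var/log/auth.log,
# syslog and mail.log are syslog:adm mode 0640 on Ubuntu, so an unprivileged
# job could not read them. Remove or chmod -x /etc/cron.daily/00logwatch
# first, or you will get two reports a day.
30 7 * * * /usr/sbin/logwatch --output mail --mailto you@example.com --range yesterday --detail Low
```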
