Wednesday, February 16, 2011

Watching your log files

It's a good idea to check your server's logs fairly regularly, preferably daily, for signs of intrusion attempts or system failures. However, this can be a long-winded process, and it's easy to forget to do it every day. One way of simplifying the job (and helping you remember to do it) is to use Logwatch.

Logwatch is a popular log monitoring system that can be set to email you a daily summary of the logs. It's written in Perl and, if not already installed, can easily be installed using your distro's package management system:

For Red Hat/CentOS systems: yum install logwatch

For Debian/Ubuntu systems: apt-get install logwatch

Once installed, open the main configuration file using a text editor (e.g. vim) and have a look at some of the options:

vim /usr/share/logwatch/default.conf/logwatch.conf

There are three main options you might initially want to change:

1) LogDir = /var/log

All log files parsed are assumed to be relative to the path listed here. Usually, this won't need changing, but if your log files aren't in /var/log, you will need to edit this value and add the correct path.

2) MailTo = root

By default, Logwatch sends its reports to the root mailbox. If you want it emailed to you, add your email address here, e.g.

MailTo = admin@example.com

3) Detail = Low

This sets the level of information included in the report. Low is the default, but it can also be set to medium or high if you need more information.

If you want to check whether the selected detail level provides enough (or too much) information, you can run Logwatch from the command line and output the report to the screen instead of emailing it, using the --print option, e.g.

logwatch --detail high --print

This will display the report on screen, with a high level of information. If you don't use the --detail option, it will generate the report using whatever level of reporting is set in logwatch.conf.
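The three settings above can also be applied with a small script rather than by hand. The script below is an added example, not code from this post or from the Logwatch project. It assumes the standard override file /etc/logwatch/conf/logwatch.conf (values there take precedence over the packaged default.conf and are not overwritten on package upgrade) and that the logwatch binary is on the PATH; the helper functions work on any file path you pass them, so they can be tried against a scratch copy first.

```shell
#!/bin/sh
# Added example (not from the original post or from Logwatch).
# Assumption: the override file below is the standard location on
# Red Hat/CentOS and Debian/Ubuntu; override with LOGWATCH_CONF=... if not.
LOGWATCH_CONF="${LOGWATCH_CONF:-/etc/logwatch/conf/logwatch.conf}"

# set_logwatch_option FILE KEY VALUE
# Rewrites an existing "Key = value" line (key matched case-insensitively,
# as Logwatch itself ignores key case) or appends one if there is none.
# Comment lines such as "# MailTo = root" are left untouched. The result is
# written to a temp file and moved into place so an interrupted run never
# leaves a truncated configuration behind.
set_logwatch_option() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { lk = tolower(k); done = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            cand = (n > 0) ? substr(line, 1, n - 1) : ""
            sub(/[ \t]+$/, "", cand)
            if (!done && tolower(cand) == lk) { print k " = " v; done = 1; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_logwatch_option FILE KEY
# Prints the effective value of KEY (the last matching line wins, which is
# how Logwatch resolves duplicates), or nothing if the key is absent.
get_logwatch_option() {
    awk -v k="$2" '
        BEGIN { lk = tolower(k) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            cand = substr(line, 1, n - 1); sub(/[ \t]+$/, "", cand)
            if (tolower(cand) == lk) {
                val = substr(line, n + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# preview_report [DETAIL]
# Same check the post describes: print the report to the terminal instead
# of mailing it, at the requested detail level (default Low).
preview_report() {
    logwatch --detail "${1:-Low}" --print
}

# Usage: only runs when explicitly opted in, so sourcing this file is safe.
if [ "${LOGWATCH_APPLY:-0}" = 1 ]; then
    set_logwatch_option "$LOGWATCH_CONF" MailTo admin@example.com
    set_logwatch_option "$LOGWATCH_CONF" Detail High
    preview_report "$(get_logwatch_option "$LOGWATCH_CONF" Detail)"
fi
```

Run it as `LOGWATCH_APPLY=1 sh logwatch-setup.sh` (a hypothetical file name) to apply the settings and see the resulting report on screen before the first cron run mails it.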

The default configuration assumes all log files are stored in one location, /var/log. If you have logs that are stored elsewhere (usually web logs), you will need to create a custom logfile filter. These custom filters are usually located in:

/etc/logwatch/conf/logfiles/

For example, let's assume you have a cPanel server, where the web logs are stored inside the folder /usr/local/apache/domlogs/, and you want the logs for your site example.com to be parsed by Logwatch. You would create a new file using vim:

vim /etc/logwatch/conf/logfiles/http.conf

And define the new log file location by adding this to the file:

Logfile = /usr/local/apache/domlogs/example.com

Save the new file, and then when Logwatch is next run, it will also check the example.com log file.

Note: Multiple Logfiles can be defined in this way, so it doesn't matter where your log files are located; as long as they are set up in a file within the logfiles directory, they will be read by Logwatch.
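On a server hosting many sites, adding one Logfile line per domain by hand is error-prone, and a site whose log is missing from the file is simply never reported on. The function below is an added example, not code from this post or from Logwatch: it generates the http.conf described above for every per-domain log in the domlogs directory. It assumes the cPanel layout from the example, that rotated copies carry a numeric or .gz/.bz2 suffix, and (an assumption made here) that cPanel's bandwidth files named *-bytes_log sit in the same directory and are not access logs, so they are skipped.

```shell
#!/bin/sh
# Added example (not from the original post or from Logwatch).

# write_http_logfiles DOMLOGS_DIR OUTFILE
# Emits one "LogFile = <path>" line per regular, readable log in
# DOMLOGS_DIR into OUTFILE (normally /etc/logwatch/conf/logfiles/http.conf),
# skipping subdirectories, rotated or compressed archives, and the
# *-bytes_log bandwidth files (assumed here not to be access logs).
# Unreadable files are recorded as comments so the gap is visible in the
# generated configuration rather than silently dropped.
write_http_logfiles() {
    dir=$1 out=$2
    tmp="$out.tmp.$$"
    {
        echo "# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) from $dir"
        for f in "$dir"/*; do
            [ -f "$f" ] || continue                # also handles a glob that matched nothing
            case "$f" in
                *.gz|*.bz2|*.[0-9]|*-bytes_log) continue ;;   # archives and non-access logs
            esac
            if [ -r "$f" ]; then
                echo "LogFile = $f"
            else
                echo "# skipped (unreadable): $f"
            fi
        done
    } > "$tmp" && mv "$tmp" "$out"
}

# count_http_logfiles OUTFILE
# Prints how many LogFile entries the generated file contains, a quick
# sanity check that every site you expect is covered.
count_http_logfiles() {
    grep -c '^LogFile = ' "$1"
}

# Usage: only runs when explicitly opted in, so sourcing this file is safe.
if [ "${LOGWATCH_APPLY:-0}" = 1 ]; then
    write_http_logfiles /usr/local/apache/domlogs /etc/logwatch/conf/logfiles/http.conf
    echo "registered $(count_http_logfiles /etc/logwatch/conf/logfiles/http.conf) web logs"
    # Preview just the http service at high detail before the cron job mails it
    logwatch --service http --detail High --print
fi
```

Because the file is regenerated from the directory listing, re-running it after a new site is added keeps the Logwatch configuration in step with what is actually on disk.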

Finally, add a cron job to run Logwatch daily. If you've set up everything correctly in logwatch.conf, you can run it without any options:

0 1 * * * /usr/sbin/logwatch

This will run Logwatch at 1am every morning, using whatever values have been setup in logwatch.conf.

If you haven't altered the conf file, you can add options to the cron job instead, e.g.

0 1 * * * /usr/sbin/logwatch --detail high --mailto admin@example.com

This will run Logwatch at 1am every morning, generate a report using a high level of detail, and then email it to admin@example.com.

This is just a basic setup, and there are many more things you can do with Logwatch, but hopefully it's enough to get you started.

For further reading go to:

http://sourceforge.net/projects/logwatch/

http://linuxcommand.org/man_pages/logwatch8.html
