How to Monitor System Logs with Logwatch
Monitoring system logs is a critical task for any system administrator. It helps you identify issues, track system performance, and detect security threats before they escalate. One of the most efficient tools to help you stay on top of your logs is Logwatch. It is a log analyzer and reporting system that summarizes logs and sends detailed reports via email.

What Is Logwatch?
Logwatch is a customizable log analysis tool for Linux systems. It parses through system log files, filters out irrelevant data, and sends summarized reports of notable system events. It’s particularly useful for identifying:
- Failed login attempts
- Sudo activity
- SSH access logs
- Service errors and warnings
- Cron job failures
Step 1: Installing Logwatch
Installation is straightforward. Follow the commands below. In this example, we use an Ubuntu 22.04 server.
sudo apt update
sudo apt install logwatch
Step 2: Running Logwatch Manually
Before configuring Logwatch for automatic reporting, you can test its functionality manually.
sudo logwatch --detail High --mailto [email protected] --range yesterday --service all
The parameters in this command are:
- –detail High: Level of detail (Low, Med, High)
- –mailto: The recipient email address
- –range: Timeframe (yesterday, today, last 7 days, etc.)
- –service: Specific services (ssh, http, all, etc.)
Step 3: Configuring Logwatch
Logwatch’s default configuration is located in:
/usr/share/logwatch/default.conf/
To make changes without affecting the default settings, override them in:
/etc/logwatch/conf/
Basic configuration file locations:
- General settings:
/etc/logwatch/conf/logwatch.conf - Services:
/etc/logwatch/conf/services/ - Ignore list and scripts:
/etc/logwatch/scripts/
You can customize:
- Output format (e.g., email or stdout)
- Report range and detail level
- Which services to include or exclude
Example override configuration (/etc/logwatch/conf/logwatch.conf):
MailTo = [email protected]
Detail = Med
Range = Yesterday
Format = html
Step 4: Automating with Cron
Logwatch is usually set to run daily via a cron job.
- On Debian-based systems: Found under
/etc/cron.daily/00logwatch - On RHEL-based systems: Managed via
logrotateandcron.daily
You can edit the cron script or create your own in /etc/cron.daily/, or use crontab -e for fine control.
Example crontab entry to run Logwatch daily at midnight:
0 0 * * * /usr/sbin/logwatch --output mail --mailto [email protected] --detail high
Example Use Cases
1. Detecting SSH Brute-Force Attempts
Logwatch can summarize all failed SSH logins in the last 24 hours, making it useful for detecting brute-force attempts.
2. Monitoring Web Server Errors
If you’re running Apache or Nginx, Logwatch will notify you of 4xx/5xx error spikes, helping you troubleshoot faster.
3. Tracking Cron Failures
Cron job errors are often buried in logs. Logwatch extracts these and highlights failed executions, reducing time-to-fix.
Conclusion
Logwatch is a powerful yet easy-to-use tool for system log monitoring. With minimal setup, it gives you daily reports that help you maintain the health and security of your systems. Whether you’re managing a single server or a fleet, Logwatch adds valuable visibility into your infrastructure’s behavior.