Monitoring system logs is a critical task for any system administrator. It helps you identify issues, track system performance, and detect security threats before they escalate. One of the most efficient tools to help you stay on top of your logs is Logwatch. It is a log analyzer and reporting system that summarizes logs and sends detailed reports via email.

What Is Logwatch?

Logwatch is a customizable log analysis tool for Linux systems. It parses through system log files, filters out irrelevant data, and sends summarized reports of notable system events. It’s particularly useful for identifying:

  • Failed login attempts
  • Sudo activity
  • SSH access logs
  • Service errors and warnings
  • Cron job failures

Step 1: Installing Logwatch

Installation is straightforward. Follow the commands below. In this example, we use an Ubuntu 22.04 server.

sudo apt update
sudo apt install logwatch

Step 2: Running Logwatch Manually

Before configuring Logwatch for automatic reporting, you can test its functionality manually.

sudo logwatch --detail High --mailto [email protected] --range yesterday --service all

The parameters in this command are:

  • –detail High: Level of detail (Low, Med, High)
  • –mailto: The recipient email address
  • –range: Timeframe (yesterday, today, last 7 days, etc.)
  • –service: Specific services (ssh, http, all, etc.)

Step 3: Configuring Logwatch

Logwatch’s default configuration is located in:

/usr/share/logwatch/default.conf/

To make changes without affecting the default settings, override them in:

/etc/logwatch/conf/

Basic configuration file locations:

  • General settings: /etc/logwatch/conf/logwatch.conf
  • Services: /etc/logwatch/conf/services/
  • Ignore list and scripts: /etc/logwatch/scripts/

You can customize:

  • Output format (e.g., email or stdout)
  • Report range and detail level
  • Which services to include or exclude

Example override configuration (/etc/logwatch/conf/logwatch.conf):

MailTo = [email protected]
Detail = Med
Range = Yesterday
Format = html

Step 4: Automating with Cron

Logwatch is usually set to run daily via a cron job.

  • On Debian-based systems: Found under /etc/cron.daily/00logwatch
  • On RHEL-based systems: Managed via logrotate and cron.daily

You can edit the cron script or create your own in /etc/cron.daily/, or use crontab -e for fine control.

Example crontab entry to run Logwatch daily at midnight:

0 0 * * * /usr/sbin/logwatch --output mail --mailto [email protected] --detail high

Example Use Cases

1. Detecting SSH Brute-Force Attempts

Logwatch can summarize all failed SSH logins in the last 24 hours, making it useful for detecting brute-force attempts.

2. Monitoring Web Server Errors

If you’re running Apache or Nginx, Logwatch will notify you of 4xx/5xx error spikes, helping you troubleshoot faster.

3. Tracking Cron Failures

Cron job errors are often buried in logs. Logwatch extracts these and highlights failed executions, reducing time-to-fix.

Conclusion

Logwatch is a powerful yet easy-to-use tool for system log monitoring. With minimal setup, it gives you daily reports that help you maintain the health and security of your systems. Whether you’re managing a single server or a fleet, Logwatch adds valuable visibility into your infrastructure’s behavior.

Server Hosting Solutions by RackNerd:

Shared Hosting
cPanel Web Hosting in US, Europe, and Asia datacenters
Logo
Reseller Hosting
Create your new income stream today with a reseller account
Logo
VPS (Virtual Private Server)
Fast and Affordable VPS services - Instantly Deployed
Logo
Dedicated Servers
Bare-metal servers, ideal for the performance-demanding use case.
Logo

Leave a comment

Your email address will not be published. Required fields are marked *