TrumanWong

logwatch

Customizable and pluggable log monitoring system

Supplementary instructions

The logwatch command is a customizable and pluggable log monitoring system that generates log reports by traversing the system log files within a given time range. By default logwatch is run once a day by the cron job found in /etc/cron.daily.

Syntax

logwatch [options]

Options

--detail <report detail level>: specify the detail level of the log report;
--logfile <log file>: only process the specified log file;
--service <service name>: only process the log files of the specified service;
--print: print the results to standard output;
--mailto <email address>: send the results to the specified mailbox;
--range <date range>: specify the date range of logs to process;
--archives: also process archived log files;
--debug <debug level>: debug mode;
--save <file name>: save the results to the specified file instead of displaying them or sending them by mail;
--logdir <directory>: search the specified directory for log files instead of the default log directory;
--hostname <hostname>: use the specified hostname in log reports instead of the system's default hostname;
--numeric: display IP addresses instead of hostnames in reports;
--help: display help information for the command.

Example

Check whether logwatch is already installed on the host (Red Hat installs logwatch by default, but the bundled version is old):

rpm -qa logwatch

If there is no logwatch on the host, execute:

rpm -ivh logwatch***.rpm

If there is an old version of logwatch, execute:

rpm -Uvh logwatch***.rpm

After installation is complete, configure it:

You can modify or add logfile, service and other configurations, but many scripts are already provided by default; it is usually enough to set Detail = High in the first file listed below.

  • New configurations can be added to /etc/logwatch/conf/logwatch.conf
  • You can also modify /usr/share/logwatch/default.conf/logwatch.conf

A file placed under /etc/logwatch/conf/ automatically overrides the file of the same name under /usr/share/logwatch/default.conf/.

If logwatch.conf is not configured, the same settings can be given directly on the command line.
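The override precedence described above, as an added shell example that is not from this page or the logwatch project. It treats the site file as a per-setting override, with the two directories and sample conf contents constructed under a temporary directory so it runs offline; the key/value parsing (comments stripped, key case ignored) is this example's own.

```sh
#!/bin/sh
# Added example (not from the page or the logwatch project): resolve the
# effective value of a logwatch.conf setting with the precedence described
# above, /etc/logwatch/conf/ over /usr/share/logwatch/default.conf/. Both
# directories and files are constructed under a temp dir so this runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEFAULT_DIR="$WORK/usr/share/logwatch/default.conf"   # stands in for the real path
SITE_DIR="$WORK/etc/logwatch/conf"                    # stands in for the real path
mkdir -p "$DEFAULT_DIR" "$SITE_DIR"

# Constructed sample of the distribution defaults (left unedited)
cat > "$DEFAULT_DIR/logwatch.conf" <<'EOF'
# distribution defaults
LogDir = /var/log
MailTo = root
Detail = Low       # report detail level
Service = All
EOF

# Constructed sample of the site override: only the settings being changed
cat > "$SITE_DIR/logwatch.conf" <<'EOF'
Detail = High
EOF

# conf_value <file> <key>: print the value of "Key = Value" from one file.
# Comments, surrounding whitespace and key case are ignored; the last
# occurrence of a key wins; a missing file yields nothing.
conf_value() {
    [ -f "$1" ] || return 0
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, "") }
        /^[ \t]*[^= \t]+[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (tolower(key) == k) v = val
        }
        END { if (v != "") print v }' "$1"
}

# effective_value <key>: the site file wins; otherwise fall back to the default.
effective_value() {
    v=$(conf_value "$SITE_DIR/logwatch.conf" "$1")
    [ -n "$v" ] || v=$(conf_value "$DEFAULT_DIR/logwatch.conf" "$1")
    printf '%s\n' "$v"
}
effective_value Detail   # High: overridden in /etc/logwatch/conf/
effective_value MailTo   # root: inherited from default.conf
```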

logwatch --detail High --service All --range All --print displays essentially all log activity.
logwatch --service sshd --detail High shows only the log status of sshd.