LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Keeping A (log)Watchful Eye on Your VPS With logwatch

Date/Time: October 27, 2020 @ 1:00 am, by raindog308

Your logs are an invaluable source of information about what’s going on inside your system and can alert you to security issues, service issues, and hardware problems.  But they only help if you actually read them.  Logging in to each system every day to view the logs by hand would be a burdensome chore.  Fortunately, you can automate this task with the logwatch tool, a customizable, pluggable log monitoring system that summarizes your logs for you.


To install logwatch on Debian-based systems:

    apt-get install logwatch

On CentOS-based systems:

    yum -y install logwatch

Just running logwatch out of the box gives us some great info:

    $ logwatch
    ################### Logwatch 7.4.0 (03/01/11) ####################
           Processing Initiated: Tue Apr  7 22:30:28 2020
           Date Range Processed: yesterday
                                 ( 2020-Apr-06 )
                                 Period is day.
           Detail Level of Output: 0
           Type of Output/Format: stdout / text
           Logfiles for Host: myserver.example.com
    ##################################################################
    --------------------- SSHD Begin ------------------------
    Illegal users from:
       undef: 62 times
       51.91.140.218: 5 times
       76.72.169.18 (egh4.com): 3 times
       88.146.200.8: 6 times
       92.63.194.7: 2 times
       92.63.194.104: 1 time
       92.63.194.105: 2 times
       92.63.194.106: 1 time
       92.63.194.107: 1 time
       92.63.194.108: 2 times
       93.174.93.10 (storedatatips.com): 2 times
       93.235.99.248 (p5DEB63F8.dip0.t-ipconnect.de): 2 times
       144.217.207.15 (ip15.ip-144-217-207.net): 1 time
       176.37.60.16 (host-176-37-60-16.la.net.ua): 2 times
       177.161.47.151 (177-161-47-151.user.vivozap.com.br): 35 times
       179.106.64.134 (179-106-64-134.hnnet.com.br): 1 time
       185.234.218.68: 1 time
       193.142.146.21: 64 times
       195.231.8.141 (host141-8-231-195.serverdedicati.aruba.it): 4 times
       203.185.4.41 (mail.belfry.com.hk): 13 times
       205.185.120.163 (.): 5 times
       212.85.80.247 (h-80-247.A165.priv.bahnhof.se): 2 times

    Received disconnect:
       11: Bye Bye [preauth] : 435 Time(s)
       11: Normal Shutdown, Thank you for playing [preauth] : 22 Time(s)
    ---------------------- SSHD End -------------------------

    --------------------- Disk Space Begin ------------------------
    Filesystem      Size  Used Avail Use% Mounted on
    devtmpfs        486M     0  486M   0% /dev
    /dev/vda1        25G  1.6G   22G   7% /
    ---------------------- Disk Space End -------------------------

    ###################### Logwatch End #########################

Here we can see numerous attempted logins (probably because ssh was still running on port 22) as well as the status of our disk space.  This is an example of the ‘Low’ detail setting.  If we turned the detail level up to ‘High’, we’d also be able to see exactly which user names were tried.
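A report like the one above is easier to act on if the “Illegal users from:” block is parsed and the busiest sources are pulled out for review. The following Python is an added example, not part of the article or of logwatch itself; the sample report text (with RFC 5737 documentation addresses), the threshold of 10 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the SSHD section of a logwatch report, laid out
# like the real report above but with documentation-only addresses.
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------
 Illegal users from:
    undef: 62 times
    192.0.2.10: 5 times
    198.51.100.7 (host7.example.net): 35 times
    203.0.113.9 (.): 1 time

 Received disconnect:
    11: Bye Bye [preauth] : 435 Time(s)
 ---------------------- SSHD End -------------------------
"""

# One entry line: "<source>[ (<reverse dns>)]: <n> time(s)"
ENTRY_RE = re.compile(r"^\s*(?P<src>\S+)(?: \((?P<rdns>[^)]*)\))?: (?P<n>\d+) times?$")

def parse_illegal_users(report):
    """Return {source: attempts} from the 'Illegal users from:' block.
    'undef' is logwatch's bucket for attempts whose source it could not
    resolve; it is kept under that name so the total still adds up."""
    counts = Counter()
    in_block = False
    for line in report.splitlines():
        if line.strip() == "Illegal users from:":
            in_block = True
            continue
        if in_block:
            m = ENTRY_RE.match(line)
            if not m:
                break  # a blank line or the next heading ends the block
            counts[m["src"]] += int(m["n"])
    return dict(counts)

def noisy_sources(counts, threshold=10):
    """Sources with at least `threshold` attempts, busiest first,
    leaving out 'undef' so the review list holds only real addresses."""
    hits = [(s, n) for s, n in counts.items() if s != "undef" and n >= threshold]
    return sorted(hits, key=lambda sn: sn[1], reverse=True)

if __name__ == "__main__":
    counts = parse_illegal_users(SAMPLE_REPORT)
    print("failed logins yesterday:", sum(counts.values()))
    for src, n in noisy_sources(counts):
        print(f"{src}: {n} attempts")
```

Pipe a saved report (for example the output of `logwatch --service sshd --output stdout`) into the parser instead of the embedded sample to run it against your own server.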

One of the nice things about logwatch is that as you add services (email, httpd, etc.), logwatch detects them and adds sections with the pertinent information to your reports.

It’s easy to configure logwatch to mail reports to you daily, which allows a quick review.

Modify /etc/logwatch/conf/logwatch.conf (create it if it does not exist; settings there override the package defaults shipped in /usr/share/logwatch/default.conf/logwatch.conf) and add the following lines:

    MailTo = <your email>
    # logwatch accepts mail, file or stdout here; "email" is not a valid value
    Output = mail
    Detail = High

By default, both Debian and CentOS install a cron job in /etc/cron.daily that runs logwatch once a day, so you should begin receiving a report every night.


I'm Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.
