Your logs are an invaluable source of information about what’s going on inside your system and can alert you to security issues, service issues, and hardware problems. But you are only aware of what they’re trying to tell you if you actually read them. It would be a burdensome chore to login to each system every day and manually view the logs. Fortunately, you can automate this task with the logwatch tool, which is a customizable, pluggable log monitoring system.
Read more to continue…
To install logwatch on Debian-based systems:
apt-get install logwatchOn CentOS-based systems:
yum -y install logwatch Just running logwatch out of the box gives us some great info:
$ logwatch ################### Logwatch 7.4.0 (03/01/11) #################### Processing Initiated: Tue Apr 7 22:30:28 2020 Date Range Processed: yesterday ( 2020-Apr-06 ) Period is day. Detail Level of Output: 0 Type of Output/Format: stdout / text Logfiles for Host: myserver.example.com ################################################################## --------------------- SSHD Begin ------------------------ Illegal users from: undef: 62 times 51.91.140.218: 5 times 76.72.169.18 (egh4.com): 3 times 88.146.200.8: 6 times 92.63.194.7: 2 times 92.63.194.104: 1 time 92.63.194.105: 2 times 92.63.194.106: 1 time 92.63.194.107: 1 time 92.63.194.108: 2 times 93.174.93.10 (storedatatips.com): 2 times 93.235.99.248 (p5DEB63F8.dip0.t-ipconnect.de): 2 times 144.217.207.15 (ip15.ip-144-217-207.net): 1 time 176.37.60.16 (host-176-37-60-16.la.net.ua): 2 times 177.161.47.151 (177-161-47-151.user.vivozap.com.br): 35 times 179.106.64.134 (179-106-64-134.hnnet.com.br): 1 time 185.234.218.68: 1 time 193.142.146.21: 64 times 195.231.8.141 (host141-8-231-195.serverdedicati.aruba.it): 4 times 203.185.4.41 (mail.belfry.com.hk): 13 times 205.185.120.163 (.): 5 times 212.85.80.247 (h-80-247.A165.priv.bahnhof.se): 2 times Received disconnect: 11: Bye Bye [preauth] : 435 Time(s) 11: Normal Shutdown, Thank you for playing [preauth] : 22 Time(s) ---------------------- SSHD End ------------------------- --------------------- Disk Space Begin ------------------------ Filesystem Size Used Avail Use% Mounted on devtmpfs 486M 0 486M 0% /dev /dev/vda1 25G 1.6G 22G 7% / ---------------------- Disk Space End ------------------------- ###################### Logwatch End #########################
Here we can see numerous attempted logins (probably because ssh was still running on port 22) as well as the status of our disk space. This is an example of detail on the ‘Low’ setting. If we turned on the ‘High’ output of detail, we’d be able to see exactly which user tried to login.
One of the nice things about logwatch is that as you add services (email, httpd, etc.) logwatch will detect this and add sections to your reports with pertinent information.
It’s easy to configure logwatch to mail reports to you daily, which allows a quick review.
Modify /etc/logwatch/conf/logwatch.conf and add the following line:
MailTo = <your email> Output = email Detail = High
By default, both Debian and CentOS create cron jobs to run logwatch nightly (in /etc/cron.daily) so you should begin receiving reports nightly.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
Leave a Reply