Logwatch is the classic log summariser: once a day it parses the system logs and emails a digest of what happened. On CentOS the stock install has few of its optional reports switched on, so here is how to configure logwatch to report more.
Install logwatch (root is needed for this and for every edit below):
$ sudo yum install logwatch
Next, change into the directory that holds the per-service default settings:
$ cd /usr/share/logwatch/default.conf/services
Note that everything under /usr/share/logwatch/default.conf/ belongs to the logwatch package and is replaced when the package is updated. Logwatch reads default.conf first and /etc/logwatch/conf/ last, and later values override earlier ones, so if you want your changes to survive an update, put the same lines in a file of the same name under /etc/logwatch/conf/services/ (or /etc/logwatch/conf/logwatch.conf for the main file) instead of editing the defaults in place.
First, the disk space report:
$ sudo nano zz-disk_space.conf
Uncomment the lines as shown:
# New disk report options
# Uncomment this to show the home directory sizes
$show_home_dir_sizes = 1
$home_dir = "/home"

# Uncomment this to show the mail spool size
$show_mail_dir_sizes = 1
$mail_dir = "/var/spool/mail"

# Uncomment this to show the system directory sizes /opt /usr/ /var/log
$show_disk_usage = 1
Next, edit the following file:
$ sudo nano http.conf
Set the following flag to 1:
# Set flag to 1 to enable ignore
# or set to 0 to disable
$HTTP_IGNORE_ERROR_HACKS = 1
This is a trade-off rather than a pure improvement: with the flag set to 1, requests that look like exploit probes and that the server already answered with an error are left out of the httpd section, which makes the daily mail much shorter on a public web server. If the logwatch report is how you notice that someone is scanning your site, leave it at 0 and accept the noise.
Next, you will probably want to change the address that logwatch mails the report to:
$ cd /usr/share/logwatch/default.conf/
$ sudo nano logwatch.conf
Change MailTo = to an email address as desired:
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
#MailTo = root
MailTo = linuxadmins@mycompany.com
It is common practice to forward root's mail from every server to a mailing list that all admins subscribe to, so that reports like this one are actually read rather than piling up in a local mailbox.
Once complete, run logwatch by hand to test the configuration. With no options it uses the settings from logwatch.conf (which on this system means the report is mailed); add --output stdout to print the report to the terminal instead, and --detail high if you want to see everything the filters can produce:
$ sudo logwatch
$ sudo logwatch --output stdout --range yesterday --detail high
From then on the report is generated automatically by the daily cron job the package installs in /etc/cron.daily (0logwatch on CentOS).
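As an added example (not from the original post), here is the whole procedure above as one script. Instead of editing the package-owned files in /usr/share/logwatch/default.conf/, it writes the same settings as overrides under /etc/logwatch/conf/, where they survive a logwatch update, and then reads them back to confirm they took. The mailing-list address is the placeholder used above; the ROOT prefix and the conf_value and check_overrides helpers are the example's own, added so it can be exercised against a scratch directory before touching the live system.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the tutorial's settings
# as local overrides under /etc/logwatch/conf/ rather than editing the
# package-owned files in /usr/share/logwatch/default.conf/, which a logwatch
# update replaces. Logwatch reads default.conf first and /etc/logwatch/conf
# last, so a value set here wins. The ROOT prefix (first argument, default "/")
# exists only so the script can be run against a scratch directory.

write_logwatch_overrides() {
    root="${1:-/}"
    conf="$root/etc/logwatch/conf"
    mkdir -p "$conf/services" || return 1

    # Where the daily report goes (the shipped default is MailTo = root).
    cat > "$conf/logwatch.conf" <<'EOF'
# Local overrides for /usr/share/logwatch/default.conf/logwatch.conf
MailTo = linuxadmins@mycompany.com
EOF

    # Extra disk reports: home directories, mail spool, /opt /usr /var/log.
    cat > "$conf/services/zz-disk_space.conf" <<'EOF'
$show_home_dir_sizes = 1
$home_dir = "/home"
$show_mail_dir_sizes = 1
$mail_dir = "/var/spool/mail"
$show_disk_usage = 1
EOF

    # 1 = leave failed exploit probes out of the httpd error-code list (quieter);
    # 0 = keep them, which you want if this report is how you spot web scanners.
    # The tutorial chooses 1.
    cat > "$conf/services/http.conf" <<'EOF'
$HTTP_IGNORE_ERROR_HACKS = 1
EOF
}

# Print the value of "Key = value" from a logwatch conf file (first match;
# comment lines and other keys are ignored). Used to verify what was written.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Confirm the three settings this tutorial changes are in effect under ROOT.
check_overrides() {
    conf="${1:-/}/etc/logwatch/conf"
    [ "$(conf_value "$conf/logwatch.conf" MailTo)" = "linuxadmins@mycompany.com" ] &&
    [ "$(conf_value "$conf/services/zz-disk_space.conf" '$show_disk_usage')" = "1" ] &&
    [ "$(conf_value "$conf/services/http.conf" '$HTTP_IGNORE_ERROR_HACKS')" = "1" ]
}

# Real run, as root:   LOGWATCH_APPLY=1 sh logwatch-overrides.sh
# Then preview the report on the terminal instead of mailing it:
#   logwatch --output stdout --range yesterday --detail high
if [ -n "${LOGWATCH_APPLY:-}" ]; then
    write_logwatch_overrides "${LOGWATCH_ROOT:-/}" && check_overrides "${LOGWATCH_ROOT:-/}"
fi
```

Nothing is written unless LOGWATCH_APPLY is set, so the script can be sourced or dry-run safely; set LOGWATCH_ROOT to a scratch directory to inspect the generated files before applying them for real.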
Below is an example logwatch output:
 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon Mar 11 06:25:04 2013
        Date Range Processed: yesterday
                              ( 2013-Mar-10 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output/Format: mail / text
           Logfiles for Host: li166-66
 ##################################################################

 --------------------- Denyhosts Begin ------------------------

 new denied hosts:
    198.101.155.224

 ---------------------- Denyhosts End -------------------------


 --------------------- fail2ban-messages Begin ------------------------

 Banned services with Fail2Ban:                             Bans:Unbans
    ssh:                                                   [ 10:10 ]

 ---------------------- fail2ban-messages End -------------------------


 --------------------- httpd Begin ------------------------

 Requests with error response codes
    403 Forbidden
       /: 1 Time(s)
       /2011/12/28/check-site-for-malware-with-google-safe-browsing: 1 Time(s)
       /wp-content/gallery/centos6_netinstall/02_ ... _netinstall.png: 1 Time(s)
       /wp-login.php: 3 Time(s)
    404 Not Found
       /2012/05/22/install-nmap-6-on-debian-or-ub ... /icon_smile.gif: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 00ad59cfbe0d0e6: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 0428a5432cddd7a: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 100bbfd2fb6f814: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 29e2974b4e7a6d9: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 46e8cf0ecfe2950: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 93ac2279ce4b930: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 9588a7ccfccc633: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... a4920cc0865dfcb: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... a8bb27807d8787c: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... crumb-arrow.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... ee9627dfa9953af: 1 Time(s)
       /admin/config.php: 1 Time(s)
       /index.php?do=register: 1 Time(s)
       /tag/button/feed/www.gimp.org: 1 Time(s)
       http://37.28.156.211/sprawdza.php: 1 Time(s)
       http://server5.cyberpods.net/azenv.php: 1 Time(s)
    408 Request Timeout
       null: 605 Time(s)
    500 Internal Server Error
       /wp-comments-post.php: 3 Time(s)
    501 Not Implemented
       null: 2 Time(s)

 ---------------------- httpd End -------------------------


 --------------------- iptables firewall Begin ------------------------

 Listed by source hosts:
 Logged 610 packets on interface eth0
   From 1.34.254.8 - 1 packet to tcp(23)
   From 2.28.22.209 - 11 packets to tcp(443)
   From 2.50.172.58 - 3 packets to tcp(3389)
   From 5.34.242.184 - 3 packets to tcp(3128)
   From 15.219.201.68 - 18 packets to tcp(80)
   From 38.81.66.114 - 18 packets to tcp(4242)
   From 41.137.24.82 - 3 packets to tcp(80)
   From 42.96.156.107 - 2 packets to tcp(3389)
   From 46.20.35.92 - 1 packet to udp(6060)
   From 49.88.119.47 - 9 packets to tcp(3899,4899,4900)
   From 59.165.88.171 - 1 packet to tcp(23)
   From 60.191.170.125 - 2 packets to tcp(135)
   From 60.218.122.219 - 1 packet to tcp(1433)
   From 61.147.103.188 - 1 packet to tcp(1433)
   From 61.155.106.212 - 1 packet to tcp(1433)
   From 61.174.50.67 - 1 packet to tcp(135)
   From 66.207.200.146 - 3 packets to tcp(1433,3306,8080)
   From 69.155.10.189 - 1 packet to tcp(23)
   From 69.172.200.161 - 8 packets to tcp(12623)
   From 69.175.126.170 - 1 packet to udp(5353)
   From 72.223.99.33 - 1 packet to udp(56423)
   From 77.232.135.244 - 1 packet to tcp(5900)
   From 78.43.232.88 - 22 packets to tcp(80)
   From 78.69.210.213 - 31 packets to tcp(80)

 ---------------------- iptables firewall End -------------------------


 --------------------- Postfix Begin ------------------------

    6.561K  Bytes accepted                             6,718
    6.561K  Bytes sent via SMTP                        6,718
  ========   ==================================================

         6   Accepted                                   75.00%
         2   Rejected                                   25.00%
  --------   --------------------------------------------------
         8   Total                                     100.00%
  ========   ==================================================

         2   5xx Reject relay denied                   100.00%
  --------   --------------------------------------------------
         2   Total 5xx Rejects                         100.00%
  ========   ==================================================

         3   4xx Reject unknown client host            100.00%
  --------   --------------------------------------------------
         3   Total 4xx Rejects                         100.00%
  ========   ==================================================

         9   Connections
         6   Connections lost (inbound)
         9   Disconnections
         6   Removed from queue
         6   Sent via SMTP
         1   SMTP dialog errors
         1   Hostname verification errors

 ---------------------- Postfix End -------------------------


 --------------------- SSHD Begin ------------------------

 Illegal users from:
    198.101.155.224: 8 times

 Refused incoming connections:
    198.101.155.224 (198.101.155.224): 2 Time(s)

 **Unmatched Entries**
 reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.147.229] failed - POSSIBLE BREAK-IN ATTEMPT! : 25 time(s)

 ---------------------- SSHD End -------------------------


 --------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/xvda              47G   15G   32G  32% /
 /dev                  502M  112K  502M   1% /dev

 ------------- Directory Sizes ---------------
 Size    Location (GB)
 818M    /var/log
 1.4G    /usr
 ------------- Directory Sizes ---------------

 ------------- Home Directory Sizes ---------------
 Size    Location (MB)
 3.9G    /home/asdfas
 ------------- Home Directory Sizes ---------------

 ------------- Mail Directory Sizes ---------------
 Size    Location (MB)
 176K    /var/spool/mail/root
 ------------- Mail Directory Sizes ---------------

 ---------------------- Disk Space End -------------------------


 ###################### Logwatch End #########################
How do I configure logwatch to trap other particular applications?