Use Logwatch to make log watching a little easier

The Logwatch utility is designed to make a sysadmin's job easier by doing basic analysis and display formatting for a wide range of logfile types.

As anyone who has had to serve as sysadmin for a busy server (and has made a real effort to do a competent job) can tell you, one of the challenges of the job is making use of logfiles to help keep abreast of potential problems. The major difficulty that arises is that logfiles serve purposes that demand two somewhat conflicting sets of requirements:

  1. Logs must be as comprehensive and detailed as possible, to help find very specific information about why and how something has happened and to avoid missing important events through overzealous filtering.
  2. Logs must be comprehensible and simple to facilitate the sysadmin's job of actually making sense of them in a timely manner.

The general solution to this conflict is pretty widely known:

Keep complete, comprehensive logs, and use filtering tools to minimize clutter when searching through logs for interesting information.

Filters provide temporary views of the contents of logfiles that exclude a lot of data, narrowing down what the viewer sees to a hopefully more relevant subset of the whole. Because the relevance of any particular piece of data is not certain at the time it is collected and logged, and because its relevance may change depending on circumstances and timing, the temporary view provided by filtering is the most reasonable approach for most sysadmins.

Unfortunately, good filtering tools and good filtering practices are not always obvious to the new sysadmin. Reading through system documentation and manuals will only get you so far, especially given that third-party tools are often among the most effective filtering and analysis tools available.

One of the most helpful tools for general-purpose logfile parsing and filtering on Unix-like systems is a package of Perl scripts known as Logwatch. In its most basic form, it uses a set of predefined configuration options to scan a wide range of log types on the system and presents them in a human-readable, lightly analyzed, plain text report like this:

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Wed Feb 9 14:33:53 2011
        Date Range Processed: yesterday
                              ( 2011-Feb-08 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: host.example
 ##################################################################

 --------------------- Disk Space Begin ------------------------

 Filesystem    1K-blocks      Used     Avail Capacity  Mounted on
 /dev/ad0s1a      507630    466900       120   100%    /
 devfs                 1         1         0   100%    /dev
 /dev/ad0s1e      507630    284336    182684    61%    /tmp
 /dev/ad0s1f    48709138  14977840  29834568    33%    /usr
 /dev/ad0s1d     3018382    191416   2585496     7%    /var
 linprocfs             4         4         0   100%    /usr/compat/linux/proc

 /dev/ad0s1a => 100% Used. Warning. Disk Filling up.
 devfs => 100% Used. Warning. Disk Filling up.
 linprocfs => 100% Used. Warning. Disk Filling up.

 ---------------------- Disk Space End -------------------------

 --------------------- Fortune Begin ------------------------

 Some of us are becoming the men we wanted to marry.
 -- Gloria Steinem

 ---------------------- Fortune End -------------------------

 ###################### Logwatch End #########################

Logwatch's default behavior is to mail a report covering the previous day. Whether a recipient is defined out of the box depends on how your distribution packaged it (the stock configuration file sends to root), so it is worth setting one explicitly with the --mailto option. To see the report on the terminal instead, use --print.

The level of detail can be set with --detail, which accepts Low, Med, High or a number from 0 to 10, and the date range with --range, which accepts values from "yesterday" and "today" up to "all". Logfile groups are defined in the configuration, and a run can be restricted to one group with --logfile or to one service's logs with --service, excluding everything else. The output of a given run can be saved to a file with the --save option.

The --help option, the logwatch manpage, and of course Google can help you find more information about effective use of Logwatch. Note that on some systems, such as FreeBSD, the command you need to execute may be logwatch.pl rather than logwatch.
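To make the "keep the complete log, filter the view" idea concrete, and to show what the --range and --detail knobs described above are actually doing, here is a miniature Logwatch-style summarizer in Python. It is an added example, not Logwatch's own code (which is Perl) and not the author's. The log lines, host name, user names, addresses, year and run date are all constructed for the demonstration, and the option handling only imitates the three simplest --range values and a numeric --detail threshold.

```python
"""Miniature Logwatch-style summarizer (added example, not Logwatch's code).

The raw log text is never modified; each run produces a filtered, summarized
view of it, selected by a --range-like date and a --detail-like verbosity.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample lines in BSD syslog format (no year field); not from a
# real host. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  8 03:14:01 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  8 03:14:05 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb  8 03:15:10 host sshd[2119]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  8 09:02:44 host sshd[2530]: Accepted publickey for chad from 192.0.2.10 port 40012 ssh2
Feb  8 12:00:00 host cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
Feb  9 01:00:00 host sshd[3001]: Failed password for invalid user test from 198.51.100.9 port 22222 ssh2
Feb  9 08:30:00 host sshd[3100]: Accepted password for chad from 192.0.2.10 port 40100 ssh2
"""
SAMPLE_YEAR = 2011           # syslog lines carry no year; assumed for the sample
RUN_DATE = date(2011, 2, 9)  # "today" for the sample run (constructed)

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<service>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse(text, year):
    """Turn raw syslog text into records. Lines that do not parse are skipped
    in this view; the underlying log is left complete."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {"date": date(year, MONTHS[m["mon"]], int(m["day"])),
               "service": m["service"], "msg": m["msg"]}


def select_range(records, rng, today):
    """Imitate Logwatch's --range for its three simplest values."""
    if rng == "all":
        return list(records)
    if rng == "today":
        target = today
    elif rng == "yesterday":
        target = today - timedelta(days=1)
    else:
        raise ValueError(f"unsupported range: {rng}")
    return [r for r in records if r["date"] == target]


def summarize_sshd(records):
    """Count failed and accepted sshd logins, keyed by who and from where."""
    failed, accepted = Counter(), Counter()
    for r in records:
        if r["service"] != "sshd":
            continue
        if (m := FAILED_RE.search(r["msg"])):
            failed[(m["user"], m["ip"])] += 1
        elif (m := ACCEPTED_RE.search(r["msg"])):
            accepted[(m["user"], m["ip"], m["method"])] += 1
    return failed, accepted


def render(failed, accepted, detail):
    """Format an sshd section. Like --detail: 0 gives totals only, 5 and
    above adds the per-user, per-source breakdown."""
    lines = [" --------------------- SSHD Begin ------------------------",
             f" Failed logins: {sum(failed.values())}"]
    if detail >= 5:
        for (user, ip), n in sorted(failed.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"    {user} from {ip}: {n} time(s)")
    lines.append(f" Accepted logins: {sum(accepted.values())}")
    if detail >= 5:
        for (user, ip, method), n in sorted(accepted.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"    {user} from {ip} ({method}): {n} time(s)")
    lines.append(" ---------------------- SSHD End -------------------------")
    return lines


def report(text=SAMPLE_LOG, rng="yesterday", detail=0, today=RUN_DATE, year=SAMPLE_YEAR):
    """End to end: parse, select the date range, summarize, render."""
    records = select_range(parse(text, year), rng, today)
    return render(*summarize_sshd(records), detail)


if __name__ == "__main__":
    print("\n".join(report(detail=0)))            # yesterday, totals only
    print("\n".join(report(rng="all", detail=10)))  # everything, full breakdown
```

Running it prints a totals-only report for "yesterday" followed by a full breakdown for "all"; the same seven raw lines back both views, which is the whole point of filtering at read time rather than at collection time. A real deployment would also have to handle the year rollover that bare syslog timestamps hide, and would parse many more message shapes than the two sshd patterns shown here.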

Logwatch is free and open source software, distributed under the terms of a copyfree license: the MIT/X11 License. It is available in many open source Unix-like operating systems' default software management systems, or from the Logwatch download page at SourceForge.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
