Any good systems administrator will tell you one of the best places to start troubleshooting is in the log files. This is true for everyday system issues or, more importantly, security issues. On Linux systems, these logs are found in /var/log and can be viewed with a terminal and any number of commands (less and cat, for example). That, of course, means you’d need to open a terminal, change into the /var/log directory, and view the log files one at a time. What if you could make use of a single application that would monitor that log directory and create an aggregate digest of entries that you could easily comb through? One file, many logs.
That’s where Logwatch comes into play. With this simple tool, logs are categorized by services running on a Linux system. You can configure which logs you want to include in the aggregate and even create custom analytics to meet special needs.
I want to walk you through the process of installing, configuring, and using Logwatch. I’ll be demonstrating on Ubuntu Server 16.04.
Installation
Since Logwatch is found in the standard repositories, you can install the tool from the command line on nearly any distribution. Simply modify the command below to match your particular distribution's package manager.
To install on Ubuntu, open a terminal and issue the command:
sudo apt-get install logwatch
Depending on your current setup, you may be asked to configure Postfix during the installation (Figure A).
Figure A
The reason you need to configure Postfix is for the delivery of the Logwatch email. Depending on how you want that email delivered, you will need to select from one of the available options. If you opt to go with Local Only, you can then install mailutils (sudo apt install mailutils) and then check for mail with the command sudo mail.
Once the installation is complete, you’re ready to configure.
Configuration
All Logwatch configuration is handled in a single file. Open a terminal and issue the command sudo nano /usr/share/logwatch/default.conf/logwatch.conf. The first option to be configured is to direct Logwatch where to send email. The option you’re looking for is MailTo =. How you set this up will depend upon how you configured the service. If you configured Logwatch for local only delivery, you’ll want to set MailTo = to the user you want reading the email. If you set Logwatch up for either Internet or Internet with Smarthost, you’ll want to set that option to the necessary email address that needs to view the Logwatch digest.
Scroll down a bit further, to the MailFrom = option. If you're using Logwatch with either Internet or Internet with Smarthost, you need to set this to a legitimate email address (otherwise you could run into issues with remote delivery).
The next option is Range =. This allows you to set the email digest to the following options:
- All: everything since Logwatch was installed.
- Today: today's logs.
- Yesterday: yesterday's logs.
By default, Range is set to yesterday.
Scroll down just a few more lines to set the Detail option. This will determine how detailed your logs are. If you need more information, set Detail = High. For a moderate amount of information, set Detail = Med. For less information (the default), leave Detail = Low.
The next option is Service =. With this you can either set it for All services or list them out individually. So you can go with either the default (Service = All), or something like:
Service = http
Service = sshd
Service = sudo
If you’re not sure about this option, leave it at All and then configure as needed.
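To tie the configuration steps above together, here is an added example (my own script, not part of the article or of the Logwatch project) that renders the MailTo, MailFrom, Range, Detail and Service options as a logwatch.conf fragment, checks the Range and Detail values against the ones the article lists before writing anything, and writes the result with an atomic rename. The file path is an assumption: the article edits /usr/share/logwatch/default.conf/logwatch.conf directly, while a separate override file such as /etc/logwatch/conf/logwatch.conf survives package upgrades; pass whichever path you use.

```shell
#!/bin/sh
# Added example, not from the article: render and install a Logwatch
# configuration fragment with the options discussed in the text.

# Path assumptions (not from the article): the default file the article edits,
# and an override file that package upgrades leave alone.
LW_DEFAULT_CONF=/usr/share/logwatch/default.conf/logwatch.conf
LW_OVERRIDE_CONF=/etc/logwatch/conf/logwatch.conf

# validate_option NAME VALUE -> returns 0 if VALUE is one the article lists for NAME.
# Comparison is case-insensitive ("yesterday" and "Yesterday" both pass).
validate_option() {
    lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$1" in
        Range)  case "$lc" in all|today|yesterday) return 0 ;; esac ;;
        Detail) case "$lc" in low|med|high) return 0 ;; esac ;;
    esac
    return 1
}

# render_logwatch_conf MAILTO MAILFROM RANGE DETAIL [SERVICE...] -> prints the fragment.
# With no SERVICE arguments it emits "Service = All"; otherwise one line per service.
render_logwatch_conf() {
    mailto=$1; mailfrom=$2; range=$3; detail=$4; shift 4
    validate_option Range "$range"   || { echo "invalid Range: $range" >&2; return 1; }
    validate_option Detail "$detail" || { echo "invalid Detail: $detail" >&2; return 1; }
    printf 'MailTo = %s\n'   "$mailto"
    printf 'MailFrom = %s\n' "$mailfrom"
    printf 'Range = %s\n'    "$range"
    printf 'Detail = %s\n'   "$detail"
    if [ $# -eq 0 ]; then
        printf 'Service = All\n'
    else
        for svc in "$@"; do
            printf 'Service = %s\n' "$svc"
        done
    fi
}

# write_logwatch_conf FILE MAILTO MAILFROM RANGE DETAIL [SERVICE...]
# Renders to a temporary file first so a validation failure never leaves a
# half-written configuration behind, then moves it into place.
write_logwatch_conf() {
    file=$1; shift
    render_logwatch_conf "$@" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file"
}

# Usage (run as root):
#   write_logwatch_conf "$LW_OVERRIDE_CONF" root root@example.com yesterday Med sshd sudo
```

Run the script with `sh -c '. ./logwatch-conf.sh; write_logwatch_conf ...'` or paste the functions into your shell. The validation only knows the three Range and three Detail values the article names; Logwatch itself accepts other forms (for example numeric detail levels), so extend validate_option if you use them.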
Usage
Now that you have Logwatch configured, it will start sending the digest on a daily basis. You can also run the tool manually, like so:
logwatch --detail Med --mailto ADDRESS --service all --range today
Where ADDRESS is either a remote email address or a local user. The report will be sent and you can then comb through the details (Figure B).
Figure B
You don’t have to worry about running the command daily, as Logwatch will automatically send the email that contains the results of the command (as per your logwatch.conf configuration).
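Reading the digest by eye works for one server, but a few dozen lines of shell can pull out the part that matters on a given day. The following is an added example (mine, not from the article or from Logwatch) that isolates the SSHD section of a digest by its Begin/End banners and totals the "Failed logins from:" counts, so a daily cron job can flag a noisy day. The sample digest embedded in the script is constructed for this example and only approximates Logwatch's real text layout; compare it with a report from your own system before relying on the field positions.

```shell
#!/bin/sh
# Added example, not from the article: triage an emailed Logwatch digest.

# Constructed sample digest. It approximates Logwatch's section banners and
# the sshd "Failed logins from:" block; it is not real output from any system.
SAMPLE_DIGEST='
 --------------------- sudo Begin ------------------------ 
 jack => root
 ------------
 /usr/bin/apt-get update - 1 Time(s)
 ---------------------- sudo End ------------------------- 

 --------------------- SSHD Begin ------------------------ 
 Failed logins from:
    203.0.113.5: 7 times
    198.51.100.23: 3 times

 Users logging in through sshd:
    admin:
       192.0.2.10: 2 times
 ---------------------- SSHD End ------------------------- 
'

# digest_section NAME -> prints the lines between the "NAME Begin" and
# "NAME End" banners of the digest read from stdin (banners excluded).
digest_section() {
    awk -v name="$1" '
        $0 ~ "-+ " name " Begin -+" { inside = 1; next }
        $0 ~ "-+ " name " End -+"   { inside = 0 }
        inside
    '
}

# failed_login_total -> sums the "N times" counts listed under
# "Failed logins from:" in an SSHD section read from stdin. The block ends at
# the next non-blank line that does not end in "time"/"times".
failed_login_total() {
    awk '
        /Failed logins from:/                 { inblock = 1; next }
        inblock && /times?$/                  { total += $(NF-1); next }
        inblock && NF > 0                     { inblock = 0 }
        END                                   { print total + 0 }
    '
}

# sshd_failed_logins -> total failed sshd logins for the digest on stdin.
sshd_failed_logins() {
    digest_section SSHD | failed_login_total
}

# sshd_failed_logins_over THRESHOLD -> exit 0 if the digest on stdin reports
# more failed sshd logins than THRESHOLD, 1 otherwise.
sshd_failed_logins_over() {
    total=$(sshd_failed_logins)
    [ "$total" -gt "$1" ]
}

# Usage: feed a saved digest and alert above a threshold of your choosing, e.g.
#   if sshd_failed_logins_over 50 < /var/mail/root; then echo "review sshd today"; fi
# or for the constructed sample:
#   printf '%s\n' "$SAMPLE_DIGEST" | sshd_failed_logins
```

The awk filters match on the section banners and the trailing "times" token rather than on column positions, so minor spacing differences between Logwatch versions do not break them; a change to the banner wording would, which is why the sample is worth checking against a real report first.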
Make time to read
By all means, you should make time to read. As long as you are including logs with your daily reading list (especially those generated by Logwatch), you should be good to go. Your Linux systems (and your company) will thank you for it.