Monitor Your Box with Logwatch

Let’s face it: monitoring system logs is a major pain in the tuchas. Logs tell us everything we need to know about our systems and more, but browsing through those logs for signs of danger or intrusion gets really old really fast. Fortunately there’s a tool out there to make it a little easier: Logwatch.

Now in version 5.2.2, Logwatch makes monitoring system logs a part of something that’s already a major part of our daily routines: reading email. This configurable Perl script parses through your logs, extracts the important information, and drops it into a nice email. Some distros, such as Red Hat, ship with Logwatch preinstalled.

Downloads come in two flavors: binary RPM packages and source tarballs. When downloading from source, there’s really no configuration or compiling to deal with; you can simply copy the configure files and scripts into a directory, tweak the global config file, and create a cron job to run the script regularly.

The configuration is very flexible, allowing you to select all your logs (default) or just a few. Reporting details are on a scale from 1 to 10, so if you decide you’re still receiving too much information you can cut back a bit. And because it’s all delivered via email, sysadmins running multiple boxes can have them all delivered to one main email address, simplifying things even further.

If you’re a home user not in the habit of checking root’s mail, log in as or su to root and run Pine from the command line. If you see several logwatch entries, then you’re already set; just find the logwatch.conf file (typically /etc/log.d/conf/logwatch.conf) and tweak it to your needs. The configure file is well commented and contains several examples. If you’re installing from the binary, you can also try man logwatch to learn more.