How To Monitor Linux System Logs with Logwatch

Introduction

System logs contain valuable information about the activities and events occurring on your Linux server. However, manually reviewing these logs can be time-consuming and overwhelming. That's where Logwatch comes in. Logwatch is a powerful log analysis and monitoring tool that automates the process of parsing and summarizing system logs, making it easier for system administrators to identify potential issues, security threats, and system performance trends. In this blog, we will explore the benefits of using Logwatch, its installation process, and how to customize its configuration to suit your monitoring needs. By the end, you'll have a solid understanding of how Logwatch can help you gain insights into your system's log data and keep your Linux server running smoothly.

Benefits of Using Logwatch

Using Logwatch offers several benefits for monitoring system logs.

Time Efficiency: Manually reviewing system logs can be a time-consuming task, especially when dealing with large log files or multiple servers. Logwatch automates this process by parsing and summarizing log data, providing concise and organized reports that highlight important events and trends. This saves administrators valuable time and allows them to focus on critical issues.

Centralized Log Analysis: Logwatch consolidates log data from various sources, such as system logs, application logs, and security logs, into a unified report. This centralized approach simplifies log analysis, making it easier to identify patterns, anomalies, and potential security threats across the system.

Quick Issue Identification: Logwatch provides a clear and concise summary of log events, highlighting any warnings, errors, or critical issues that require attention. By regularly reviewing Logwatch reports, administrators can promptly identify and address system problems, ensuring optimal performance and minimizing downtime.

Security Monitoring: System logs contain valuable information for detecting security incidents and unauthorized access attempts. Logwatch helps in monitoring and analyzing security logs, providing insights into potential security breaches, failed login attempts, suspicious activities, and other security-related events. This enables administrators to take proactive measures to enhance system security.

Customization and Flexibility: Logwatch offers a range of customization options to tailor the log monitoring process to specific requirements. Administrators can configure which log files to analyze, set alert thresholds, define report formats, and apply filters to focus on relevant log entries. This flexibility allows for fine-tuning the monitoring process and adapting it to the unique needs of the system.

Historical Analysis and Trend Identification: By maintaining a history of log reports, Logwatch enables administrators to analyze system performance trends over time. This helps in identifying recurring issues, monitoring resource usage patterns, and making informed decisions regarding system optimization and capacity planning.

Monitor Linux System Logs with Logwatch

In this tutorial, we will use an Ubuntu system for demonstration.

1. Install Logwatch and Sendmail

Before the installation, log into the server as the root user, input the password as prompted, and then update your system.

sudo -i
apt update && apt upgrade

Then, install Logwatch and Sendmail.

apt install logwatch sendmail

Sendmail is a server application that sends email using the Simple Mail Transfer Protocol (SMTP). It is typically installed on a dedicated email server that accepts outgoing messages and delivers them to the defined recipients. Once it is properly configured, Sendmail is what delivers the Logwatch reports or digests to your email address.

2. Configure Logwatch

The default configuration file for Logwatch is located at "/usr/share/logwatch/default.conf/logwatch.conf". Use any text editor to modify the content. Here, we will use the nano text editor.

nano /usr/share/logwatch/default.conf/logwatch.conf

2.1 Log Directories

LogDir defines the directories containing the log files that you want Logwatch to analyze. By default, Logwatch goes through all the logs located within the /var/log directory and generates reports on your system's log activity. If you have logs in other directories, such as custom application logs or website logs that need to be reported, add one additional "LogDir" line per directory.

TmpDir specifies the directory where Logwatch stores temporary files and working files during its execution. Although this can be any directory you want, we will keep the default value /var/cache/logwatch. You’ll have to manually create this directory when we finish editing this file.


2.2 Output and Format Configuration

Output determines the destination or method for delivering Logwatch reports, and Format determines how each report is rendered. There are three options for the "Output" setting:

-stdout: Logwatch reports are displayed on the standard output (console) when Logwatch is executed. This is the default option, and it is useful for viewing reports on demand or for capturing the output for further processing or redirection.
-mail: Logwatch reports are sent via email to the address specified in the Logwatch configuration. This option lets you receive Logwatch reports directly in your inbox. To use it, make sure that your system has a working mail transfer agent (MTA) configured, such as Sendmail or Postfix, to handle outgoing email.
-file: Logwatch reports are saved to a file. You specify the path and name using the Filename option in the Logwatch configuration. This option is useful if you want to store the reports for later reference or for automated processing.

The "Format" setting accepts the following values:

-text: Logwatch generates reports in a simple, text-based format that is easy to read and parse. This format is suitable for viewing reports in a console or terminal window, storing them as plain text files, or integrating them with other text-based tools or systems.
-html: Logwatch reports are generated in HTML format. This is suitable for viewing reports in a web browser or embedding them in web pages.
-html-noencode: Similar to the html option, but special characters in the HTML output are not encoded. This option might be necessary for compatibility with certain systems or applications.

2.2.1 If you need to view reports immediately in a console or terminal window, set Output = stdout and Format = text.
2.2.2 If you would like Logwatch to send the report to a specific email, configure the following fields.

Output = mail
Format = html #Choose the format (html or text) you prefer. In this case, we choose html.
MailTo = your email address #A valid email address or a local account. For a local account, you can set MailTo = root
MailFrom = Logwatch #Change this to a valid email address or a local user such as the hostname (run "hostname" in the terminal to get it). It can also be left as Logwatch.

2.2.3 If you would like to save the Logwatch reports to a file, specify the file path and name using the Filename option in the Logwatch configuration.

Output = file
Format = text #Choose the format (html or text) you prefer. In this case, we choose text.
Filename = /tmp/logwatch #Find and uncomment (remove the hash mark [#]) the Filename line. Set the path and filename in which you wish to save your Logwatch digests. In this case, we keep the default value.


2.3 Service Configuration

The Service setting specifies which system services or log files Logwatch should analyze and include in its reports.

2.3.1 You can include all services by setting Service = All. If you need to exclude one or more services, add an additional "Service" line for each exclusion in the form Service = "-servicename".
2.3.2 If you only need to include some of the services, add one Service line for each service you want instead.
To see a full list of services, run the following command.
ls -l /usr/share/logwatch/scripts/services

2.4 Range and Detail Configurations

Range determines the time range for which Logwatch generates reports.
Detail determines the level of detail in the generated Logwatch reports. It allows you to specify the amount of information and verbosity in the reports. The available options for the "Detail" setting include:

-Low: Generates concise reports with minimal details.
-Medium: Provides a balanced level of detail in the reports.
-High: Generates comprehensive reports with maximum details and verbosity.

Set the range and detail you need.

When you finish the configuration, press "Ctrl" and "x", then enter "y", followed by hitting the "Enter" key to save the changes.

After saving the file, there is one more step: create the temporary directory for Logwatch, since it will not create it itself. Run the following command.
mkdir /var/cache/logwatch

3. Run Logwatch

You can choose to either manually run this program or automatically run it with a cron job.

Run Logwatch Manually

Since you have already configured the Logwatch file, you can simply run this command to run Logwatch with the settings from the previous step.
logwatch
sudo /usr/sbin/logwatch #Run this if you have not switched to the root account.
If you would like to test different parameters, you can specify them on the command line to override your default settings. Here are the available options.
logwatch [--detail level] [--logfile log-file-group] [--service service-name] [--print] [--mailto address] [--archives] [--range range] [--debug level] [--save file-name] [--logdir directory] [--hostname hostname] [--splithosts] [--multiemail] [--output output-type] [--numeric] [--no-oldfiles-log] [--version] [--help|--usage]
For example, if you would like to get a low-detail report on the http service for today by email, run the following command. Feel free to replace any of the parameters with the ones you'd like to test.
logwatch --detail Low --mailto email@address --service http --range today

Run Logwatch Automatically

You can also set up a cron job to run Logwatch automatically at a regular frequency. For example, we configure it to run at 6:35 a.m. each day. First, open the file with the nano text editor.
nano /etc/crontab
Then enter the settings into the configuration file. After that, press "Ctrl" and "x", then enter "y", followed by hitting the "Enter" key to save the changes.
35 6 * * *  root   /usr/sbin/logwatch
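As an added example (not from the original post or the Logwatch project), a small POSIX shell script that checks the configuration from section 2 and the crontab line above before you rely on them: an invalid Output or Format value, Output = mail without a MailTo, Output = file without a Filename, a TmpDir that has not been created yet, and a cron command path that is not executable. The function names conf_value, check_logwatch_conf and check_cron_line are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the settings from
# section 2 before trusting them. conf_value() reads one "Key = value" line
# from a logwatch.conf, stripping "#" comments and quotes, and
# check_logwatch_conf() reports the combinations the tutorial warns about.

# conf_value FILE KEY -> value of the last matching "KEY = value" line
conf_value() {
    sed -e 's/#.*//' "$1" | awk -F'=' -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v); val = v }
        END { print val }'
}

# check_logwatch_conf FILE -> prints one finding per line, returns 1 if any
check_logwatch_conf() {
    rc=0
    output=$(conf_value "$1" Output)
    format=$(conf_value "$1" Format)
    mailto=$(conf_value "$1" MailTo)
    filename=$(conf_value "$1" Filename)
    tmpdir=$(conf_value "$1" TmpDir)
    case "$output" in
        stdout|mail|file) ;;
        *) echo "Output must be stdout, mail or file (got '$output')"; rc=1 ;;
    esac
    case "$format" in
        text|html|html-noencode) ;;
        *) echo "Format must be text, html or html-noencode (got '$format')"; rc=1 ;;
    esac
    if [ "$output" = mail ] && [ -z "$mailto" ]; then
        echo "Output = mail but MailTo is unset"; rc=1
    fi
    if [ "$output" = file ] && [ -z "$filename" ]; then
        echo "Output = file but Filename is unset"; rc=1
    fi
    if [ -n "$tmpdir" ] && [ ! -d "$tmpdir" ]; then
        echo "TmpDir $tmpdir does not exist yet; create it with mkdir"; rc=1
    fi
    return $rc
}

# check_cron_line "35 6 * * * root /usr/sbin/logwatch" -> 1 if the command
# (7th field of a /etc/crontab line) is not executable, e.g. a mistyped path
check_cron_line() {
    cmd=$(printf '%s\n' "$1" | awk '{ print $7 }')
    [ -x "$cmd" ] || { echo "cron command '$cmd' is not executable"; return 1; }
}
```

Point check_logwatch_conf at the file you edited; Logwatch also honours a per-host override at /etc/logwatch/conf/logwatch.conf, which survives package upgrades of the default file.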

4. View Reports

When you run Logwatch, you should be able to receive or view reports.

Output = mail

If you choose mail as the output, the configured email address should receive the report each time Logwatch runs. The email may land in the Junk Email folder, so if you don't see it in your inbox, check there.

Output = stdout

With this stdout output option, you should see the report immediately as you run Logwatch manually.
logwatch

Output = file

If the value of Output is set to file, you can open the file named by the Filename setting in the configuration file using any text editor. Here, we use the default filename.
logwatch
nano /tmp/logwatch

That's it! You should now be able to set up log monitoring with Logwatch and Sendmail.

Conclusion

Logwatch provides a reliable and efficient solution for monitoring system logs, enabling system administrators to stay informed about the health, security, and performance of their Linux systems. By automating the log analysis process and generating comprehensive reports, Logwatch simplifies the task of identifying and troubleshooting potential issues, allowing for proactive and timely responses. Whether you are a small business owner or a seasoned system administrator, integrating Logwatch into your monitoring toolkit can greatly enhance your ability to maintain a stable and secure system environment. So, take the time to set up Logwatch, explore its customizable options, and gain valuable insights into your system logs, ensuring the optimal functioning of your Linux infrastructure.