
How to use logwatch to read logs in Linux system

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01 Report

This article introduces how to use logwatch to read logs in a Linux system. Many people have questions about this in daily operation, so the editor consulted a range of material and put together a simple, easy-to-use procedure. I hope it helps answer those questions; please follow along.

The Linux operating system and many applications create special files, commonly called "logs", to record their runtime events. These system logs and application-specific log files are essential tools for understanding the behaviour of the operating system or of third-party applications and for troubleshooting. However, log files are rarely what you would call clear or easy to read, and analysing raw log files by hand is tedious and time-consuming. Any tool that turns raw log files into a more human-readable summary is therefore of great benefit to a system administrator.

Logwatch is an open source log parser written in Perl. It parses raw log files and converts them into structured reports, and those reports can be customised to your usage and needs. The main purpose of logwatch is to produce log summaries that are easier to read; it is not meant for real-time log processing or monitoring. For that reason logwatch is usually scheduled to run automatically at a set time and frequency, or run by hand from the command line when a report is needed. Once a report has been generated, logwatch can email it to you, save it to a file, or print it directly to the screen.

The level of detail and the coverage of logwatch reports are fully customisable. The log-processing engine is also extensible: if you want to cover a new application with logwatch, you only need to write a log-processing script (in Perl) for that application's log file and add it to logwatch.

The downside of logwatch is that the reports it generates lack the detailed timestamps present in the original log files. You can only see which events were recorded within a period of time; if you need the exact point in time, you have to go back to the original log file.

Install Logwatch

On Debian and Debian-derived systems:

The code is as follows:

# aptitude install logwatch

On Red Hat-based distributions:

The code is as follows:

# yum install logwatch

Configure Logwatch

During installation, the main configuration file (logwatch.conf) is placed in the /etc/logwatch/conf directory. The options set in this file (which is empty by default) override the system-wide settings defined in /usr/share/logwatch/default.conf/logwatch.conf.

If you start logwatch from the command line without arguments, the options defined in /etc/logwatch/conf/logwatch.conf are used. As soon as you pass command-line parameters, however, they override any default or custom settings in /etc/logwatch/conf/logwatch.conf.

In this article we will edit /etc/logwatch/conf/logwatch.conf to personalise some of the default settings.

The code is as follows:

Detail =

The "Detail" directive controls the level of detail of the logwatch report. It can be a positive integer or one of the keywords High, Med and Low, which stand for 10, 5 and 0 respectively.

The code is as follows:

MailTo = youremailaddress@yourdomain.com

To have the logwatch report emailed to you, use the "MailTo" directive. To send the report to several users, list their email addresses separated by spaces. For this directive to work, a local mail transfer agent (MTA) such as sendmail or Postfix must be configured on the server where logwatch runs.

The code is as follows:

Range =

The "Range" directive defines the time period covered by the logwatch report. The usual values are Yesterday, Today and All. When "Range = All" is used, the "Archive = yes" directive must also be set so that archived log files (such as /var/log/maillog, /var/log/maillog.X or /var/log/maillog.X.gz) are processed as well.

In addition to these general range values, you can also use complex selection values, as follows:

The code is as follows:

Range = "2 hours ago for that hour"

Range = "-5 days"

Range = "between -7 days and -3 days"

Range = "since September 15, 2014"

Range = "first Friday in October"

Range = "12:50:15 for that second on 2014-10-15"

To use free-form ranges like the ones above, you need to install the Perl module Date::Manip from CPAN (the Comprehensive Perl Archive Network).

The code is as follows:

Service =

Service =

...

The "Service" directive specifies the service or services you want to monitor. Any service listed in the /usr/share/logwatch/scripts/services directory can be monitored; the directory already covers important system services (such as pam, secure, iptables and syslogd) as well as popular application services such as sudo, sshd, http, fail2ban and samba. To add a new service to the list, write a corresponding log-processing Perl script and place it in that directory.

If you use this directive to select specific services, you need to comment out the line "Service = All" in /usr/share/logwatch/default.conf/logwatch.conf.

The code is as follows:

Format =

The "Format" directive defines the format of a logwatch report (text or html).

The code is as follows:

Output =

The "Output" directive defines where the generated logwatch report is sent. It can be saved to a file (file), sent by email (mail), or printed directly to the screen (stdout).
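The directives above interact: "Range = All" silently skips rotated logs unless "Archive = yes" is set, "Output = mail" is useless without "MailTo", and "Output = file" needs a "Filename". The following POSIX shell script is an added example, not code from the article or from the logwatch project; it reads a logwatch.conf in the "Key = Value" form shown above and reports violations of the rules the text states. The function names conf_get and check_logwatch_conf and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or the logwatch project): check a
# logwatch.conf against the directive rules described in the text.
# Assumes "Key = Value" lines and "#" comments, as in the page's examples.

# conf_get FILE KEY: print the last value assigned to KEY (empty if unset).
conf_get() {
    sed -e 's/#.*//' "$1" | awk -v key="$2" -F= '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        NF >= 2 && tolower(trim($1)) == tolower(key) { val = trim($2) }
        END { print val }'
}

# check_logwatch_conf FILE: print one problem per line; return 1 if any found.
check_logwatch_conf() {
    f=$1; rc=0
    detail=$(conf_get "$f" Detail)
    range=$(conf_get "$f" Range)
    archive=$(conf_get "$f" Archive)
    output=$(conf_get "$f" Output)
    mailto=$(conf_get "$f" MailTo)
    filename=$(conf_get "$f" Filename)

    # Detail is High/Med/Low (10/5/0) or a non-negative integer; unset means default.
    case "$detail" in
        ""|High|Med|Low|[0-9]|[0-9][0-9]) ;;
        *) echo "Detail='$detail' is not High, Med, Low or an integer"; rc=1 ;;
    esac

    # Range = All only reaches rotated logs (maillog.X, maillog.X.gz) with Archive = yes.
    if [ "$range" = "All" ] && [ "$archive" != "yes" ]; then
        echo "Range = All needs Archive = yes, otherwise rotated logs are skipped"; rc=1
    fi

    # The destination must have what it needs: an address for mail, a path for file.
    case "$output" in
        mail)      [ -n "$mailto" ]   || { echo "Output = mail but MailTo is unset"; rc=1; } ;;
        file)      [ -n "$filename" ] || { echo "Output = file but Filename is unset"; rc=1; } ;;
        ""|stdout) ;;
        *) echo "Output='$output' is not file, mail or stdout"; rc=1 ;;
    esac
    return $rc
}

# Usage: write a constructed config (not a real server's) to a temporary file and check it.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
Detail = High
Range = All        # rotated logs will be skipped: Archive is not set
Output = mail      # MailTo is missing
EOF
if check_logwatch_conf "$demo_conf"; then
    echo "config OK"
fi
rm -f "$demo_conf"
```

Run it against /etc/logwatch/conf/logwatch.conf before adding logwatch to cron; a report that never arrives or that silently omits rotated logs is easy to miss precisely because logwatch is not a real-time tool.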

Use Logwatch to analyze log files

To figure out how to use logwatch to analyze log files, refer to the following logwatch.conf file example:

The code is as follows:

Detail = High

MailTo = youremailaddress@yourdomain.com

Range = Today

Service = http

Service = postfix

Service = zz-disk_space

Format = html

Output = mail

With these settings, logwatch processes the logs generated today by the three services (http, postfix and zz-disk_space), produces a very detailed report in HTML format, and emails it to you.

If you would rather not personalise /etc/logwatch/conf/logwatch.conf, you can leave the file at its defaults and run the command below from the command line instead. You get the same output.

The code is as follows:

# logwatch --detail 10 --mailto youremailaddress@yourdomain.com --range today --service http --service postfix --service zz-disk_space --format html --output mail

The emailed report looks like this: the email header contains links that navigate to the details of each report section, and the detail section of each selected service has a "return to the top" link.

Sending the report by email is fine when there are only a few recipients. Otherwise you may prefer to generate the report as an HTML file so that everyone who wants to see it can view it on a shared web page. Only a few changes to the configuration above are needed:

The code is as follows:

Detail = High

Range = Today

Service = http

Service = postfix

Service = zz-disk_space

Format = html

Output = file

Filename = /var/www/html/logs/dev1.html

Similarly, you can run the following command on the command line.

The code is as follows:

# logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /var/www/html/logs/dev1.html
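The article states twice that a logwatch.conf and the corresponding command line produce the same report. The following POSIX shell script is an added example, not code from the article or from the logwatch project; it reads a logwatch.conf and prints the equivalent one-shot command using the directive-to-option mapping the two examples above demonstrate (Detail, MailTo, Range, Service, Format, Output, Filename), with the High/Med/Low to 10/5/0 mapping stated for Detail. The function name conf_to_args and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or the logwatch project): print the
# command line equivalent to a logwatch.conf, using the directive-to-option
# mapping the article demonstrates. Assumes "Key = Value" lines, "#" comments,
# and the High/Med/Low = 10/5/0 mapping stated for Detail.

# conf_to_args FILE: print "logwatch --detail ... --service ..." on one line.
conf_to_args() {
    sed -e 's/#.*//' "$1" | awk -F= '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        NF >= 2 {
            key = tolower(trim($1)); val = trim($2)
            if (key == "detail") {                   # keyword -> number, as --detail expects
                lv = tolower(val)
                if (lv == "high") val = 10; else if (lv == "med") val = 5; else if (lv == "low") val = 0
            }
            if (key == "range") val = tolower(val)   # Today -> today, as on the command line
            if (key == "service") { svc = svc " --service " val; next }   # repeatable option
            opt[key] = val                           # last assignment wins, as in the config file
        }
        END {
            cmd = "logwatch"
            if ("detail"   in opt) cmd = cmd " --detail "   opt["detail"]
            if ("mailto"   in opt) cmd = cmd " --mailto "   opt["mailto"]
            if ("range"    in opt) cmd = cmd " --range "    opt["range"]
            cmd = cmd svc
            if ("format"   in opt) cmd = cmd " --format "   opt["format"]
            if ("output"   in opt) cmd = cmd " --output "   opt["output"]
            if ("filename" in opt) cmd = cmd " --filename " opt["filename"]
            print cmd
        }'
}

# Usage with the file-output configuration from the article, written to a temporary file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
Detail = High
Range = Today
Service = http
Service = postfix
Service = zz-disk_space
Format = html
Output = file
Filename = /var/www/html/logs/dev1.html
EOF
conf_to_args "$demo_conf"
rm -f "$demo_conf"
```

The printed command is what you would type to get the same report without touching the configuration file. When the destination is a web-served path such as /var/www/html/logs, remember that the report summarises sshd, sudo and similar activity, so restrict who can reach that page rather than leaving it world-readable.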

Finally, let's use cron to schedule logwatch. In the following example, logwatch runs at 12:15 on every weekday (Monday to Friday).

The code is as follows:

# crontab -e

15 12 * * 1,2,3,4,5 /sbin/logwatch

This concludes the study of how to use logwatch to read logs in a Linux system. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! To keep learning, please continue to follow this website; the editor will keep working to bring you more practical articles.
