
Thursday, 12 September 2013

How to configure logwatch on a system

Install logwatch with yum, from the RPM, or from the source tarball:

# yum install logwatch

(or rpm -ivh the logwatch RPM, or tar -xvf the source tarball and follow its README). Then configure it.

Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf

The default configuration file is reproduced below; adjust the options to suit your system (every option can also be overridden on the command line).

# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.

LogDir = /var/log

# You can override the default temp directory (/tmp) here

TmpDir = /tmp

# Default person to mail reports to. Can be a local account or a
# complete email address.

MailTo = root

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.

Print = No

# Leave this to 'Yes' if you have the mktemp program and it supports
# the '-d' option. Some older version of mktemp on pre-RH7.X did not
# support this option, so set this to no in that case and Logwatch will
# use internal temp directory creation that is (hopefully) just as secure

UseMkTemp = Yes

#
# Some systems have mktemp in a different place
#

MkTemp = /bin/mktemp

# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...

# The current choices are All, Today, Yesterday

Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5

# High = 10
Detail = Med

# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.

Service = All

# You can also disable certain services (when specifying all)
#Service = -zz-fortune
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyzes all Log Files
# anyways...
#
# some systems have different locations for mailers
#

mailer = /usr/bin/mail

#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes
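The file format the comments above describe (comments to end of line, name = value with surrounding whitespace stripped, case-insensitive names, Yes/True/On/1 and No/False/Off/0 as booleans, Service given more than once) is simple enough to parse in a few lines, which is a handy way to check a config before trusting a cron job with it. The following is an added example, not logwatch's own code (logwatch is a Perl script that reads the file itself); the sample config it parses is constructed to mirror the defaults above plus the central-server keys, and which names are booleans and which may repeat are assumptions made for this example.

```python
"""Parser for the logwatch.conf key/value format described by the comments above.

Added example, not logwatch's own code.  Rules implemented, as the default file
states them: '#' starts a comment that runs to end of line, 'name = value' with
whitespace around name, value and '=' stripped, names compared case-insensitively,
Yes/True/On/1 and No/False/Off/0 treated as booleans.  Which names are booleans
and that 'Service'/'LogFile' may repeat are assumptions for this example.
"""
from typing import Any, Dict, List

BOOL_KEYS = {"print", "usemktemp", "archives", "hostlimit", "splithosts", "multiemail"}
LIST_KEYS = {"service", "logfile"}          # may appear several times; values accumulate
DETAIL_NAMES = {"low": 0, "med": 5, "high": 10}
_TRUE, _FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}


def parse_logwatch_conf(text: str) -> Dict[str, Any]:
    conf: Dict[str, Any] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments are effective to end of line
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name = value', got {raw.strip()!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        name = name.lower()                    # everything is case-insensitive
        if name in BOOL_KEYS:
            low = value.lower()
            if low not in _TRUE | _FALSE:
                raise ValueError(f"line {lineno}: {name} wants Yes/No, got {value!r}")
            conf[name] = low in _TRUE
        elif name in LIST_KEYS:
            conf.setdefault(name, []).append(value)
        else:
            conf[name] = value
    return conf


def detail_level(conf: Dict[str, Any]) -> int:
    """'Detail' may be Low/Med/High or a bare number; the default is Med (5)."""
    raw = str(conf.get("detail", "Med")).lower()
    return DETAIL_NAMES[raw] if raw in DETAIL_NAMES else int(raw)


def effective_services(conf: Dict[str, Any], available: List[str]) -> List[str]:
    """Expand 'Service' entries: 'All' selects every filter, '-name' drops one."""
    selected: List[str] = []
    for entry in conf.get("service", []):
        low = entry.lower()
        if low == "all":
            selected = list(available)
        elif entry.startswith("-"):
            selected = [s for s in selected if s.lower() != low[1:]]
        else:
            selected.append(entry)
    return selected


# Constructed config mirroring the defaults above, plus the central-server keys.
SAMPLE_CONF = """
LogDir = /var/log            # All log-files are relative to this directory
MailTo = root
Print = No
Range = yesterday
Detail = Med
Service = All
Service = -zz-fortune        # disable one service while keeping 'All'
mailer = /usr/bin/mail
SplitHosts = yes
HostLimit = no
"""

if __name__ == "__main__":
    conf = parse_logwatch_conf(SAMPLE_CONF)
    print(conf)
    print(effective_services(conf, ["sshd", "zz-fortune", "pam"]))
```

Feed it the real file with parse_logwatch_conf(open("/etc/logwatch/conf/logwatch.conf").read()) to catch a mistyped boolean or a stray line before the nightly run silently produces nothing.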

Email Notifications With Logwatch
Logwatch is a slick Perl script that bundles up logfile reports and emails them to you. Debian users can install it by running apt-get install logwatch. Debian puts the configuration files in /etc/logwatch, as do current RPMs (hence /etc/logwatch/conf/logwatch.conf above); older RPM builds used /etc/log.d. Of course you may also install from sources. Be sure to consult the README for installation.

To make it go, first find logwatch.conf. You'll need to make a few tweaks. Set the "MailTo" directive to your desired email address, or local account. For local mail, most Linux systems still come with venerable old "mail", which works just fine:

MailTo = ctechz
mailer = /usr/bin/mail


you may use any mailer you wish.

To make Logwatch send you a daily report, set the time range. "Today" covers only the part of the current day that has already passed, so for a job that runs early each morning (as in the cron entry further down) "Yesterday" gives you a complete day; use "Today" if you run it by hand at the end of the day:

Range = Yesterday

Other choices are "All" and "Today." Now set your desired detail level for your reports:

Detail = High

Save your changes, and run Logwatch to send you a report:

# logwatch

The whole idea is to have Logwatch work without you having to exert yourself, so now edit /etc/crontab to run Logwatch at your desired interval. This runs it daily at 6am (the RPM also installs /etc/cron.daily/0logwatch; remove or disable that if you add your own entry, or you will get two reports):

# m h dom mon dow user command
0 6 * * * root /usr/sbin/logwatch

How to configure logwatch on a central log server

Step #1: Configure Logwatch on the central log server

Main Configuration file for logwatch located at /etc/logwatch/conf/logwatch.conf

You need to edit the /etc/logwatch/conf/logwatch.conf file on the central log server. Edit the file using vi text editor, enter:


# vi /etc/logwatch/conf/logwatch.conf

Update / add settings as follows:

SplitHosts = yes
HostLimit = no
MultiEmail = no

SplitHosts breaks the report into one section per originating host; HostLimit = no makes Logwatch report on every host found in the logs rather than only the local hostname; MultiEmail = no sends one combined mail instead of one per host. This assumes the other servers already forward their syslog messages to this box (see the remote logging post below).

Step # 2: Disable Logwatch On Other Servers

Now you have a central log server configured to report on logs received from all systems. You need to disable the logwatch cron job on all the other boxes, otherwise each one keeps sending its own report as well:


# mv /etc/cron.daily/0logwatch /path/to/backup

Alternatively, you can simply remove the logwatch package:
# rpm -e logwatch

How to rotate log files

Problem: You want to control and organize your ever-growing log files

Solution:  Use logrotate, a program that compresses and/or deletes log files automatically once they are sufficiently old.


Add entries to /etc/logrotate.d/syslog



eg:   /etc/logrotate.d/syslog:
     /var/log/local0 /var/log/local1 ...others... {
         sharedscripts
         postrotate
             /bin/kill -HUP `cat /var/run/syslogd.pid`
         endscript
     }


The tool is called logrotate. It allows automatic rotation, compression, removal, and mailing of log files.

Each log file may be handled daily, weekly, monthly, or when it grows too large. With this tool you keep logs longer with less disk space.


 The default configuration file is /etc/logrotate.conf:

# see "man logrotate" for details
# rotate log files weekly
weekly
 

# keep 4 weeks worth of backlogs
rotate 4
 

# create new (empty) log files after rotating old ones
create
 

# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
 

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}


Service-specific configurations are stored in the /etc/logrotate.d directory; for example, here is a sample Apache logrotate configuration file:

# cat /etc/logrotate.d/httpd
Output:

/var/log/httpd/*.log {
    weekly
    rotate 52
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}


weekly : Log files are rotated if the current weekday is less than the weekday of the last rotation or if more than a week has passed since the last rotation.

rotate 52 : Log files are rotated 52 times before being removed or mailed to the address specified in a mail directive. If count is 0, old versions are removed rather than rotated.


compress : Old versions of log files are compressed with gzip to save disk space.


missingok : If the log file is missing, go on to the next one without issuing an error message.


notifempty : Do not rotate the log if it is empty


sharedscripts : Normally, prerotate and postrotate scripts are run for each log which is rotated, meaning that a single script may be run multiple times for log file entries which match multiple files. If sharedscripts is specified, the scripts are only run once, no matter how many logs match the wildcarded pattern. However, if none of the logs in the pattern require rotating, the scripts will not be run at all.


postrotate ... endscript : The lines between postrotate and endscript (both of which must appear on lines by themselves) are executed after the log file is rotated; here that is

/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true

which tells httpd to reopen its log files (the running process would otherwise keep writing to the renamed file). These directives may only appear inside a log file definition.

Apache log rotate

# vim /etc/logrotate.d/apache
/usr/local/apache2/logs/access_log /usr/local/apache2/logs/error_log {
    size 100M
    # without a 'rotate' line the default count is 0 and the rotated copy is deleted, not kept
    rotate 30
    compress
    dateext
    maxage 30
    postrotate
      /usr/bin/killall -HUP httpd
      ls -ltr /usr/local/apache2/logs | mail -s "$HOSTNAME: Apache restarted and log files rotated" ctechz@ctechz.com
    endscript
}

Two caveats on the postrotate block: killall -HUP httpd signals every process named httpd, whereas the packaged config above signals only the parent via its PID file; and HUP makes Apache restart immediately, dropping in-flight requests, while USR1 is the graceful restart signal if that matters to you.

Wednesday, 11 September 2013

How to setup Logging Remotely (on a remote machine)

Problem: You want system logger messages saved on a remote machine rather than locally
 

Solution: Configure /etc/syslog.conf for remote logging, using the "@" syntax:

/etc/syslog.conf
# send all messages to remote system "loghost"
 

*.*    @loghost

On loghost, tell syslogd to accept messages from the network by adding the -r option:

# syslogd -r ....

or within /etc/sysconfig/syslog:

SYSLOGD_OPTIONS=".... -r ...."

Remember to send a signal to syslogd to pick up any changes to /etc/syslog.conf, or restart the daemon, on both the sending host and loghost. The security benefit: once a message has been shipped to loghost, an intruder who later gains root on the sending system cannot delete or alter it locally; he can only stop or tamper with forwarding from that point on, which itself shows up as a gap in the central log. Two caveats: traditional syslog forwarding is plaintext UDP with no authentication, so anyone who can reach UDP/514 on loghost can inject fake entries, and -r makes syslogd accept from any host. Restrict UDP/514 on loghost to the known senders with your firewall, and remember that "*.*" also ships authpriv and mail entries across the network.

The system logger will not accept messages from another machine by default; the -r option above is what enables it.

To allow the loghost to be changed easily, set up a "loghost" CNAME record on your nameserver that points to a specific machine:

loghost IN CNAME watchdog.example.com.

Wednesday, 4 September 2013

How to setup log files in linux

Directing System Messages to Log Files (syslog)

Problem: You want to configure the system logger to use an organized collection of log files.
 

Solution: Setup /etc/syslog.conf for local logging

# vim /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                      /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none  /var/log/messages

# The authpriv file has restricted access.
authpriv.*                             /var/log/secure

# Log all the mail messages in one place.
mail.*                                 -/var/log/maillog

# Log cron stuff
cron.*                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                      *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                       /var/log/spooler

# Save boot messages also to boot.log
local7.*                               /var/log/boot.log

After you modify /etc/syslog.conf you must send a signal to force syslogd to reread it and apply your changes. Any of these will do:

# kill -HUP `pidof syslogd`
OR
# /etc/init.d/syslog reload
OR
# service syslog reload
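The selector syntax in the two posts above (facility.priority, several selectors joined with ";", "*" and "none", and the /file, -/file, @host and * actions) decides where each message lands, and the facility and severity also travel inside the <PRI> number of every datagram sent to loghost. The following is an added example, not part of either post or of sysklogd itself: it models that routing for the rules from both posts (the conf string is constructed from them, with "*.* @loghost" appended) and encodes/decodes PRI. The "=" and "!" selector modifiers are not handled.

```python
"""Model of syslogd's routing for the /etc/syslog.conf selectors shown in the
remote-logging and local-logging posts above.  Added example, not sysklogd code.
"""
from typing import Dict, List, Tuple

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# One rule: facility code -> least severe level still accepted, plus the action.
Rule = Tuple[Dict[int, int], str]


def encode_pri(facility: str, severity: str) -> int:
    """Value inside the '<PRI>' prefix of a syslog datagram sent to @loghost."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Inverse of encode_pri, as the receiving loghost computes it."""
    fac, sev = divmod(pri, 8)
    fac_name = next((n for n, v in FACILITIES.items() if v == fac), f"facility{fac}")
    sev_name = next(n for n, v in SEVERITIES.items() if v == sev)
    return fac_name, sev_name


def parse_rule(line: str) -> Rule:
    """'sel;sel;...   action' -> per-facility thresholds and the action string."""
    selector, action = line.split(None, 1)
    thresholds: Dict[int, int] = {}
    for sel in selector.split(";"):            # later selectors override earlier ones
        facs, pri = sel.rsplit(".", 1)
        codes = list(FACILITIES.values()) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for code in codes:
            if pri == "none":                   # e.g. mail.none: drop this facility here
                thresholds.pop(code, None)
            else:                               # '*' means every level, i.e. up to debug
                thresholds[code] = SEVERITIES["debug"] if pri == "*" else SEVERITIES[pri]
    return thresholds, action.strip()


def parse_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def route(rules: List[Rule], facility: str, severity: str) -> List[str]:
    """Every action whose selector accepts the message, in config order.
    A leading '-' on a file only disables the fsync after each write, so it is stripped."""
    fac, sev = FACILITIES[facility], SEVERITIES[severity]
    return [action.lstrip("-") for thresholds, action in rules
            if fac in thresholds and sev <= thresholds[fac]]


# Constructed /etc/syslog.conf: the local rules from the post plus the '@loghost' line.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                             /var/log/secure
mail.*                                 -/var/log/maillog
cron.*                                 /var/log/cron
*.emerg                                *
uucp,news.crit                         /var/log/spooler
local7.*                               /var/log/boot.log
*.*                                    @loghost
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, sev in [("authpriv", "info"), ("kern", "emerg"), ("user", "debug")]:
        print(f"{fac}.{sev} (PRI {encode_pri(fac, sev)}) -> {route(rules, fac, sev)}")
```

Running it shows the point made in the remote logging post: with "*.*" at the end, an authpriv.info message that is kept out of /var/log/messages by authpriv.none still goes to loghost, and user.debug, which no local file accepts, goes only to loghost.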

Wednesday, 8 February 2012

How to rotate logs in linux : Logrotate

The tool to use is logrotate. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

The Configuration file for the tool is  /etc/logrotate.conf

/etc/logrotate.d – When individual packages are installed on the system, they drop the log rotation configuration information in this directory.


# cat /etc/logrotate.d/yum
 /var/log/yum.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
We can just check the /etc/logrotate.conf file

# vim /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d


# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
Service-specific configurations are stored in the /etc/logrotate.d directory. Here is a sample Apache logrotate configuration file, followed by what each directive does:

# cat /etc/logrotate.d/httpd
/var/log/httpd/*.log {
    monthly
    minsize 1M
    rotate 10
    copytruncate
    notifempty
    dateext
    postrotate
        /home/script.sh
    endscript
    maxage 100
    missingok
    compress
    compresscmd /bin/bzip2
    compressext .bz2
}

monthly, minsize 1M : Rotate once a month, and then only if the file has grown past 1M (minsize is checked in addition to the time interval, not instead of it).
rotate 10 : Log files are rotated 10 times before being removed or mailed to the address specified in a mail directive.
copytruncate : Copy the log file and truncate the original in place instead of moving it and creating a new one, so a daemon that keeps the file open carries on writing to the same file. Anything written between the copy and the truncate is lost; that is the price of not having to signal the daemon.
notifempty : Do not rotate the log if it is empty.
dateext : Name the rotated file with the date (access_log-20130912) instead of a sequence number.
postrotate ... endscript : Run the custom script immediately after log rotation.
maxage 100 : Remove rotated log files older than 100 days.
missingok : Don't return an error if the log file is missing.
compress : Compress rotated log files.
compresscmd /bin/bzip2 : Use bzip2 instead of the default gzip.
compressext .bz2 : Extension for the compressed rotated file; without this option the rotated file would get the default .gz extension.
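The directives above, and in the earlier "How to rotate log files" post, are easiest to understand by watching what they do to a directory, in particular the difference between the default create behaviour (rename, then make a fresh file, which is why the syslog and httpd configs send a HUP) and copytruncate. The following is an added example, not logrotate's own code (logrotate is a C program): it reproduces the file shuffling for rotate N, compress, dateext, create versus copytruncate and maxage in Python on a throwaway directory, with a writer that keeps the log open standing in for httpd. File names and contents are constructed for the demo.

```python
"""Simulation of the logrotate directives explained in this post and in the
'How to rotate log files' post above.  Added example, not logrotate's own code.
"""
import gzip
import os
import shutil
import tempfile
import time
from datetime import date
from pathlib import Path
from typing import Dict, List, Optional


def rotated_files(log: Path) -> List[str]:
    """Names of the rotated copies of `log`, sorted (date names sort chronologically)."""
    return sorted(p.name for p in log.parent.iterdir()
                  if p != log and p.name.startswith(log.name))


def rotate(log: Path, count: int, compress: bool = False, dateext: bool = False,
           copytruncate: bool = False, create_mode: int = 0o640,
           today: Optional[date] = None) -> List[str]:
    """Rotate `log` once under the given directives; returns the rotated names left."""
    ext = ".gz" if compress else ""
    if dateext:
        rotated = log.with_name(f"{log.name}-{(today or date.today()):%Y%m%d}")
    else:
        # numbered scheme: log.N -> log.N+1, the copy at `count` falls off the end
        for n in range(count, 0, -1):
            old = log.with_name(f"{log.name}.{n}{ext}")
            if old.exists():
                if n == count:
                    old.unlink()
                else:
                    old.rename(log.with_name(f"{log.name}.{n + 1}{ext}"))
        rotated = log.with_name(f"{log.name}.1")
    if copytruncate:
        # copy then truncate in place: a writer keeps its fd and keeps writing to `log`,
        # but anything written between the copy and the truncate is lost
        shutil.copyfile(log, rotated)
        with open(log, "r+b") as fh:
            fh.truncate(0)
    else:
        # 'create': rename and make a fresh file; a writer still holding the old fd
        # keeps writing into `rotated` until it reopens (hence kill -HUP in postrotate)
        log.rename(rotated)
        log.touch(mode=create_mode)
    if compress:
        with open(rotated, "rb") as src, gzip.open(f"{rotated}.gz", "wb") as dst:
            shutil.copyfileobj(src, dst)
        rotated.unlink()
        rotated = rotated.with_name(rotated.name + ".gz")
    if count <= 0:
        rotated.unlink()              # 'rotate 0' (the default): old versions are removed, not kept
    elif dateext:
        for name in rotated_files(log)[:-count]:   # keep only the newest `count`
            (log.parent / name).unlink()
    return rotated_files(log)


def prune_maxage(log: Path, days: int, now: Optional[float] = None) -> List[str]:
    """'maxage N': delete rotated copies whose mtime is older than N days."""
    now = time.time() if now is None else now
    removed = []
    for name in rotated_files(log):
        path = log.parent / name
        if now - path.stat().st_mtime > days * 86400:
            path.unlink()
            removed.append(name)
    return removed


def demo() -> Dict[str, object]:
    """Exercise each directive in a temporary directory and report what happened."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "access_log"
        writer = open(log, "a")                   # stands in for httpd holding the log open
        writer.write("before create rotation\n"); writer.flush()
        rotate(log, count=2)
        writer.write("after create rotation\n"); writer.flush()
        rotated_text = (log.parent / "access_log.1").read_text()
        out["create_write_lands_in"] = "rotated" if "after" in rotated_text else "live"
        writer.close()
        writer = open(log, "a")                   # reopened, as a HUP makes httpd do
        writer.write("before copytruncate\n"); writer.flush()
        rotate(log, count=2, copytruncate=True)
        writer.write("after copytruncate\n"); writer.flush()
        out["copytruncate_write_lands_in"] = "live" if "after" in log.read_text() else "rotated"
        writer.close()
        out["kept_after_third_rotation"] = rotate(log, count=2)   # rotate 2: oldest is dropped
        err = Path(d) / "error_log"
        err.write_text("constructed error line\n")
        dated = rotate(err, count=3, compress=True, dateext=True, today=date(2013, 9, 12))
        out["dateext"] = dated
        with gzip.open(err.parent / dated[0], "rb") as fh:
            out["dateext_content"] = fh.read().decode()
        stamp = time.time() - 200 * 86400          # pretend the archive is 200 days old
        os.utime(err.parent / dated[0], (stamp, stamp))
        out["maxage_removed"] = prune_maxage(err, days=100)
        out["rotate0"] = rotate(err, count=0)      # a config with no 'rotate' line behaves like this
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results are the ones worth remembering: after a create-style rotation the open writer's next line lands in access_log.1, not in the new access_log, which is exactly why the configs above HUP the daemon; with copytruncate it lands in the live file and no signal is needed, at the cost of the small window in which lines can be lost.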

 

Log files in Linux

Log files on a Linux system live under /var/log, and you can read them with tail or head (most are readable only by root):

# tail -f /var/log/messages

Common Linux log files are

/var/log/messages     : General messages and system-related alerts
/var/log/auth.log     : Authentication logs
/var/log/kern.log     : Kernel logs
/var/log/cron.log     : Crond logs (cron jobs)
/var/log/maillog      : Mail server logs
/var/log/qmail/       : Qmail log directory
/var/log/httpd/       : Apache access and error logs directory
/var/log/lighttpd     : Lighttpd access and error logs directory
/var/log/boot.log     : System boot log
/var/log/mysqld.log   : MySQL database server log file
/var/log/secure       : Authentication log
/var/run/utmp and /var/log/wtmp : Login records (binary files; read them with who and last, not tail)
/var/log/yum.log      : Yum log file

Exact names vary by distribution: auth.log, kern.log and cron.log are the Debian/Ubuntu names, while secure, cron and maillog are the RHEL/CentOS ones. Rotation of these files is handled by the logrotate tool and summarising them by logwatch, as described in the posts above.