How to monitor server log files with Logwatch on Debian and Ubuntu

Logwatch is a system log analyzer and reporter. This tutorial covers the installation of Logwatch and explains various configuration options, including reporting of notable log events by email.

Installing Logwatch.

The following command will install Logwatch on your server.

Ubuntu

sudo apt-get install logwatch

Debian

apt-get install logwatch

Configuring Logwatch.

nano /usr/share/logwatch/default.conf/logwatch.conf

The above command opens the Logwatch configuration file. Find the following setting in it:

Change MailTo = root to MailTo = [email protected]

Editing the second line is optional. It is used when you want notifications sent to multiple email addresses.
The third line states that you will be receiving the mail from Logwatch. After completing the above, you will want to check the report range, or the time period for which you will receive reports.

Range = All

You might want to change it to Yesterday for reports of yesterday, Today for today's report, or All for a report of every day. With All, the reports that are available since the beginning will be sent.
The next option is the level of detail of the report you would like to send: Low, Medium or High. After this you can also go ahead and add particular services you would like to have in your reports. By default all the services are included in the reports, but the user can specify the services himself:
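The settings above can also be kept in a local override file rather than in the packaged default, so that a package upgrade does not revert them. The script below is an added example, not part of the original tutorial; it assumes the override file is /etc/logwatch/conf/logwatch.conf, and lw_set, lw_effective and LW_CONF_DIR are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Assumption: local overrides live in /etc/logwatch/conf/logwatch.conf, which
# Logwatch reads after the packaged defaults under /usr/share/logwatch.
LW_CONF_DIR="${LW_CONF_DIR:-/etc/logwatch/conf}"

# lw_set KEY VALUE: add or replace a single-valued setting (MailTo, Range,
# Detail) in the override file. Not for Service, which may repeat.
lw_set() {
    key=$1 value=$2
    file="$LW_CONF_DIR/logwatch.conf"
    mkdir -p "$LW_CONF_DIR" || return 1
    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop any earlier definition of KEY (case-insensitive); keep the rest.
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ ("^" tolower(k) "[ \t]*=") { next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# lw_effective KEY FILE...: print the value in force when FILEs are read in
# order and a later definition replaces an earlier one.
lw_effective() {
    key=$1; shift
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi
    done | awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ ("^" tolower(k) "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            val = line
        }
        END { if (val != "") print val }'
}

# Usage (as root; the address is a constructed placeholder):
#   lw_set MailTo admin@example.com
#   lw_set Range Yesterday
#   lw_effective MailTo /usr/share/logwatch/default.conf/logwatch.conf \
#       /etc/logwatch/conf/logwatch.conf
```

Calling lw_set twice with the same key leaves a single definition in the override file, so the script can be re-run from provisioning without the file growing.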



You can check the synopsis of logwatch:

logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ] [--mailto address ] [--archives] [--range range ] [--debug level ] [--filename file-name ] [--logdir directory ] [--hostname hostname ] [--hostformat host based options ] [--output output-type ] [--format report format ] [--encode encoding to use ] [--numeric] [--version] [--help|--usage]

You can use these options to run Logwatch manually and skip all of the above configuration.

logwatch --detail High --service http --mailto [email protected] --range all --logdir /var/cache/logwatch

The above is a custom command by a user for his own needs; you may go ahead and check what suits your needs.

Additional logwatch options

Usage information about Logwatch can be obtained through the man page:

man logwatch

The section titled "MORE INFORMATION" in the man page lists additional documentation files available with the distribution.

A summary of the command-line switches described in the man page can be obtained with the '--help' option:

logwatch --help

Comments

By: Kettu

I've understood that you should copy that configuration file under /etc and do the changes there in order to save those when the package is upgraded.

By: Tomas

Just my 2 cents, the configuration file at /usr/share/logwatch/default.conf/logwatch.conf contains all the default settings and comments on what they do. It is recommended to leave the default conf alone and instead re-define a setting variable you want to change in /etc/logwatch/conf/logwatch.conf. 

By: SamGG

On Mint/Debian, the default configuration is overridden by /usr/share/logwatch/dist.conf/logwatch.conf. I also recommend to define the running configuration as /etc/logwatch/conf/logwatch.conf and to redefine any useful variables.