Customizing Logwatch: Difference between revisions
(27 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
There are | There are three basic customizations we often perform: | ||
# set up logwatch cron-job to mail us the daily output from watching the logs. A Mar '09 update to logwatch-7.3.6 inexplicably removed the mail-outs! | |||
# increase the header-information with machine-specific info (hardware, admininstrator(s), usage, etc): | # increase the header-information with machine-specific info (hardware, admininstrator(s), usage, etc): | ||
# adjust the order of the information - we care very much about disk-usage, and prefer it ''first'' | # adjust the order of the information - we care very much about disk-usage, and prefer it ''first'' | ||
Start by ensuring logwatch is actually installed! A mail-transport agent (MTA) like Postfix must be installed and working (to receive the daily logwatch summary). | Start by ensuring logwatch is actually installed! A mail-transport agent (MTA) like Postfix or nullmailer must be installed and working (to receive the daily logwatch summary). | ||
<br> | |||
<br> | |||
== Cron Job == | |||
As-installed, under logwatch 7.3.6, this is the file we see under '''/etc/cron.daily/00-logwatch''': | |||
#!/bin/sh | |||
if [ -x /usr/sbin/logwatch.pl ] ; then | |||
exec /usr/sbin/logwatch.pl 2>&1 > /dev/null | |||
fi | |||
Instead, we need to make these changes (shown in red): | |||
<font color=red>hostname</font> <font color=blue># </font>'''emacs -nw /etc/cron.daily/00-logwatch''' | |||
#!/bin/sh | |||
if [ -x /usr/sbin/logwatch.pl ] ; then | |||
exec /usr/sbin/logwatch.pl <font color=red>'''--mailto root --output mail '''</font>2>&1 > /dev/null | |||
fi | |||
<br> | <br> | ||
== Logwatch Headers == | == Logwatch Headers == | ||
Use this template, to create '''/ | Use this template, to create '''/usr/share/logwatch/custom_header''' (ASCII, plain-text file; previous Gentoo and other distributions used /etc/log.d/custom_header). | ||
Machine info: Pentium4 2.4GHz, 1GB, GigE, 40GB+120GB, RivaTNT | Machine info: Pentium4 2.4GHz, 1GB, GigE, 40GB+120GB, RivaTNT | ||
Running RedHat 9 Linux | Running RedHat 9 Linux | ||
Located in | Located in Podium shared server-room, SFU Surrey campus | ||
Used by John Doe <john_doe@sfu.ca> | Used by John Doe <john_doe@sfu.ca> | ||
Into service xxx. Re-purposed Dec. 15, 2004 | Into service xxx. Re-purposed Dec. 15, 2004 | ||
Line 18: | Line 38: | ||
Used by Gordon Pritchard <gordonp+zero@sfu.ca) | Used by Gordon Pritchard <gordonp+zero@sfu.ca) | ||
Into service September 6, 2005. | Into service September 6, 2005. | ||
Administered by Gordon Pritchard <gordonp+zero@sfu.ca> | |||
Yet Another Example: | |||
Machine info: Core2Duo 2.66GHz, 4GB, GigE, 3Ware 9650SE-4LP with 2x75GB Raptor RAID1, | |||
nvidia QuadroFX1700 512MB | |||
Running Gentoo Linux (amd64/2008.0/desktop profile) | |||
Located in office 3726, Podium, SFU Surrey Campus | |||
Used by Gordon Pritchard <gordonp+zero@sfu.ca) | |||
Into service March 2008. ACS-leased Dell Precision T3400 | |||
Administered by Gordon Pritchard <gordonp+zero@sfu.ca> | Administered by Gordon Pritchard <gordonp+zero@sfu.ca> | ||
<br> | <br> | ||
To include this custom header, we now have to modify the main logwatch Perl script | <br> | ||
To include this custom header, we now have to modify the main logwatch Perl script ''logwatch.pl''. To help remember which machines have up-to-date kernels, we want logwatch to assist us by printing the kernel-version in the header. Using a Gentoo example, add the bold / red lines to '''/usr/sbin/logwatch.pl''': | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /usr/sbin/logwatch.pl''' | |||
&output( $index_par, "\n ################### Logwatch $Version ($VDate) #################### \n", "line"); | |||
} | } | ||
&output( $index_par, " Processing Initiated: " . localtime(time) . "\n", "line"); | |||
&output( $index_par, " Date Range Processed: $Config{'range'}\n", "line"); | |||
&output( $index_par, " $print_range\n", "line") if ($Config{'range'} ne 'all'); | |||
&output( $index_par, " Period is " . GetPeriod() . ".\n", "line") | |||
if ($Config{'range'} ne 'all'); | if ($Config{'range'} ne 'all'); | ||
&output( $index_par, " Detail Level of Output: $Config{'detail'}\n", "line"); | |||
&output( $index_par, " Type of Output: $Config{'output'}\n", "line"); | |||
&output( $index_par, " Logfiles for Host: $Config{'hostname'}\n", "line"); | |||
<font color=red>''' | <font color=red>'''&output( $index_par, " Kernel: " . `/bin/uname -r` . "\n", "line");'''</font> | ||
<font color=red>'''&output( $index_par, "\n" . `/bin/cat $BaseDir/custom_header` . "\n", "line");'''</font> | |||
if ( $outtype_html | |||
if ( $outtype_html ) { | |||
&output( $index_par, "\n", "stop"); | |||
} else { | } else { | ||
&output( $index_par, "################################################################## \n", "line"); | |||
<br> | |||
== Logwatch Information Order == | == Logwatch Information Order == | ||
The scripts | The scripts located in '''/usr/share/logwatchscripts/services/''' are run according to their file-name ordering. Simply renaming a file changes it's relationship to other information. We should move '''zz-disk_space''' to '''aa-disk_space''' to have our disk-usage appear right after the custom header; as root: | ||
<font color=red>zero</font> <font color=blue> | <font color=red>zero</font> <font color=blue># </font>'''mv /usr/share/logwatch/scripts/services/zz-disk_space /usr/share/logwatch/scripts/services/aa-disk_space''' | ||
One more thing to do - there is a corresponding configuration file which we simply move (rename) to align with the above: | |||
<br> | |||
* Current Gentoo shown: | |||
<font color=red>zero</font> <font color=blue># </font>'''mv /usr/share/logwatch/default.conf/services/zz-disk_space.conf /usr/share/logwatch/default.conf/services/aa-disk_space.conf''' | |||
# | |||
To test it all, invoke the daily logwatch cron-job manually (Gentoo shown; others similar): | |||
<font color=red>zero</font> <font color=blue># </font>'''sh /etc/cron.daily/00-logwatch''' | |||
<br> | |||
== Filtering Noise (aka clutter-reduction) == | |||
We'll edit two files, to enhance clarity of the resulting email (add or edit the lines in red): | |||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /usr/share/logwatch/default.conf/services/sshd.conf''' | |||
# Which logfile group... | |||
LogFile = secure | |||
<font color=red>##LogFile = messages</font> | |||
<font color=red># Ignore these hosts</font> | |||
<font color=red>*Remove = 209.87.60.112</font> | |||
<font color=red> | <font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /usr/share/logwatch/default.conf/logwatch.conf''' | ||
Service = All | |||
# You can also disable certain services (when specifying all) | |||
<font color=red>Service = "-barracuda" # Prevent log-clutter with system temp/voltages | |||
# which are captured/displayed by the barracuda filter | |||
Service = "-sendmail-largeboxes" | |||
# noisily, erroneeously reported (no sendmail here)</font> | |||
Service = "-zz-network" # Prevents execution of zz-network service, which | |||
# prints useful network configuration info. | |||
<br> | <br> |
Latest revision as of 22:24, 14 October 2016
There are three basic customizations we often perform:
- set up logwatch cron-job to mail us the daily output from watching the logs. A Mar '09 update to logwatch-7.3.6 inexplicably removed the mail-outs!
- increase the header-information with machine-specific info (hardware, admininstrator(s), usage, etc):
- adjust the order of the information - we care very much about disk-usage, and prefer it first
Start by ensuring logwatch is actually installed! A mail-transport agent (MTA) like Postfix or nullmailer must be installed and working (to receive the daily logwatch summary).
Cron Job
As-installed, under logwatch 7.3.6, this is the file we see under /etc/cron.daily/00-logwatch:
#!/bin/sh if [ -x /usr/sbin/logwatch.pl ] ; then exec /usr/sbin/logwatch.pl 2>&1 > /dev/null fi
Instead, we need to make these changes (shown in red):
hostname # emacs -nw /etc/cron.daily/00-logwatch #!/bin/sh if [ -x /usr/sbin/logwatch.pl ] ; then exec /usr/sbin/logwatch.pl --mailto root --output mail 2>&1 > /dev/null fi
Logwatch Headers
Use this template, to create /usr/share/logwatch/custom_header (ASCII, plain-text file; previous Gentoo and other distributions used /etc/log.d/custom_header).
Machine info: Pentium4 2.4GHz, 1GB, GigE, 40GB+120GB, RivaTNT Running RedHat 9 Linux Located in Podium shared server-room, SFU Surrey campus Used by John Doe <john_doe@sfu.ca> Into service xxx. Re-purposed Dec. 15, 2004 Administered by Gordon Pritchard <gordonp+corsair@sfu.ca>
Another example:
Machine info: Pentium4 dual-core 3GHz, 2GB, GigE, 80GB, ATI-R300-mobility Running Gentoo Linux Located in office 525 / The Axis (Beta Space, Surrey Campus) Used by Gordon Pritchard <gordonp+zero@sfu.ca) Into service September 6, 2005. Administered by Gordon Pritchard <gordonp+zero@sfu.ca>
Yet Another Example:
Machine info: Core2Duo 2.66GHz, 4GB, GigE, 3Ware 9650SE-4LP with 2x75GB Raptor RAID1, nvidia QuadroFX1700 512MB Running Gentoo Linux (amd64/2008.0/desktop profile) Located in office 3726, Podium, SFU Surrey Campus Used by Gordon Pritchard <gordonp+zero@sfu.ca) Into service March 2008. ACS-leased Dell Precision T3400 Administered by Gordon Pritchard <gordonp+zero@sfu.ca>
To include this custom header, we now have to modify the main logwatch Perl script logwatch.pl. To help remember which machines have up-to-date kernels, we want logwatch to assist us by printing the kernel-version in the header. Using a Gentoo example, add the bold / red lines to /usr/sbin/logwatch.pl:
hostname ~ # emacs -nw /usr/sbin/logwatch.pl &output( $index_par, "\n ################### Logwatch $Version ($VDate) #################### \n", "line"); } &output( $index_par, " Processing Initiated: " . localtime(time) . "\n", "line"); &output( $index_par, " Date Range Processed: $Config{'range'}\n", "line"); &output( $index_par, " $print_range\n", "line") if ($Config{'range'} ne 'all'); &output( $index_par, " Period is " . GetPeriod() . ".\n", "line") if ($Config{'range'} ne 'all'); &output( $index_par, " Detail Level of Output: $Config{'detail'}\n", "line"); &output( $index_par, " Type of Output: $Config{'output'}\n", "line"); &output( $index_par, " Logfiles for Host: $Config{'hostname'}\n", "line"); &output( $index_par, " Kernel: " . `/bin/uname -r` . "\n", "line"); &output( $index_par, "\n" . `/bin/cat $BaseDir/custom_header` . "\n", "line"); if ( $outtype_html ) { &output( $index_par, "\n", "stop"); } else { &output( $index_par, "################################################################## \n", "line");
Logwatch Information Order
The scripts located in /usr/share/logwatchscripts/services/ are run according to their file-name ordering. Simply renaming a file changes it's relationship to other information. We should move zz-disk_space to aa-disk_space to have our disk-usage appear right after the custom header; as root:
zero # mv /usr/share/logwatch/scripts/services/zz-disk_space /usr/share/logwatch/scripts/services/aa-disk_space
One more thing to do - there is a corresponding configuration file which we simply move (rename) to align with the above:
- Current Gentoo shown:
zero # mv /usr/share/logwatch/default.conf/services/zz-disk_space.conf /usr/share/logwatch/default.conf/services/aa-disk_space.conf
To test it all, invoke the daily logwatch cron-job manually (Gentoo shown; others similar):
zero # sh /etc/cron.daily/00-logwatch
Filtering Noise (aka clutter-reduction)
We'll edit two files, to enhance clarity of the resulting email (add or edit the lines in red):
hostname ~ # emacs -nw /usr/share/logwatch/default.conf/services/sshd.conf # Which logfile group... LogFile = secure ##LogFile = messages # Ignore these hosts *Remove = 209.87.60.112
hostname ~ # emacs -nw /usr/share/logwatch/default.conf/logwatch.conf Service = All # You can also disable certain services (when specifying all) Service = "-barracuda" # Prevent log-clutter with system temp/voltages # which are captured/displayed by the barracuda filter Service = "-sendmail-largeboxes" # noisily, erroneeously reported (no sendmail here) Service = "-zz-network" # Prevents execution of zz-network service, which # prints useful network configuration info.