Customizing Logwatch
There are three basic customizations we often perform:
- set up logwatch cron-job to mail us the daily output from watching the logs. A Mar '09 update to logwatch-7.3.6 inexplicably removed the mail-outs!
- increase the header-information with machine-specific info (hardware, admininstrator(s), usage, etc):
- adjust the order of the information - we care very much about disk-usage, and prefer it first
Start by ensuring logwatch is actually installed! A mail-transport agent (MTA) like Postfix or nullmailer must be installed and working (to receive the daily logwatch summary).
Cron Job
As-installed, under logwatch 7.3.6, this is the file we see under /etc/cron.daily/00-logwatch:
#!/bin/sh if [ -x /usr/sbin/logwatch.pl ] ; then exec /usr/sbin/logwatch.pl 2>&1 > /dev/null fi
Instead, we need to make these changes (shown in red):
hostname # emacs -nw /etc/cron.daily/00-logwatch #!/bin/sh if [ -x /usr/sbin/logwatch.pl ] ; then exec /usr/sbin/logwatch.pl --mailto root --output mail 2>&1 > /dev/null fi
Logwatch Headers
Use this template, to create /usr/share/logwatch/custom_header (ASCII, plain-text file; previous Gentoo and other distributions used /etc/log.d/custom_header).
Machine info: Pentium4 2.4GHz, 1GB, GigE, 40GB+120GB, RivaTNT Running RedHat 9 Linux Located in Podium shared server-room, SFU Surrey campus Used by John Doe <john_doe@sfu.ca> Into service xxx. Re-purposed Dec. 15, 2004 Administered by Gordon Pritchard <gordonp+corsair@sfu.ca>
Another example:
Machine info: Pentium4 dual-core 3GHz, 2GB, GigE, 80GB, ATI-R300-mobility Running Gentoo Linux Located in office 525 / The Axis (Beta Space, Surrey Campus) Used by Gordon Pritchard <gordonp+zero@sfu.ca) Into service September 6, 2005. Administered by Gordon Pritchard <gordonp+zero@sfu.ca>
Yet Another Example:
Machine info: Core2Duo 2.66GHz, 4GB, GigE, 3Ware 9650SE-4LP with 2x75GB Raptor RAID1, nvidia QuadroFX1700 512MB Running Gentoo Linux (amd64/2008.0/desktop profile) Located in office 3726, Podium, SFU Surrey Campus Used by Gordon Pritchard <gordonp+zero@sfu.ca) Into service March 2008. ACS-leased Dell Precision T3400 Administered by Gordon Pritchard <gordonp+zero@sfu.ca>
To include this custom header, we now have to modify the main logwatch Perl script logwatch.pl. To help remember which machines have up-to-date kernels, we want logwatch to assist us by printing the kernel-version in the header. Using a Gentoo example, add the bold / red lines to /usr/sbin/logwatch.pl:
hostname ~ # emacs -nw /usr/sbin/logwatch.pl output( $index_par, "\n ################### Logwatch $Version ($VDate) #################### \n", "line"); } output( $index_par, " Processing Initiated: " . localtime(time) . "\n", "line"); output( $index_par, " Date Range Processed: $Config{'range'}\n", "line"); output( $index_par, " $print_range\n", "line") if ($Config{'range'} ne 'all'); output( $index_par, " Period is " . GetPeriod() . ".\n", "line") if ($Config{'range'} ne 'all'); output( $index_par, " Detail Level of Output: $Config{'detail'}\n", "line"); output( $index_par, " Type of Output: $Config{'output'}\n", "line"); output( $index_par, " Logfiles for Host: $Config{'hostname'}\n", "line"); output( $index_par, " Kernel: " . `/bin/uname -r` . "\n", "line"); output( $index_par, "\n" . `/bin/cat $BaseDir/custom_header` . "\n", "line"); if ( $outtype_html ) { output( $index_par, "\n", "stop"); } else { output( $index_par, "################################################################## \n", "line");
Logwatch Information Order
The scripts located in /usr/share/logwatchscripts/services/ are run according to their file-name ordering. Simply renaming a file changes it's relationship to other information. We should move zz-disk_space to aa-disk_space to have our disk-usage appear right after the custom header; as root:
zero # mv /usr/share/logwatch/scripts/services/zz-disk_space /usr/share/logwatch/scripts/services/aa-disk_space
One more thing to do - there is a corresponding configuration file which we simply move (rename) to align with the above:
- Current Gentoo shown:
zero # mv /usr/share/logwatch/default.conf/services/zz-disk_space.conf /usr/share/logwatch/default.conf/services/aa-disk_space.conf
To test it all, invoke the daily logwatch cron-job manually (Gentoo shown; others similar):
zero # sh /etc/cron.daily/00-logwatch
Filtering Noise (aka clutter-reduction)
We'll edit two files, to enhance clarity of the resulting email (add or edit the lines in red):
hostname ~ # emacs -nw /usr/share/logwatch/default.conf/services/sshd.conf # Which logfile group... LogFile = secure ##LogFile = messages # Ignore these hosts *Remove = 209.87.56.234
hostname ~ # emacs -nw /usr/share/logwatch/default.conf/logwatch.conf Service = All # You can also disable certain services (when specifying all) Service = "-barracuda" # Prevent log-clutter with system temp/voltages # which are captured/displayed by the barracuda filter Service = "-sendmail-largeboxes" # noisily, erroneeously reported (no sendmail here) Service = "-zz-network" # Prevents execution of zz-network service, which # prints useful network configuration info.