Customizing Logwatch
Latest revision as of 22:24, 14 October 2016

There are three basic customizations we often perform:

  1. set up a logwatch cron-job to mail us the daily output from watching the logs. A Mar '09 update to logwatch-7.3.6 inexplicably removed the mail-outs!
  2. increase the header-information with machine-specific info (hardware, administrator(s), usage, etc.)
  3. adjust the order of the information - we care very much about disk-usage, and prefer it first

Start by ensuring logwatch is actually installed! A mail-transport agent (MTA) like Postfix or nullmailer must be installed and working (to receive the daily logwatch summary).

Cron Job

As-installed, under logwatch 7.3.6, this is the file we see under /etc/cron.daily/00-logwatch:

#!/bin/sh

if [ -x /usr/sbin/logwatch.pl ] ; then
	exec /usr/sbin/logwatch.pl 2>&1 > /dev/null
fi

Instead, we need to make these changes (shown in red):

hostname # emacs -nw /etc/cron.daily/00-logwatch

#!/bin/sh

if [ -x /usr/sbin/logwatch.pl ] ; then
	exec /usr/sbin/logwatch.pl --mailto root --output mail 2>&1 > /dev/null
fi


Logwatch Headers

Use this template to create /usr/share/logwatch/custom_header (ASCII, plain-text file; previous Gentoo and other distributions used /etc/log.d/custom_header).

Machine info:  Pentium4 2.4GHz, 1GB, GigE, 40GB+120GB, RivaTNT
 Running RedHat 9 Linux
 Located in Podium shared server-room, SFU Surrey campus
 Used by John Doe <john_doe@sfu.ca>
 Into service xxx.  Re-purposed Dec. 15, 2004
 Administered by Gordon Pritchard <gordonp+corsair@sfu.ca>

Another example:

Machine info:  Pentium4 dual-core 3GHz, 2GB, GigE, 80GB, ATI-R300-mobility
 Running Gentoo Linux
 Located in office  525 / The Axis (Beta Space, Surrey Campus)
 Used by Gordon Pritchard <gordonp+zero@sfu.ca>
 Into service September 6, 2005.
 Administered by Gordon Pritchard <gordonp+zero@sfu.ca>

Yet Another Example:

Machine info:  Core2Duo 2.66GHz, 4GB, GigE, 3Ware 9650SE-4LP with 2x75GB Raptor RAID1,
  nvidia QuadroFX1700 512MB
 Running Gentoo Linux (amd64/2008.0/desktop profile)
 Located in office 3726, Podium, SFU Surrey Campus
 Used by Gordon Pritchard <gordonp+zero@sfu.ca>
 Into service March 2008.  ACS-leased Dell Precision T3400
 Administered by Gordon Pritchard <gordonp+zero@sfu.ca>



To include this custom header, we now have to modify the main logwatch Perl script logwatch.pl. To help remember which machines have up-to-date kernels, we want logwatch to assist us by printing the kernel-version in the header. Using a Gentoo example, add the bold / red lines to /usr/sbin/logwatch.pl:

hostname ~ # emacs -nw /usr/sbin/logwatch.pl

  &output( $index_par, "\n ################### Logwatch $Version ($VDate) #################### \n", "line");
  }
 
  &output( $index_par, "       Processing Initiated: " . localtime(time) . "\n", "line");
  &output( $index_par, "       Date Range Processed: $Config{'range'}\n", "line");
  &output( $index_par, "                             $print_range\n", "line") if ($Config{'range'} ne 'all');
  &output( $index_par, "                             Period is " . GetPeriod() . ".\n", "line")
     if ($Config{'range'} ne 'all');
  &output( $index_par, "     Detail Level of Output: $Config{'detail'}\n", "line");
  &output( $index_par, "             Type of Output: $Config{'output'}\n", "line");
  &output( $index_par, "          Logfiles for Host: $Config{'hostname'}\n", "line");
  &output( $index_par, "                     Kernel: " . `/bin/uname -r` . "\n", "line");
  &output( $index_par, "\n" . `/bin/cat  $BaseDir/custom_header` . "\n", "line");
  
  if ( $outtype_html ) {
     &output( $index_par, "\n", "stop");
  } else {
     &output( $index_par, "################################################################## \n", "line");


Logwatch Information Order

The scripts located in /usr/share/logwatch/scripts/services/ are run according to their file-name ordering. Simply renaming a file changes its relationship to other information. We should move zz-disk_space to aa-disk_space to have our disk-usage appear right after the custom header; as root:

zero # mv /usr/share/logwatch/scripts/services/zz-disk_space /usr/share/logwatch/scripts/services/aa-disk_space

One more thing to do - there is a corresponding configuration file which we simply move (rename) to align with the above:

  • Current Gentoo shown:
zero # mv /usr/share/logwatch/default.conf/services/zz-disk_space.conf /usr/share/logwatch/default.conf/services/aa-disk_space.conf

To test it all, invoke the daily logwatch cron-job manually (Gentoo shown; others similar):

zero # sh /etc/cron.daily/00-logwatch
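As an added check, not part of the wiki page, the following POSIX shell script verifies that each step above actually landed (cron mail-out, readable and non-world-writable custom_header, both added lines in logwatch.pl, and the script/.conf pair renamed together). It assumes the Gentoo paths used on the page; selftest() builds a constructed fixture tree in a temp directory rather than touching a live install.

```shell
#!/bin/sh
# Added example, not from the wiki page: checks that the cron, header and
# ordering customizations above are in place.  Paths follow the page's Gentoo
# layout; selftest() builds a constructed tree in a temp dir instead.

# The daily cron job must invoke logwatch with --mailto and --output mail.
check_cron() {
    grep -q -- '--mailto' "$1" && grep -q -- '--output mail' "$1"
}

# custom_header is cat'ed into a root-run report every day: it must exist,
# be non-empty and not be world-writable (column 9 of ls -l is the o+w bit).
check_header() {
    [ -s "$1" ] && [ "$(ls -ld "$1" | cut -c9)" = "-" ]
}

# logwatch.pl must carry both added lines (header include and kernel line).
check_script() {
    grep -q 'custom_header' "$1" && grep -q 'uname -r' "$1"
}

# The service script and its .conf must be renamed together, and the old
# zz-* names must be gone so disk_space is neither run twice nor misconfigured.
check_order() {
    [ -x "$1/scripts/services/aa-disk_space" ] &&
    [ -f "$1/default.conf/services/aa-disk_space.conf" ] &&
    [ ! -e "$1/scripts/services/zz-disk_space" ] &&
    [ ! -e "$1/default.conf/services/zz-disk_space.conf" ]
}

# Constructed fixture: a correctly customized tree; returns 0 if all checks pass.
selftest() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/scripts/services" "$t/default.conf/services"
    printf '%s\n' '#!/bin/sh' \
      'exec /usr/sbin/logwatch.pl --mailto root --output mail 2>&1 > /dev/null' \
      > "$t/00-logwatch"
    printf 'Machine info:  constructed test host\n' > "$t/custom_header"
    chmod 644 "$t/custom_header"
    printf '%s\n' '`/bin/cat  $BaseDir/custom_header`' '`/bin/uname -r`' \
      > "$t/logwatch.pl"
    : > "$t/scripts/services/aa-disk_space"
    chmod 755 "$t/scripts/services/aa-disk_space"
    : > "$t/default.conf/services/aa-disk_space.conf"
    if check_cron "$t/00-logwatch" && check_header "$t/custom_header" &&
       check_script "$t/logwatch.pl" && check_order "$t"; then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}
```

Against a live system, call the check_* functions with the real paths (for example check_order /usr/share/logwatch). A world-writable custom_header is reported as a failure because its contents are pasted verbatim into a report generated by root every day.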


Filtering Noise (aka clutter-reduction)

We'll edit two files, to enhance clarity of the resulting email (add or edit the lines in red):

hostname ~ # emacs -nw /usr/share/logwatch/default.conf/services/sshd.conf

# Which logfile group...
LogFile = secure
##LogFile = messages

# Ignore these hosts
*Remove = 209.87.60.112

hostname ~ # emacs -nw /usr/share/logwatch/default.conf/logwatch.conf

Service = All

# You can also disable certain services (when specifying all)
Service = "-barracuda"      # Prevent log-clutter with system temp/voltages
                            # which are captured/displayed by the barracuda filter
Service = "-sendmail-largeboxes"
                            # noisily, erroneously reported (no sendmail here)
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.