@leommoore
Last active December 17, 2015 11:39

# Linux - Log File Monitoring

Logwatch is a really useful tool which normally runs as a cron job and mails a summary of the log files to root. The summary covers things such as software installed and repeated authentication failures from programs such as sshd and su.

For example, running:

```
logwatch --detail med --range Today --format text --output stdout
```

gives the following output on stdout:

 ################### Logwatch 7.4.0 (03/01/11) #################### 
        Processing Initiated: Sat May 18 10:56:57 2013
        Date Range Processed: today
                              ( 2013-May-18 )
                              Period is day.
        Detail Level of Output: 5
        Type of Output/Format: stdout / text
        Logfiles for Host: testserver001
 ################################################################## 
 
 --------------------- Cron Begin ------------------------ 

 Commands Run:
    User root:
          cd / && run-parts --report /etc/cron.hourly: 11 Time(s)
       start -q anacron || :: 1 Time(s)
       test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ): 1 Time(s)
 
 ---------------------- Cron End ------------------------- 

 
 --------------------- dpkg status changes Begin ------------------------ 

 
 Installed:
    libdate-manip-perl:all 6.32-1
    libdw1:amd64 0.153-1ubuntu1
    libyaml-syck-perl:amd64 1.20-1
    linux-base:all 3.5ubuntu4
    linux-tools-3.5.0-17:amd64 3.5.0-17.28
    linux-tools-common:all 3.5.0-30.51
    logwatch:all 7.4.0+svn20111221rev79-1ubuntu1
    postfix:amd64 2.9.6-1~12.10.1
 
 ---------------------- dpkg status changes End ------------------------- 

 
 --------------------- Kernel Begin ------------------------ 

 
 4 Time(s): [drm] nouveau 0000:01:00.0: Setting dpms mode 0 on tmds encoder (output 1)
 4 Time(s): [drm] nouveau 0000:01:00.0: Setting dpms mode 0 on vga encoder (output 0)
 3 Time(s): [drm] nouveau 0000:01:00.0: Setting dpms mode 3 on tmds encoder (output 1)
 3 Time(s): [drm] nouveau 0000:01:00.0: Setting dpms mode 3 on vga encoder (output 0)
 3 Time(s): audit_printk_skb: 3 callbacks suppressed
 1 Time(s): audit_printk_skb: 30 callbacks suppressed
 1 Time(s): audit_printk_skb: 54 callbacks suppressed
 
 ---------------------- Kernel End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 cron:
    Sessions Opened:
       root: 13 Time(s)
 
 sshd:
    Authentication Failures:
       root (174.142.53.72): 30 Time(s)
       root (s15303747.onlinehome-server.info): 6 Time(s)
       nobody (61.142.106.34): 1 Time(s)
       root (183.129.172.83): 1 Time(s)
       root (189-211-50-117.static.axtel.net): 1 Time(s)
       unknown (174.142.53.72): 1 Time(s)
       unknown (189-211-50-117.static.axtel.net): 1 Time(s)
    Invalid Users:
       Unknown Account: 2 Time(s)
 
 sudo:
    Sessions Opened:
       leo -> root: 16 Time(s)
       root -> root: 1 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Connections (secure-log) Begin ------------------------ 

 New Users:
    postfix (116)
 
 New Groups:
    postfix (126)
    postdrop (127)
 
 
 Changed password expiry for users:
    postfix : 1 Time(s)
 
 **Unmatched Entries**
    gnome-screensaver-dialog: gkr-pam: unlocked login keyring: 3 Time(s)
    groupadd: group added to /etc/group: name=postdrop, GID=127: 1 Time(s)
    groupadd: group added to /etc/group: name=postfix, GID=126: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=postdrop: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=postfix: 1 Time(s)
    usermod: change user 'postfix' password: 1 Time(s)
 
 ---------------------- Connections (secure-log) End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 Failed logins from:
    61.142.106.34: 1 time
       nobody/password: 1 time
    174.142.53.72: 30 times
       root/password: 30 times
    183.129.172.83: 1 time
       root/password: 1 time
    189.211.50.117 (189-211-50-117.static.axtel.net): 1 time
       root/password: 1 time
    213.165.82.169 (s15303747.onlinehome-server.info): 6 times
       root/password: 6 times
 
 Illegal users from:
    undef: 2 times
       admin [preauth]: 1 time
       nologin [preauth]: 1 time
    174.142.53.72: 1 time
       nologin: 1 time
    189.211.50.117 (189-211-50-117.static.axtel.net): 1 time
       admin: 1 time
 
 
 Received disconnect:
    11: Bye Bye [preauth]
       174.142.53.72 : 30 Time(s)
       189.211.50.117 : 1 Time(s)
       213.165.82.169 : 6 Time(s)
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- Sudo (secure-log) Begin ------------------------ 

 
 leo => root
 -----------
 /bin/chown                     -   1 Time(s).
 /bin/cp                        -   2 Time(s).
 /bin/mkdir                     -   1 Time(s).
 /etc/init.d/nginx              -   1 Time(s).
 /usr/bin/apt-get               -   5 Time(s).
 /usr/bin/nano                  -   3 Time(s).
 /usr/bin/nemo                  -   1 Time(s).
 /usr/bin/perf                  -   1 Time(s).
 /usr/bin/rename                -   2 Time(s).
 
 ---------------------- Sudo (secure-log) End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem          Size  Used Avail Use% Mounted on
 /dev/sda1           1.8T   75G  1.7T   5% /
 udev                1.5G  4.0K  1.5G   1% /dev
 /home/leo/.Private  1.8T   75G  1.7T   5% /home/leo
 
 
 ---------------------- Disk Space End ------------------------- 

 
 --------------------- Fortune Begin ------------------------ 

 You will not be elected to public office this year.
 
 
 ---------------------- Fortune End ------------------------- 

 
 ###################### Logwatch End ######################### 
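The SSHD section above is the part of the report worth reading first: it lists every source that failed a login or tried an invalid username, with a per-user/method breakdown. The following is an added example (not part of the original gist) that parses that section of a `--format text` report and ranks sources by their combined failed-login and illegal-user counts, so a daily cron job can flag anything above a threshold; the sample report is constructed to mirror the layout above and uses RFC 5737 documentation addresses, and the threshold of 10 is an arbitrary choice.

```python
import re

# Constructed sample mirroring the SSHD section of the report above (RFC 5737 documentation addresses).
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------ 
 Failed logins from:
    198.51.100.7: 30 times
       root/password: 30 times
    203.0.113.5 (host5.example.net): 6 times
       root/password: 6 times
 Illegal users from:
    undef: 1 time
       admin [preauth]: 1 time
    198.51.100.7: 1 time
       nologin: 1 time
 ---------------------- SSHD End ------------------------- 
"""

BEGIN_RE = re.compile(r"^ -+ SSHD Begin -+ *$")
END_RE = re.compile(r"^ -+ SSHD End -+ *$")
SOURCE_RE = re.compile(r"^ {4}(\S+)(?: \([^)]*\))?: (\d+) times?$")  # "    1.2.3.4 (host): 6 times"
DETAIL_RE = re.compile(r"^ {5,}(.+?): (\d+) times?$")                # "       root/password: 6 times"

def parse_sshd_section(report):
    """Return {heading: {source: {user/method: count}}} for the SSHD block of a text report."""
    result, in_section, heading, source = {}, False, None, None
    for line in report.splitlines():
        if BEGIN_RE.match(line):
            in_section = True
        elif END_RE.match(line):
            break
        elif not in_section:
            continue
        elif line.strip().endswith("from:"):            # "Failed logins from:" / "Illegal users from:"
            heading, source = line.strip()[:-1], None
            result[heading] = {}
        elif heading and (m := SOURCE_RE.match(line)):  # source line; its detail lines follow
            source = m.group(1)
            result[heading][source] = {}
        elif source and (m := DETAIL_RE.match(line)):   # per-user/method breakdown under the source
            result[heading][source][m.group(1)] = int(m.group(2))
    return result

def noisy_sources(report, threshold=10):
    """Sources whose failed-login plus illegal-user attempts reach the threshold, busiest first."""
    totals = {}
    for per_source in parse_sshd_section(report).values():
        for src, details in per_source.items():
            totals[src] = totals.get(src, 0) + sum(details.values())
    return sorted(((s, n) for s, n in totals.items() if n >= threshold), key=lambda p: (-p[1], p[0]))
```

Feed it the real report with `parse_sshd_section(open("report.txt").read())`; the `undef` source is how Logwatch reports attempts whose origin could not be resolved, so it is kept as its own bucket.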

Logwatch can be configured to mail the log summary to an email address of your choice. You can edit the settings using nano (or your editor of choice) at:

```
sudo nano /usr/share/logwatch/default.conf/logwatch.conf
```

Note that this file is the packaged default and may be overwritten on upgrade; Logwatch also reads /etc/logwatch/conf/logwatch.conf, which overrides the defaults and is where local settings are normally kept.

Amend or add lines so that they read as follows:

```
Output = mail
Format = html
MailTo = admin@domain.example
MailFrom = logwatch@domain.example
```

Normally logwatch runs as a daily cron job. You can view the job with:

```
sudo nano /etc/cron.daily/00logwatch
```

The file should look like this:

```bash
#!/bin/bash

# Check that logwatch is still installed (exit quietly if it was removed but not purged)
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0

# Execute
/usr/sbin/logwatch --mailto admin@domain.example

# Note: it's possible to force the recipient in the above command:
# just pass --mailto address@a.com instead of --output mail
```

See also: http://www.ubuntugeek.com/how-to-setup-logwatch-on-ubuntu-desktopserver.html
