- The article explains how to make Logwatch show a reboot event in the report by using a custom script that checks the uptime of the server and compares it with the previous uptime.
- The article also shows how to configure Logwatch to customize the output format, frequency, and services of the report, and how to add custom logs to Logwatch by creating custom scripts and filters.
- The article also provides some frequently asked questions and answers related to Logwatch and reboot events, such as how to change the frequency of Logwatch reports, how to troubleshoot Logwatch errors, and how to use Logwatch in debug mode.
In our environment, comprised of RHEL (CentOS 7) workstations and servers, we rely on Logwatch (v7.4.0) to generate daily email reports. These reports offer valuable insights into system activities. While we are diligent about regularly updating and rebooting systems, there’s one thing missing – the automatic inclusion of reboot events in our Logwatch reports. Currently, we can manually check reboot logs with commands like “who -b” and “last -x,” but we prefer to streamline the process by having reboot events integrated directly into the daily reports.
The challenge is clear: how can we configure Logwatch to detect reboot events for any reason and seamlessly add them to the generated reports?
Table of Contents
- What is Logwatch?
- How to Configure Logwatch
- Step-by-step guide to configure Logwatch to detect reboot events
- How to Make Logwatch Show a Reboot Event in the Report
- Frequently Asked Questions
- Question: How to change the frequency of Logwatch reports?
- Question: How to add custom logs to Logwatch?
- Question: How to troubleshoot Logwatch errors?
- Conclusion
- Disclaimer
What is Logwatch?
Logwatch is a log analyzer and reporter that parses and summarizes log files from various services and applications running on your server. It can send you an email with a daily digest of the most important and relevant information from your logs, such as errors, warnings, security alerts, failed logins, resource usage, and more.
Logwatch is available for most Linux distributions and can be installed from the official repositories or downloaded from the Logwatch website. Logwatch is written in Perl and can be easily configured and extended with custom scripts and filters.
How to Configure Logwatch
Logwatch has two main configuration files: /usr/share/logwatch/default.conf/logwatch.conf and /etc/logwatch/conf/logwatch.conf. The former is the global configuration file that applies to all Logwatch reports, while the latter is the local configuration file that overrides the global settings.
You can edit these files with your preferred text editor, such as nano or vim. For example, to edit the local configuration file with nano, you can run this command:
sudo nano /etc/logwatch/conf/logwatch.conf
Some of the common settings you can configure in these files are:
- Output: The output format of the report. It can be stdout, mail, or file.
- Format: The format of the report. It can be text, html, or encode.
- MailTo: The email address to send the report to.
- MailFrom: The email address to send the report from.
- Range: The time range of the report. It can be yesterday, today, all, or a custom date range.
- Detail: The level of detail of the report. It can be Low, Med, or High.
- Service: The services and applications to include in the report. You can specify multiple services separated by spaces, or use All to include all services.
For example, if you want to send an HTML report with high detail to your email address every day, you can add these lines to your local configuration file:
Output = mail
Format = html
MailTo = [email protected]
Range = yesterday
Detail = High
Service = All
You can also create custom configuration files for specific services in the /etc/logwatch/conf/services directory. For example, if you want to change the settings for SSH service, you can create a file named /etc/logwatch/conf/services/sshd.conf and add your custom settings there.
Step-by-step guide to configure Logwatch to detect reboot events
Step 1: Custom Logwatch Configuration
The first step is to create a custom configuration file for Logwatch, which will define how reboot events should be included. You can do this by creating a new configuration file in the /etc/logwatch/conf directory, such as zzz_reboot.conf (the zzz prefix ensures it runs last).
Use your preferred text editor to create and edit this file. For example, you can use vim or nano:
sudo nano /etc/logwatch/conf/zzz_reboot.conf
Step 2: Define Logwatch Configuration
In the custom configuration file, you’ll need to define the log files and filters for reboot events. To monitor reboot events, add the following lines to the configuration file:
# Monitor the wtmp file for reboots
*Reboot = login
Step 3: Adjust Logwatch Execution
Next, configure the Logwatch execution command to include your custom configuration. You can do this by modifying the existing Logwatch cron job. Edit the cron configuration file:
sudo nano /etc/cron.daily/00logwatch
Find the line that starts with `/usr/sbin/logwatch --format text` and modify it to include the custom configuration file:
/usr/sbin/logwatch --format text --logfiles /etc/logwatch/conf/zzz_reboot.conf
Save your changes and exit the text editor.
Step 4: Test and Generate Reports
To ensure your custom configuration works correctly, you can run Logwatch manually to generate a report that includes reboot events:
/usr/sbin/logwatch --format text --logfiles /etc/logwatch/conf/zzz_reboot.conf
This will produce a report with the added reboot events.
Step 5: Daily Automatic Reports
Logwatch is typically run automatically on a daily basis via a cron job. With the changes in place, your daily reports will now include reboot events.
By following these steps, you can seamlessly integrate reboot events into your daily Logwatch reports, providing a comprehensive overview of system activities, including any reboots performed by both administrators and users.
How to Make Logwatch Show a Reboot Event in the Report
By default, Logwatch does not show a reboot event in its report. This is because Logwatch relies on the log files generated by the services and applications on your server, and most of them do not log a reboot event.
However, there is a way to make Logwatch show a reboot event in the report by using a custom script that checks the uptime of your server and compares it with the previous uptime. If the current uptime is less than the previous uptime, it means that your server has been rebooted.
Here are the steps to create and use this custom script:
- Create a directory named /etc/logwatch/scripts/services if it does not exist: sudo mkdir -p /etc/logwatch/scripts/services
- Create a file named /etc/logwatch/scripts/services/reboot with this content:
```bash
#!/bin/bash
# Get current uptime in seconds
CURR_UPTIME=$(awk '{print $1}' /proc/uptime)
# Get previous uptime in seconds from /var/tmp/uptime file
PREV_UPTIME=$(cat /var/tmp/uptime 2>/dev/null)
# If previous uptime file does not exist or current uptime is less than previous uptime
if [ -z "$PREV_UPTIME" ] || [ "$(echo "$CURR_UPTIME < $PREV_UPTIME" | bc)" -eq 1 ]; then
    # Print reboot message with current date and time
    echo "Reboot event detected at $(date)"
fi
# Save current uptime to /var/tmp/uptime file
echo "$CURR_UPTIME" > /var/tmp/uptime
```
- Make the file executable: sudo chmod +x /etc/logwatch/scripts/services/reboot
- Create a file named /etc/logwatch/conf/services/reboot.conf with this content:
```
# Specify the title of the service
Title = "Reboot"
# Specify the order of the service in the report
Order = AAB
# Specify the script to run for the service
Script = /etc/logwatch/scripts/services/reboot
```
- Run Logwatch and check the report for the reboot event: sudo logwatch
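The uptime comparison in the script above reports a reboot only when the current uptime is lower than the saved value, so it can miss a reboot once the machine has been up longer than the last recorded uptime, and it keeps its state at a predictable path in world-writable /var/tmp. The following added example (not part of the original article or of Logwatch) compares the kernel boot ID from /proc/sys/kernel/random/boot_id instead and keeps it in a private directory. The STATE_DIR path and the check_reboot function name are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: detect a reboot by comparing the kernel boot ID, which is
# regenerated on every boot, with the value saved by the previous run.
# STATE_DIR is an assumed path; keep it root-owned and not world-writable.
STATE_DIR="${STATE_DIR:-/var/lib/logwatch-reboot}"
BOOT_ID_FILE="${BOOT_ID_FILE:-/proc/sys/kernel/random/boot_id}"

# Returns 0 and prints a report line when the boot ID changed (or on the
# first run), 1 when it is unchanged, 2 when the state cannot be trusted.
check_reboot() {
    local state="$STATE_DIR/boot_id" current previous="" tmp
    current=$(cat "$BOOT_ID_FILE" 2>/dev/null) || return 2
    # Create the state directory with mode 0700 if it is missing.
    (umask 077; mkdir -p "$STATE_DIR") 2>/dev/null || return 2
    # Never read or replace state through a symlink planted by another user.
    if [ -L "$state" ]; then
        echo "reboot check: $state is a symlink, refusing to use it" >&2
        return 2
    fi
    if [ -f "$state" ]; then
        previous=$(head -n 1 "$state")
    fi
    # Write to a temporary file and rename it so the update is atomic.
    tmp=$(mktemp "$STATE_DIR/boot_id.XXXXXX") || return 2
    printf '%s\n' "$current" > "$tmp" && mv -f "$tmp" "$state" || return 2
    if [ "$current" = "$previous" ]; then
        return 1
    fi
    echo "Reboot event detected (boot ID $current), reported at $(date)"
    return 0
}

# The report is built from the script's standard output, so the exit
# status is ignored here.
check_reboot || true
```

Like the article's script, it reports a reboot on its first run, when no saved state exists yet.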
You should see something like this in the report:
Frequently Asked Questions
Here are some common questions and answers related to Logwatch and reboot events.
Question: How to change the frequency of Logwatch reports?
Answer: By default, Logwatch runs once a day and sends a report for the previous day. You can change the frequency of Logwatch reports by editing the cron job that runs Logwatch.
To edit the cron job, run this command:
sudo crontab -e
You should see a line like this:
0 0 * * * /usr/sbin/logwatch
This means that Logwatch runs at 0 minutes of 0 hours of every day of every month. You can change this schedule according to your preference. For example, if you want Logwatch to run every hour, you can change it to:
0 * * * * /usr/sbin/logwatch
Question: How to add custom logs to Logwatch?
Answer: If you have custom logs that are not supported by Logwatch by default, you can add them to Logwatch by creating custom scripts and filters.
To add custom logs to Logwatch, you need to do the following:
- Create a directory named /etc/logwatch/scripts/services/custom if it does not exist: sudo mkdir -p /etc/logwatch/scripts/services/custom
- Create a script named /etc/logwatch/scripts/services/custom/mylog that parses your custom log file and prints the relevant information. For example, if your custom log file is located at /var/log/myapp.log and has this format:
```
[2023-06-26 12:34:56] INFO: Hello world
[2023-06-26 12:35:00] ERROR: Something went wrong
```
You can create a script like this:
```bash
#!/bin/bash
# Loop through each line of the log file
while read -r line; do
    # Extract the date, time, level, and message from the line.
    # Split on the brackets first: the timestamp itself contains colons,
    # so splitting the whole line on ":" would return the wrong fields.
    STAMP=${line#\[}          # drop the leading "["
    STAMP=${STAMP%%\]*}       # keep the text up to the first "]"
    DATE=${STAMP%% *}
    TIME=${STAMP#* }
    REST=${line#*\] }         # "LEVEL: message"
    LEVEL=${REST%%:*}
    MESSAGE=${REST#*: }
    # Check if the date matches the range specified by Logwatch
    if [ "$DATE" == "$LOGWATCH_DATE" ] || [ "$LOGWATCH_DATE" == "ALL" ]; then
        # Print the level and message with indentation
        echo " $LEVEL: $MESSAGE"
    fi
done < /var/log/myapp.log
```
- Make the script executable: sudo chmod +x /etc/logwatch/scripts/services/custom/mylog
- Create a file named /etc/logwatch/conf/services/custom.conf with this content:
```
# Specify the title of the service
Title = "Custom"
# Specify the order of the service in the report
Order = ZZZ
# Specify the script to run for the service
Script = /etc/logwatch/scripts/services/custom/mylog
```
- Run Logwatch and check the report for your custom log: sudo logwatch
You should see something like this in the report:
Question: How to troubleshoot Logwatch errors?
Answer: If you encounter any errors or issues with Logwatch, you can try the following steps to troubleshoot them:
- Check the syntax and permissions of your configuration files and scripts.
- Check the log files of Logwatch and your mail server for any errors or warnings.
- Check your spam folder or firewall settings for any blocked or filtered emails from Logwatch.
- Run Logwatch in debug mode by adding the --debug option to the command. This will print more information about the Logwatch process and help you identify the source of the problem.
For example, to run Logwatch in debug mode and output the report to the standard output, you can run this command:
sudo logwatch --debug --output stdout
If you need more help with Logwatch, you can visit the Logwatch website or the Logwatch mailing list.
Conclusion
We hope this article has helped you understand how to make Logwatch show a reboot event in the report, and also how to customize the report format and frequency. Logwatch is a powerful tool for monitoring system logs and generating daily reports on your server’s activity. However, it may not cover all your needs and preferences by default, so you may need to tweak its configuration and add custom scripts and filters to suit your situation.
Disclaimer
The information in this article is provided for educational purposes only and does not constitute professional advice. We are not responsible for any errors or omissions in this article, or for any consequences arising from the use of this information. Please consult the official documentation of Logwatch and your database system before applying any of the steps or solutions mentioned in this article.