Tuesday, October 9, 2012

# logwatch # script

Configuring logwatch on Linux

I customized my logwatch to include wtmp log report also.

1. Download the logwatch tar file from the internet. The latest running version is logwatch-7.4.0

2. Look here for the version-------------http://sourceforge.net/projects/logwatch/files/

3. Look here for developer details---http://logwatch.isoc.lu/tabs/docs/index.html

4. Download and store the tarball into your /tmp directory

5. Unzip, untar and cd into the folder

gunzip logwatch-7.4.0.tar.gz

tar xvf logwatch-7.4.0.tar

cd logwatch-7.4.0

6. Create these directories and soft links:

mkdir /etc/logwatch
mkdir /etc/logwatch/scripts
mkdir /etc/logwatch/conf
mkdir /etc/logwatch/conf/logfiles
mkdir /etc/logwatch/conf/services
touch /etc/logwatch/conf/logwatch.conf
touch /etc/logwatch/conf/ignore.conf
touch /etc/logwatch/conf/override.conf

mkdir /usr/share/logwatch

mkdir /usr/share/logwatch/dist.conf
mkdir /usr/share/logwatch/dist.conf/logfiles
mkdir /usr/share/logwatch/dist.conf/services

mv conf/ /usr/share/logwatch/default.conf

mv scripts/ /usr/share/logwatch/scripts
mv lib /usr/share/logwatch/lib

mkdir /var/cache/logwatch

ln -s /usr/share/logwatch/scripts/logwatch.pl /etc/cron.daily/0logwatch
ln -s /usr/share/logwatch/scripts/logwatch.pl /usr/sbin/logwatch

7. Backup and edit the config file accordingly


##to edit html format, edit these lines in the config file stated above

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
#Output = stdout
Output = mail
#To make Html the default formatting Format = html
Format = html

##to edit the email recipients, edit this line, separate multiple recipients with space

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = oXXXXX@gmail.com

8. To add wtmp logs into logwatch monitoring you need to define three things:

  • the wtmp parsing script path
  • define the the new config into wtmp
  • add the wtmp log destination into logwatch configuration for parsing

8.1  /usr/share/logwatch/scripts/services ### this is where the script/work will be done

# pwd

# more /usr/share/logwatch/scripts/services/my-report

@type = (
    "Empty", "Run Lvl", "Boot", "New Time", "Old Time", "Init",
    "Login", "Normal",  "Term", "Account"
$recs = "";
while (<>) {
    $recs .= $_;
foreach ( split( /(.{384})/s, $recs ) ) {
    next if length($_) == 0 ;
    my ( $type, $pid, $line, $inittab, $user, $host, $t1, $t2, $t3, $t4, $t5 ) =
      $_ =~ /(.{4})(.{4})(.{32})(.{4})(.{32})(.{256})(.{4})(.{4})(.{4})(.{4})(.{4})/s;
    if ( defined $line && $line =~ /\w/ ) {
        $line =~ s/\
        $host =~ s/\x00+//g;
        $user =~ s/\x00+//g;
            "%s %-8s %-12s %10s %-45s \n",
            scalar( gmtime( unpack( "I4", $t3 ) ) ),
              unpack( "
I4", $type )
printf "\n" 

8.2  /usr/share/logwatch/default.conf/services ### this is where you define the services/config options of your script above

 # more /usr/share/logwatch/default.conf/services/my-report.conf
Title = "WTMP logs"
Logfile = wtmp

8.3  /etc/logwatch/conf/logfiles ### this is where the log files will be parsed

# more /etc/logwatch/conf/logfiles/wtmp.conf
# Define log file group for wtmp log

Logfile = /var/log/wtmp

NOTE: The reason I had the wtmp and wtmp.conf config files in red is because both names must be same. Different names will call different logs and if that log doesn't exist on the server you will get error in your logwatch report

9. Logwatch emails

No comments:

Post a Comment