Difference between revisions of "Logwatch"
Nicolatiana (talk | contribs) |
Unnilennium (talk | contribs) (move from contribs to how-to) |
||
(8 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Logwatch is a program that analyzes the server logs in /var/logs to detect errors and warnings such as, for | + | Logwatch is a program that analyzes the server logs in /var/logs to detect errors and warnings such as, for example, attempts unsuccessful of authentication, mail delivery errors ecc... |
All logs will be monitored, and an email summarizing the full report will be sent to the administrator of the Sme (admin) every night. | All logs will be monitored, and an email summarizing the full report will be sent to the administrator of the Sme (admin) every night. | ||
To install the package: | To install the package: | ||
Line 12: | Line 12: | ||
signal-event post-upgrade && signal-event reboot | signal-event post-upgrade && signal-event reboot | ||
− | The program at the present time works without templates so all modification can be performed directly over conf files. | + | The program at the present time works without templates so all modification can be performed directly over scripts/conf files. |
==Mixed tweaks== | ==Mixed tweaks== | ||
===Mail messages in html=== | ===Mail messages in html=== | ||
− | If you want the mail message in html format you must edit the | + | If you want the mail message in html format you must edit the main perl script with your favourite editor (mc, nano, joe, vi....): |
/usr/share/logwatch/scripts/logwatch.pl | /usr/share/logwatch/scripts/logwatch.pl | ||
− | find the line (it should be line | + | find the line (it should be line 85): |
$Config{'output'} = "unformatted"; | $Config{'output'} = "unformatted"; | ||
and modify it in: | and modify it in: | ||
$Config{'output'} = "html"; | $Config{'output'} = "html"; | ||
+ | |||
===Parsing Fetchmail log=== | ===Parsing Fetchmail log=== | ||
− | The actual | + | The actual release does not contain a script to parse /var/maillog; you can simply add a script and the related conf to do this. |
+ | Create the fetchmail script file: | ||
+ | /usr/share/logwatch/scripts/services/fetchmail | ||
+ | and paste into the file the following: | ||
+ | ########################################################################## | ||
+ | # $Id: fetchmail $ | ||
+ | ########################################################################## | ||
+ | |||
+ | ######################################################## | ||
+ | # This was written and is maintained by: | ||
+ | # Oron Peled <oron \@\ actcom.net.il> | ||
+ | # | ||
+ | ######################################################## | ||
+ | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; | ||
+ | my %no_mail; | ||
+ | my %messages_for; | ||
+ | my %auth_fail; | ||
+ | my %conn_fail; | ||
+ | |||
+ | #Inits | ||
+ | |||
+ | while (defined($ThisLine = <STDIN>)) { | ||
+ | chomp($ThisLine); | ||
+ | $ThisLine =~ s/^[a-zA-Z0-9]+: //; | ||
+ | if($ThisLine =~ s/^No mail for (\S+) at (\S+)//) { | ||
+ | $no_mail{"${1} at ${2}"}++; | ||
+ | } elsif($ThisLine =~ /^reading message /) { | ||
+ | # ignore | ||
+ | } elsif($ThisLine =~ s/^Query status=[23]//) { | ||
+ | # ignore. Counted below (Authorization, Connection) | ||
+ | } elsif($ThisLine =~ s/^Authorization failure on (\S+)//) { | ||
+ | $auth_fail{"${1}"}++; | ||
+ | } elsif($ThisLine =~ s/^\S+ connection to \S+ failed: .*//) { | ||
+ | # ignore. Counted below | ||
+ | } elsif($ThisLine =~ s/^connection to (\S+) \[[^]]+\] failed: (.*).//) { | ||
+ | $conn_fail{"${1} -- ${2}"}++; | ||
+ | } elsif($ThisLine =~ s/^(\d+) messages? for (\S+) at (\S+).*.//) { | ||
+ | $messages_for{"${2} at ${3}"} += $1; | ||
+ | } else { | ||
+ | chomp($ThisLine); | ||
+ | # Report any unmatched entries... | ||
+ | $OtherList{$ThisLine}++; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | if (keys %messages_for) { | ||
+ | my $total; | ||
+ | print "\nMessages\n"; | ||
+ | foreach my $who (sort keys %messages_for) { | ||
+ | print " $who: $messages_for{$who}\n"; | ||
+ | $total += $messages_for{$who}; | ||
+ | } | ||
+ | print " Total: $total\n"; | ||
+ | } | ||
+ | |||
+ | if (keys %conn_fail) { | ||
+ | my $total; | ||
+ | print "\nConnection failures\n"; | ||
+ | foreach my $who (sort keys %conn_fail) { | ||
+ | print " $who: $conn_fail{$who} Time(s)\n"; | ||
+ | $total += $conn_fail{$who}; | ||
+ | } | ||
+ | print " Total: $total\n"; | ||
+ | } | ||
+ | |||
+ | if (keys %auth_fail) { | ||
+ | my $total; | ||
+ | print "\nAuthorization failures\n"; | ||
+ | foreach my $who (sort keys %auth_fail) { | ||
+ | print " $who: $auth_fail{$who} Time(s)\n"; | ||
+ | $total += $auth_fail{$who}; | ||
+ | } | ||
+ | print " Total: $total\n"; | ||
+ | } | ||
+ | |||
+ | if (keys %no_mail) { | ||
+ | my $total; | ||
+ | print "\nNo Mail\n"; | ||
+ | foreach my $who (sort keys %no_mail) { | ||
+ | print " $who: $no_mail{$who} Time(s)\n"; | ||
+ | $total += $no_mail{$who}; | ||
+ | } | ||
+ | print " Total: $total\n"; | ||
+ | } | ||
+ | |||
+ | if (keys %OtherList) { | ||
+ | print "\n**Unmatched Entries**\n"; | ||
+ | foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) { | ||
+ | print " $line: $OtherList{$line} Time(s)\n"; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | exit(0); | ||
+ | |||
+ | # vi: shiftwidth=3 tabstop=3 syntax=perl et | ||
+ | |||
+ | File permissions are: | ||
+ | root:root rwxr-xr-x | ||
+ | |||
+ | Then you must create the corresponding conf file: | ||
+ | /usr/share/logwatch/default.conf/services/fetchmail.conf | ||
+ | and paste into the file the following: | ||
+ | |||
+ | ########################################################################### | ||
+ | # $Id: fetchmail $ | ||
+ | ########################################################################### | ||
+ | |||
+ | # You can put comments anywhere you want to. They are effective for the | ||
+ | # rest of the line. | ||
+ | |||
+ | # this is in the format of <name> = <value>. Whitespace at the beginning | ||
+ | # and end of the lines is removed. Whitespace before and after the = sign | ||
+ | # is removed. Everything is case *insensitive*. | ||
+ | |||
+ | # Yes = True = On = 1 | ||
+ | # No = False = Off = 0 | ||
+ | |||
+ | Title = "Fetchmail" | ||
+ | |||
+ | # Which logfile group... | ||
+ | LogFile = maillog | ||
+ | |||
+ | *OnlyService = fetchmail | ||
+ | *RemoveHeaders | ||
+ | |||
+ | #Fetchmail Global ENV Variables | ||
+ | |||
+ | ######################################################## | ||
+ | # This was written and is maintained by: | ||
+ | # Oron Peled <oron \@\ actcom.net.il> | ||
+ | # | ||
+ | ######################################################## | ||
+ | |||
+ | # vi: shiftwidth=3 tabstop=3 et | ||
+ | |||
+ | File permissions are: | ||
+ | root:root rw-r--r-- | ||
− | [[Category:Administration:Monitoring]][[Category: | + | [[Category:Administration:Monitoring]][[Category:Howto]] |
Latest revision as of 03:36, 22 April 2021
Logwatch is a program that analyzes the server logs in /var/logs to detect errors and warnings such as, for example, attempts unsuccessful of authentication, mail delivery errors ecc... All logs will be monitored, and an email summarizing the full report will be sent to the administrator of the Sme (admin) every night. To install the package:
yum --enablerepo=smecontribs install logwatch
then you can type this if you want a report lighter without the firewall reporting
echo 'Service = "-iptables"' >> /etc/logwatch/conf/logwatch.conf echo 'Service = "-iptables-multi"' >> /etc/logwatch/conf/logwatch.conf
signal-event post-upgrade && signal-event reboot
The program at the present time works without templates so all modification can be performed directly over scripts/conf files.
Mixed tweaks
Mail messages in html
If you want the mail message in html format you must edit the main perl script with your favourite editor (mc, nano, joe, vi....):
/usr/share/logwatch/scripts/logwatch.pl
find the line (it should be line 85):
$Config{'output'} = "unformatted";
and modify it in:
$Config{'output'} = "html";
Parsing Fetchmail log
The actual release does not contain a script to parse /var/maillog; you can simply add a script and the related conf to do this. Create the fetchmail script file:
/usr/share/logwatch/scripts/services/fetchmail
and paste into the file the following:
########################################################################## # $Id: fetchmail $ ########################################################################## ######################################################## # This was written and is maintained by: # Oron Peled <oron \@\ actcom.net.il> # ######################################################## my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %no_mail; my %messages_for; my %auth_fail; my %conn_fail; #Inits while (defined($ThisLine = <STDIN>)) { chomp($ThisLine); $ThisLine =~ s/^[a-zA-Z0-9]+: //; if($ThisLine =~ s/^No mail for (\S+) at (\S+)//) { $no_mail{"${1} at ${2}"}++; } elsif($ThisLine =~ /^reading message /) { # ignore } elsif($ThisLine =~ s/^Query status=[23]//) { # ignore. Counted below (Authorization, Connection) } elsif($ThisLine =~ s/^Authorization failure on (\S+)//) { $auth_fail{"${1}"}++; } elsif($ThisLine =~ s/^\S+ connection to \S+ failed: .*//) { # ignore. Counted below } elsif($ThisLine =~ s/^connection to (\S+) \^+\] failed: (.*).//) { $conn_fail{"${1} -- ${2}"}++; } elsif($ThisLine =~ s/^(\d+) messages? for (\S+) at (\S+).*.//) { $messages_for{"${2} at ${3}"} += $1; } else { chomp($ThisLine); # Report any unmatched entries... $OtherList{$ThisLine}++; } } if (keys %messages_for) { my $total; print "\nMessages\n"; foreach my $who (sort keys %messages_for) { print " $who: $messages_for{$who}\n"; $total += $messages_for{$who}; } print " Total: $total\n"; } if (keys %conn_fail) { my $total; print "\nConnection failures\n"; foreach my $who (sort keys %conn_fail) { print " $who: $conn_fail{$who} Time(s)\n"; $total += $conn_fail{$who}; } print " Total: $total\n"; } if (keys %auth_fail) { my $total; print "\nAuthorization failures\n"; foreach my $who (sort keys %auth_fail) { print " $who: $auth_fail{$who} Time(s)\n"; $total += $auth_fail{$who}; } print " Total: $total\n"; } if (keys %no_mail) { my $total; print "\nNo Mail\n"; foreach my $who (sort keys %no_mail) { print " $who: $no_mail{$who} Time(s)\n"; $total += $no_mail{$who}; } print " Total: $total\n"; } if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et
File permissions are:
root:root rwxr-xr-x
Then you must create the corresponding conf file:
/usr/share/logwatch/default.conf/services/fetchmail.conf
and paste into the file the following:
########################################################################### # $Id: fetchmail $ ########################################################################### # You can put comments anywhere you want to. They are effective for the # rest of the line. # this is in the format of <name> = <value>. Whitespace at the beginning # and end of the lines is removed. Whitespace before and after the = sign # is removed. Everything is case *insensitive*. # Yes = True = On = 1 # No = False = Off = 0 Title = "Fetchmail" # Which logfile group... LogFile = maillog *OnlyService = fetchmail *RemoveHeaders #Fetchmail Global ENV Variables ######################################################## # This was written and is maintained by: # Oron Peled <oron \@\ actcom.net.il> # ######################################################## # vi: shiftwidth=3 tabstop=3 et
File permissions are:
root:root rw-r--r--