Difference between revisions of "Logwatch"

From SME Server

Latest revision as of 03:36, 22 April 2021

Logwatch is a program that analyzes the server logs in /var/log to detect errors and warnings, for example unsuccessful authentication attempts or mail delivery errors. All logs are monitored, and an email summarizing the full report is sent to the SME Server administrator (admin) every night. To install the package:

yum --enablerepo=smecontribs install logwatch

Then, if you want a lighter report without the firewall section, you can type:

echo 'Service = "-iptables"' >> /etc/logwatch/conf/logwatch.conf
echo 'Service = "-iptables-multi"' >> /etc/logwatch/conf/logwatch.conf
signal-event post-upgrade && signal-event reboot

At present the program works without SME Server templates, so all modifications are made directly in the scripts and conf files.

Mixed tweaks

Mail messages in html

If you want the mail message in HTML format, edit the main Perl script with your favourite editor (mc, nano, joe, vi, ...):

/usr/share/logwatch/scripts/logwatch.pl

Find the line (it should be line 85):

$Config{'output'} = "unformatted";

and change it to:

$Config{'output'} = "html";

Parsing Fetchmail log

The current release does not contain a script to parse the fetchmail entries in /var/log/maillog; you can add a script and the related conf file to do this. Create the fetchmail script file:

/usr/share/logwatch/scripts/services/fetchmail

and paste into the file the following:

##########################################################################
# $Id: fetchmail $
##########################################################################

########################################################
# This was written and is maintained by:
#    Oron Peled <oron \@\ actcom.net.il>
#
########################################################
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %no_mail;
my %messages_for;
my %auth_fail;
my %conn_fail;

#Inits

while (defined($ThisLine = <STDIN>)) {
        chomp($ThisLine);
        $ThisLine =~ s/^[a-zA-Z0-9]+: //;
        if($ThisLine =~ s/^No mail for (\S+) at (\S+)//) {
                $no_mail{"${1} at ${2}"}++;
        } elsif($ThisLine =~ /^reading message /) {
                # ignore
        } elsif($ThisLine =~ s/^Query status=[23]//) {
                # ignore. Counted below (Authorization, Connection)
        } elsif($ThisLine =~ s/^Authorization failure on (\S+)//) {
                $auth_fail{"${1}"}++;
        } elsif($ThisLine =~ s/^\S+ connection to \S+ failed: .*//) {
                # ignore. Counted below
        } elsif($ThisLine =~ s/^connection to (\S+) \[[^]]+\] failed: (.*).//) {
                $conn_fail{"${1} -- ${2}"}++;
        } elsif($ThisLine =~ s/^(\d+) messages? for (\S+) at (\S+).*.//) {
                $messages_for{"${2} at ${3}"} += $1;
        } else {
                chomp($ThisLine);
                # Report any unmatched entries...
                $OtherList{$ThisLine}++;
        }
}

if (keys %messages_for) {
        my $total;
        print "\nMessages\n";
        foreach my $who (sort keys %messages_for) {
                print "   $who: $messages_for{$who}\n";
                $total += $messages_for{$who};
        }
        print "   Total: $total\n";
}

if (keys %conn_fail) {
        my $total;
        print "\nConnection failures\n";
        foreach my $who (sort keys %conn_fail) {
                print "   $who: $conn_fail{$who} Time(s)\n";
                $total += $conn_fail{$who};
        }
        print "   Total: $total\n";
}

if (keys %auth_fail) {
        my $total;
        print "\nAuthorization failures\n";
        foreach my $who (sort keys %auth_fail) {
                print "   $who: $auth_fail{$who} Time(s)\n";
                $total += $auth_fail{$who};
        }
        print "   Total: $total\n";
}

if (keys %no_mail) {
        my $total;
        print "\nNo Mail\n";
        foreach my $who (sort keys %no_mail) {
                print "   $who: $no_mail{$who} Time(s)\n";
                $total += $no_mail{$who};
        }
        print "   Total: $total\n";
}

if (keys %OtherList) {
        print "\n**Unmatched Entries**\n";
        foreach $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
                print "   $line: $OtherList{$line} Time(s)\n";
        }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et

File permissions are:

root:root rwxr-xr-x

Then you must create the corresponding conf file:

/usr/share/logwatch/default.conf/services/fetchmail.conf

and paste into the file the following:

###########################################################################
# $Id: fetchmail $
###########################################################################

# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

Title = "Fetchmail"

# Which logfile group...
LogFile = maillog

*OnlyService = fetchmail
*RemoveHeaders

#Fetchmail Global ENV Variables

########################################################
# This was written and is maintained by:
#    Oron Peled <oron \@\ actcom.net.il>
#
########################################################

# vi: shiftwidth=3 tabstop=3 et

File permissions are:

root:root rw-r--r--
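To see what the new service will report before the nightly mail goes out, here is an added Python re-implementation of the same classification rules (example code, not the page's Perl filter and not part of Logwatch), run over a constructed sample of lines as they look after *OnlyService and *RemoveHeaders have been applied. The pid-tagged last line shows that the filter's prefix-stripping regex leaves such lines under Unmatched Entries rather than dropping them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not real logs) of what the filter reads on STDIN after
# Logwatch has applied *OnlyService = fetchmail and *RemoveHeaders.
SAMPLE_LOG = [
    "fetchmail: 3 messages for alice at pop.example.net (12345 octets).",
    "fetchmail: reading message alice@pop.example.net:1 of 3 (4096 octets) flushed",
    "fetchmail: Authorization failure on bob@pop.example.net",
    "fetchmail: Authorization failure on bob@pop.example.net",
    "fetchmail: Query status=3 (AUTHFAIL)",
    "fetchmail: connection to pop.example.net [192.0.2.10] failed: Connection refused.",
    "fetchmail: No mail for carol at pop.example.net",
    "fetchmail[4242]: No mail for dave at pop.example.net",
]

# Same patterns, in the same order, as the Perl filter: first match wins.
RULES = [
    ("no_mail", re.compile(r"^No mail for (\S+) at (\S+)")),
    ("ignore", re.compile(r"^reading message ")),
    ("ignore", re.compile(r"^Query status=[23]")),
    ("auth_fail", re.compile(r"^Authorization failure on (\S+)")),
    ("ignore", re.compile(r"^\S+ connection to \S+ failed: .*")),
    ("conn_fail", re.compile(r"^connection to (\S+) \[[^]]+\] failed: (.*).")),
    ("messages_for", re.compile(r"^(\d+) messages? for (\S+) at (\S+)")),
]

def parse(lines):
    """Return {section: Counter} keyed exactly as the Perl script prints them."""
    counts = defaultdict(Counter)
    for raw in lines:
        # Strip a bare "fetchmail: " tag; "fetchmail[pid]: " does not match this
        # pattern, so such lines surface under **Unmatched Entries**.
        line = re.sub(r"^[a-zA-Z0-9]+: ", "", raw.rstrip("\n"))
        for section, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            if section == "no_mail":
                counts[section][f"{m[1]} at {m[2]}"] += 1
            elif section == "auth_fail":
                counts[section][m[1]] += 1
            elif section == "conn_fail":  # final "." dropped, as in the Perl
                counts[section][f"{m[1]} -- {m[2]}"] += 1
            elif section == "messages_for":
                counts[section][f"{m[2]} at {m[3]}"] += int(m[1])
            break
        else:
            counts["unmatched"][line] += 1
    return counts
```

The unmatched bucket is the section to read when fetchmail starts emitting a message format the filter does not know yet.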