LogWatch Testing on Gentoo LTS

logwatch is a daily task that summarizes the logs on a machine and generates a nicely-formatted email message describing them. In our case, logging is centralized to both MySQL and to flat files in a unique directory for each host, though we may remove the flat files eventually.


Installation

Install by executing the command below. In the default configuration, logwatch runs nightly and emails the results to root.

emerge -av logwatch

Configuration

The default configuration is in /usr/share/logwatch/default.conf/logwatch.conf. That file is package-owned and is replaced whenever logwatch is updated, so add or override settings by putting them in /etc/logwatch/conf/logwatch.conf instead; settings there take precedence over the defaults. Note that the conf/ directory does not exist on a fresh install, so create it first. Here are some suggestions for /etc/logwatch/conf/logwatch.conf:

# Disable the disk-space display
Service="-zz-disk_space"
# Send mail elsewhere
MailTo="me@myhost.com"
# Give me more information
Detail=Med

Flat Files

Quick and dirty script to run logwatch once for every host, taking the host name from its directory under /var/logs/, cron'ed to run early every morning:

#!/bin/bash
# One logwatch run per host directory under /var/logs/.
# -mindepth 1 keeps /var/logs/ itself out of the list; without it the loop
# also runs logwatch against a non-existent /var/logs/logs/ directory.
for HOST in $(find /var/logs/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | sort)
do
    /usr/bin/nice -n 5 /usr/sbin/logwatch.pl --logdir "/var/logs/$HOST/" --hostname "$HOST"
done

Alternatively, add this for loop to the logwatch script in /etc/cron.daily/ so that it runs as part of the normal nightly job.

Note: You could also check out these entries in /usr/share/logwatch/default.conf/logwatch.conf, which control whether a single logwatch run splits its report by host and whether each host gets its own email:

SplitHosts = yes
HostLimit = no
MultiEmail = no

Links

Woes

Problem: Running logwatch via cron produces the following errors:

Can't exec "sendmail": No such file or directory at /usr/sbin/logwatch.pl line 1017, line 1.
Can't execute sendmail -t: No such file or directory

Resolution: The sendmail executable was not in PATH when logwatch ran as a cron job (cron supplies a minimal PATH that usually lacks /usr/sbin). Update the mailer definition with the full path to sendmail. The override belongs in /etc/logwatch/conf/logwatch.conf rather than in the default file under /usr/share, because the default file is package-owned and is overwritten when logwatch is re-emerged.

Here is the corrected line, as applied in /usr/share/logwatch/default.conf/logwatch.conf (the same line works in /etc/logwatch/conf/logwatch.conf):

mailer = "/usr/sbin/sendmail -t"
 
Problem: Very large amount of "unmatched entries" in the postfix report similar to:

# date time server postfix/lmtp[#####]: discarding EHLO keywords: PIPELINING

Resolution: Create /etc/logwatch/conf/ignore.conf, if it does not exist, and add the following line. Each line of ignore.conf is a regular expression; any report line that matches one is suppressed, so keep the pattern as specific as the unwanted entry allows or it will also hide lines you want to see:

.*discarding EHLO keywords: PIPELINING

Links:
postfix-logwatch and amavis-logwatch log reporters FAQ
Logwatch and 5.0.1 now sending out LARGE messages
How can I get logwatch to ignore unmatched entries?
 
Problem: Very large amount of "unmatched entries" in the amavisd-new report similar to:

[...] LMTP:[ipaddr]:10025 /var/amavis/tmp/amavis-[...] Received: from mail.lsit.ucsb.edu ([128.111.90.138]) by filter-priv.lsit.ucsb.edu (filter.lsit.ucsb.edu [128.111.90.145]) (amavisd-new, port 10025) with LMTP for [...]

Resolution: Added the following line to /etc/logwatch/conf/ignore.conf (it may word-wrap here for readability, but it must be a single line in the file):

LMTP:\[128.111.90.145\]:10025 /var/amavis/tmp/amavis-.*Received: from mail.lsit.ucsb.edu \(\[128.111.90.138\]\) by filter-priv.lsit.ucsb.edu \(filter.lsit.ucsb.edu \[128.111.90.145\]\) \(amavisd-new, port 10025\) with LMTP for.*
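Both the postfix and the amavisd-new fixes above add a regular expression to ignore.conf, and a pattern that is too loose silently hides report lines you still want (rejects, for instance). The script below is an added example, not part of the original page: it dry-runs a candidate ignore.conf body against constructed sample lines and reports what survives. It assumes that logwatch treats each non-blank, non-comment line of ignore.conf as a regular expression and suppresses every report line that matches, and that the "unmatched entries" lines reproduce the raw log line, so filtering raw lines is a fair stand-in. grep -E stands in for logwatch's Perl regex engine; the two agree for the patterns on this page, but Perl-only syntax such as \d or lookaheads would not be checked correctly. The sample log lines and the hostnames in them are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): dry-run an ignore.conf body
# against sample log lines to see what a pattern will suppress before it goes
# into /etc/logwatch/conf/ignore.conf.
#
# Assumption: logwatch applies each non-blank, non-comment line of ignore.conf
# as a regular expression and drops every matching report line. grep -E is
# used here in place of logwatch's Perl regex engine.

# Constructed sample lines modelled on the postfix noise described above.
# The two smtpd lines are the kind of entry that must survive the filter.
SAMPLE_LOG='May  5 03:12:01 mx postfix/lmtp[4121]: discarding EHLO keywords: PIPELINING
May  5 03:12:02 mx postfix/smtpd[4130]: connect from unknown[192.0.2.10]
May  5 03:12:03 mx postfix/lmtp[4121]: discarding EHLO keywords: PIPELINING
May  5 03:12:04 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1'

# The pattern from the page, written as it would appear in ignore.conf.
IGNORE_OK='# blank lines and comments are skipped
.*discarding EHLO keywords: PIPELINING
'

# An over-broad candidate that silences every postfix line, rejects included.
IGNORE_TOO_BROAD='.*postfix/.*'

# active_patterns CONF: print the non-blank, non-comment lines of CONF
active_patterns() {
    printf '%s\n' "$1" | grep -v -E '^[[:space:]]*(#|$)' || true
}

# filter_log LOG CONF: print the lines of LOG that no pattern in CONF matches
filter_log() {
    tmp=$(mktemp) || return 1
    active_patterns "$2" > "$tmp"
    if [ -s "$tmp" ]; then
        # grep -v exits 1 when it drops everything; that is a result, not an error
        printf '%s\n' "$1" | grep -v -E -f "$tmp" || true
    else
        printf '%s\n' "$1"
    fi
    rm -f "$tmp"
}

# count_kept LOG CONF: number of log lines that survive the filter
count_kept() {
    filter_log "$1" "$2" | grep -c . || true
}

# count_dropped LOG CONF: number of log lines the filter suppresses
count_dropped() {
    total=$(printf '%s\n' "$1" | grep -c . || true)
    kept=$(count_kept "$1" "$2")
    echo $((total - kept))
}

# Show the effect of each candidate ignore.conf on the sample.
echo "kept with the page's pattern:"
filter_log "$SAMPLE_LOG" "$IGNORE_OK"
echo "dropped: $(count_dropped "$SAMPLE_LOG" "$IGNORE_OK")"
echo
echo "kept with the over-broad pattern: $(count_kept "$SAMPLE_LOG" "$IGNORE_TOO_BROAD") line(s)"
```

Run it with the pattern you intend to add in place of IGNORE_OK and a handful of real lines from the report you want to keep; if count_kept drops below the number of lines you expect to keep, the pattern is too broad.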
 
Date: 5/5/11
Problem: Logwatch daily reports are showing significantly lower than actual spam counts for amavis:

--------------------- Amavisd-new Begin ------------------------
   2335   Clean passed              99.40%
     14   Spam passed                0.60%
--------   ------------------------------------------------
   2349   Total Messages Scanned   100.00%
========   ================================================
Resolution