Logwatch How-To for CentOS or Red Hat

By Scott Miller | 2013/03/11

Logwatch is the classic log-reporting utility that emails a daily summary of activity from Linux logs. On CentOS, the default install of logwatch does not have many fancy features enabled. I’ll show you how to configure logwatch!


First, install logwatch:

$ sudo yum install logwatch


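Next, create a few override files with custom settings. Files under /etc/logwatch/conf override the packaged defaults, so your changes are not lost when the logwatch rpm is updated.

Create the following file: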

$ sudo vim /etc/logwatch/conf/services/zz-disk_space.conf

Put in the following contents:

#New disk report options
#Uncomment this to show the home directory sizes
$show_home_dir_sizes = 1
$home_dir = "/home"

#Uncomment this to show the mail spool size
$show_mail_dir_sizes = 1
$mail_dir = "/var/spool/mail"

#Uncomment this to show the system directory sizes /opt /usr/ /var/log
$show_disk_usage = 1


Next, create the following file:

$ sudo vim /etc/logwatch/conf/services/http.conf

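Put in these contents. The flag controls whether logwatch treats 4xx and 5xx error responses as possible hack attempts; setting it to 1 ignores them, so leave it at 0 if you want those requests flagged in the report: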

# Set flag to 1 to enable ignore
# or set to 0 to disable
$HTTP_IGNORE_ERROR_HACKS = 1


Next, you may want to change the email address to which logwatch sends the report.

$ sudo vim /etc/logwatch/conf/logwatch.conf

Set MailTo to the desired email address:

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
#MailTo = root
MailTo = linuxadmins@mycompany.com


It is common practice to send root mail from all servers to a mailing list that all admins subscribe to.

Once complete, you may run logwatch manually at the command line with no options to test:

$ sudo logwatch


By default, logwatch runs from the daily cron jobs in /etc/cron.daily.

Below is an example logwatch output:

################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon Mar 11 06:25:04 2013
        Date Range Processed: yesterday
                              ( 2013-Mar-10 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: li166-66
  ##################################################################

 --------------------- Denyhosts Begin ------------------------

 new denied hosts:
     198.101.155.224

 ---------------------- Denyhosts End -------------------------


 --------------------- fail2ban-messages Begin ------------------------


 Banned services with Fail2Ban:                          Bans:Unbans
    ssh:                                                    [ 10:10 ]

 ---------------------- fail2ban-messages End -------------------------


 --------------------- httpd Begin ------------------------


 Requests with error response codes
    403 Forbidden
       /: 1 Time(s)
       /2011/12/28/check-site-for-malware-with-google-safe-browsing: 1 Time(s)
       /wp-content/gallery/centos6_netinstall/02_ ... _netinstall.png: 1 Time(s)
       /wp-login.php: 3 Time(s)
    404 Not Found
       /2012/05/22/install-nmap-6-on-debian-or-ub ... /icon_smile.gif: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 00ad59cfbe0d0e6: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 0428a5432cddd7a: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 100bbfd2fb6f814: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 29e2974b4e7a6d9: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 46e8cf0ecfe2950: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 93ac2279ce4b930: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... 9588a7ccfccc633: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... a4920cc0865dfcb: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... a8bb27807d8787c: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... crumb-arrow.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... ee9627dfa9953af: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... f2df84c37e4600c: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... linux/pixel.gif: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... n_donate_lg.gif: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... nux/default.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... nux/magnify.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... nux/twitter.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... ux/facebook.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ub ... x/nmap_logo.png: 1 Time(s)
       /2012/05/22/install-nmap-6-on-debian-or-ubuntu-linux/rss.png: 1 Time(s)
       /admin/config.php: 1 Time(s)
       /index.php?do=register: 1 Time(s)
       /tag/button/feed/www.gimp.org: 1 Time(s)
       http://37.28.156.211/sprawdza.php: 1 Time(s)
       http://server5.cyberpods.net/azenv.php: 1 Time(s)
    408 Request Timeout
       null: 605 Time(s)
    500 Internal Server Error
       /wp-comments-post.php: 3 Time(s)
    501 Not Implemented
       null: 2 Time(s)

 ---------------------- httpd End -------------------------


 --------------------- iptables firewall Begin ------------------------


 Listed by source hosts:
 Logged 610 packets on interface eth0
   From 1.34.254.8 - 1 packet to tcp(23)
   From 2.28.22.209 - 11 packets to tcp(443)
   From 2.50.172.58 - 3 packets to tcp(3389)
   From 5.34.242.184 - 3 packets to tcp(3128)
   From 15.219.201.68 - 18 packets to tcp(80)
   From 38.81.66.114 - 18 packets to tcp(4242)
   From 41.137.24.82 - 3 packets to tcp(80)
   From 42.96.156.107 - 2 packets to tcp(3389)
   From 46.20.35.92 - 1 packet to udp(6060)
   From 49.88.119.47 - 9 packets to tcp(3899,4899,4900)
   From 59.165.88.171 - 1 packet to tcp(23)
   From 60.191.170.125 - 2 packets to tcp(135)
   From 60.218.122.219 - 1 packet to tcp(1433)
   From 61.147.103.188 - 1 packet to tcp(1433)
   From 61.155.106.212 - 1 packet to tcp(1433)
   From 61.174.50.67 - 1 packet to tcp(135)
   From 66.207.200.146 - 3 packets to tcp(1433,3306,8080)
   From 69.155.10.189 - 1 packet to tcp(23)
   From 69.172.200.161 - 8 packets to tcp(12623)
   From 69.175.126.170 - 1 packet to udp(5353)
   From 72.223.99.33 - 1 packet to udp(56423)
   From 77.232.135.244 - 1 packet to tcp(5900)
   From 78.43.232.88 - 22 packets to tcp(80)
   From 78.69.210.213 - 31 packets to tcp(80)
   From 79.10.37.58 - 1 packet to udp(56423)
   From 80.24.53.69 - 18 packets to tcp(21)
   From 80.212.224.97 - 4 packets to tcp(80)
   From 82.173.96.40 - 6 packets to tcp(80)
   From 83.8.73.55 - 1 packet to udp(17569)
   From 85.25.147.36 - 1 packet to udp(5060)
   From 87.4.17.169 - 2 packets to tcp(80)
   From 87.246.138.244 - 3 packets to tcp(8080)
   From 92.86.253.174 - 3 packets to tcp(80)
   From 93.115.85.194 - 1 packet to tcp(5900)
   From 93.214.142.24 - 10 packets to tcp(80)
   From 94.20.26.2 - 1 packet to tcp(80)
   From 96.254.171.2 - 4 packets to tcp(1080,3128,8080)
   From 98.143.36.192 - 1 packet to tcp(8123)
   From 107.15.14.134 - 60 packets to tcp(4242)
   From 108.58.98.254 - 1 packet to tcp(23)
   From 108.171.254.201 - 2 packets to tcp(1433)
   From 110.76.47.71 - 1 packet to tcp(1433)
   From 113.11.194.210 - 1 packet to tcp(1433)
   From 115.238.247.123 - 1 packet to tcp(1433)
   From 117.35.157.251 - 1 packet to tcp(5900)
   From 117.79.89.16 - 1 packet to tcp(22222)
   From 118.123.255.173 - 1 packet to tcp(1433)
   From 118.126.16.10 - 1 packet to tcp(135)
   From 119.86.194.10 - 1 packet to udp(62752)
   From 121.10.133.143 - 1 packet to tcp(3389)
   From 122.141.177.94 - 1 packet to tcp(1433)
   From 122.226.109.101 - 2 packets to tcp(3389)
   From 123.30.66.69 - 2 packets to tcp(80)
   From 124.232.141.41 - 1 packet to tcp(1433)
   From 124.232.153.86 - 1 packet to tcp(3306)
   From 138.162.128.52 - 5 packets to tcp(80)
   From 138.162.128.54 - 4 packets to tcp(80)
   From 138.162.128.55 - 1 packet to tcp(80)
   From 142.196.45.37 - 4 packets to tcp(80)
   From 146.0.74.29 - 6 packets to tcp(8118)
   From 150.70.172.207 - 1 packet to tcp(80)
   From 173.199.120.51 - 5 packets to tcp(80)
   From 174.29.86.148 - 8 packets to tcp(80)
   From 175.207.157.7 - 1 packet to tcp(23)
   From 176.10.35.241 - 1 packet to tcp(5560)
   From 176.61.139.128 - 3 packets to tcp(3128)
   From 178.149.13.60 - 3 packets to tcp(80)
   From 178.170.91.6 - 1 packet to udp(5060)
   From 178.216.50.22 - 3 packets to tcp(8080)
   From 182.52.115.94 - 3 packets to tcp(4899)
   From 183.102.243.91 - 1 packet to tcp(3389)
   From 184.80.28.3 - 6 packets to udp(161)
   From 186.45.244.177 - 2 packets to tcp(5900)
   From 192.81.129.78 - 1 packet to tcp(5900)
   From 192.151.154.106 - 1 packet to tcp(3306)
   From 192.168.91.128 - 11 packets to tcp(80)
   From 198.13.96.197 - 3 packets to tcp(1433)
   From 198.20.70.114 - 1 packet to tcp(110)
   From 198.101.155.224 - 5 packets to tcp(22)
   From 198.154.104.41 - 2 packets to tcp(80)
   From 199.119.225.91 - 10 packets to tcp(22)
   From 199.245.52.26 - 1 packet to tcp(3072)
   From 202.22.199.229 - 11 packets to tcp(80)
   From 202.47.115.95 - 1 packet to tcp(23)
   From 202.91.241.246 - 1 packet to tcp(3389)
   From 203.116.39.115 - 22 packets to tcp(80)
   From 203.219.29.182 - 10 packets to tcp(80)
   From 204.227.127.170 - 4 packets to tcp(80)
   From 206.195.193.254 - 10 packets to tcp(80)
   From 210.13.80.217 - 1 packet to tcp(1433)
   From 211.110.10.146 - 1 packet to tcp(3306)
   From 211.162.79.51 - 1 packet to tcp(5900)
   From 218.25.237.230 - 1 packet to tcp(1433)
   From 218.80.254.147 - 1 packet to tcp(3389)
   From 218.232.105.120 - 1 packet to tcp(1433)
   From 219.153.48.115 - 1 packet to tcp(3389)
   From 219.235.8.241 - 1 packet to tcp(1433)
   From 222.89.46.73 - 1 packet to tcp(1433)
   From 223.4.147.229 - 169 packets to tcp(22)
   From 223.18.147.116 - 1 packet to tcp(23)

 ---------------------- iptables firewall End -------------------------


 --------------------- Postfix Begin ------------------------

    6.561K  Bytes accepted                               6,718
    6.561K  Bytes sent via SMTP                          6,718
 ========   ==================================================

        6   Accepted                                    75.00%
        2   Rejected                                    25.00%
 --------   --------------------------------------------------
        8   Total                                      100.00%
 ========   ==================================================

        2   5xx Reject relay denied                    100.00%
 --------   --------------------------------------------------
        2   Total 5xx Rejects                          100.00%
 ========   ==================================================

        3   4xx Reject unknown client host             100.00%
 --------   --------------------------------------------------
        3   Total 4xx Rejects                          100.00%
 ========   ==================================================

        9   Connections
        6   Connections lost (inbound)
        9   Disconnections
        6   Removed from queue
        6   Sent via SMTP

        1   SMTP dialog errors
        1   Hostname verification errors


 ---------------------- Postfix End -------------------------


 --------------------- SSHD Begin ------------------------


 Illegal users from:
    198.101.155.224: 8 times

 Refused incoming connections:
       198.101.155.224 (198.101.155.224): 2 Time(s)

 **Unmatched Entries**
 reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.147.229] failed - POSSIBLE BREAK-IN ATTEMPT! : 25 time(s)

 ---------------------- SSHD End -------------------------


 --------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/xvda              47G   15G   32G  32% /
 /dev                  502M  112K  502M   1% /dev



 ------------- Directory Sizes ---------------

 Size    Location
 (GB)
 818M   /var/log
 1.4G   /usr


 ------------- Directory Sizes ---------------



 ------------- Home Directory Sizes ---------------

 Size    Location
 (MB)
 3.9G   /home/asdfasdf


 ------------- Home Directory Sizes ---------------



 ------------- Mail Directory Sizes ---------------

 Size    Location
 (MB)
 176K   /var/spool/mail/root


 ------------- Mail Directory Sizes ---------------


 ---------------------- Disk Space End -------------------------


 ###################### Logwatch End #########################
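
A daily report like the one above is only useful if someone reads the long iptables section, so here is an added example (not part of the original post) that pulls the busiest source hosts out of a saved text report. The function names and the sample report are assumptions made for illustration; the sample is constructed and uses documentation-range addresses.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Sample report is constructed; addresses are RFC 5737 documentation ranges.
sample_report() {
cat <<'EOF'
 --------------------- iptables firewall Begin ------------------------

 Listed by source hosts:
 Logged 242 packets on interface eth0
   From 192.0.2.10 - 1 packet to tcp(23)
   From 198.51.100.7 - 9 packets to tcp(3899,4899,4900)
   From 198.51.100.99 - 3 packets to tcp(22222)
   From 203.0.113.5 - 60 packets to tcp(4242)
   From 203.0.113.77 - 169 packets to tcp(22)

 ---------------------- iptables firewall End -------------------------

 --------------------- SSHD Begin ------------------------

 Illegal users from:
    198.51.100.23: 8 times

 ---------------------- SSHD End -------------------------
EOF
}

# report_section NAME: print the body between "NAME Begin" and "NAME End".
report_section() {
  awk -v name="$1" '
    /^ *-+ / && index($0, " " name " Begin ") { on = 1; next }
    /^ *-+ / && index($0, " " name " End ")   { on = 0 }
    on
  '
}

# noisy_sources MIN [PORT]: print "packets ip proto(ports)", busiest first,
# for sources with at least MIN packets (optionally only those hitting PORT).
noisy_sources() {
  report_section "iptables firewall" | awk -v min="$1" -v port="${2:-}" '
    # Strict match: the report is built from attacker-influenced log data.
    $1 == "From" && $3 == "-" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      ports = $NF
      sub(/^[a-z]+\(/, "", ports); sub(/\)$/, "", ports)
      hit = (port == "")
      k = split(ports, p, ",")
      for (i = 1; i <= k; i++) if (p[i] == port) hit = 1
      if ($4 + 0 >= min && hit) print $4 + 0, $2, $NF
    }
  ' | sort -rn
}

sample_report | noisy_sources 50
```

Feed it a real report on standard input in place of `sample_report`; passing a port as the second argument (for example `noisy_sources 1 22`) narrows the list to sources that touched that port.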

5 thoughts on “Logwatch How-To for CentOS or Red Hat”

  1. Sergio

    Can you post your entire configuration file?
    I am interested in “iptables” and “postfix” section 🙂

    Thanks!

  2. Ed Gage

    path is … default.conf … , not defaults.conf

  3. John Wingenbach

    While this will work, this is wrong. Modifying the standard configuration files can result in lost customizations when the logwatch rpm is updated. Customizations should be done in the pertinent files in /etc/logwatch. See /usr/share/doc/logwatch*/HOWTO-Customize-LogWatch for instructions on overriding the standard configurations.

    1. Scott Miller Post author

      Thanks! I will update this post with your input.

      Update: Done.
