Logwatch is very easy to install and practical for spotting possible attacks or any errors produced by the services installed on your server.
Indeed, Logwatch sends you a summary of your logs by e-mail every day.
Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.
Note: Logwatch needs Postfix to send the summary by e-mail. To install and configure Postfix, refer to the tutorial: Debian - Install and secure a complete mail server
To begin, install "logwatch":
Bash
apt-get install logwatch
Then, edit the "/usr/share/logwatch/default.conf/logwatch.conf" file like this:
Bash
MailTo = webmaster@your-domain.com
MailFrom = logwatch@your-domain.com
The changes will be reflected the next time Logwatch runs.
Note: A cron job "00logwatch" was created to launch "logwatch" every day at the same hour.
Every day, you will receive a report similar to this:
Plain Text
################### Logwatch x.x.x (xx/xx/xx) ####################
Processing Initiated: xxx xx xx xx:xx:xx xxxx
Date Range Processed: yesterday
( xxxx-xx-xx )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: xxxxxxx
##################################################################

--------------------- dpkg status changes Begin ------------------------

Installed:
[package name]:[cpu architecture] x.xx-x

Upgraded:
[package name]:[cpu architecture] x:x.x.x... => x:x.x.x...

---------------------- dpkg status changes End -------------------------

--------------------- httpd Begin ------------------------

A total of xx sites probed the server
xx.xx.xx.xx
xx.xx.xx.xx
xx.xx.xx.xx
xx.xx.xx.xx
xx.xx.xx.xx

Requests with error response codes
400 Bad Request
/a-bad-request.html: x Time(s)
401 Unauthorized
/a-restricted-page.php: x Time(s)
404 Not Found
/a-not-found-page.html: x Time(s)
405 Method Not Allowed
/a-not-allowed-method.jpg: x Time(s)
408 Request Timeout
null: x Time(s)
500 Internal Server Error
/: 1 Time(s)
501 Not Implemented
/: x Time(s)

---------------------- httpd End -------------------------

--------------------- IMAP Begin ------------------------

[IMAPd] Logout stats:
====================
User | Logouts | Downloaded | Mbox Size
--------------------------------------- | ------- | ---------- | ----------
an-email-account@your-domain.com | x | xxxx | x
---------------------------------------------------------------------------
 | x | xxxx | x

---------------------- IMAP End -------------------------

--------------------- POP-3 Begin ------------------------

[POP3] Login failures:
=========================
Host (user) | #
------------------------------------------------------------- | -----------
xx.xx.xx.xx (an-email-account@your-domain.com) | x
---------------------------------------------------------------------------
 | x

---------------------- POP-3 End -------------------------

--------------------- pam_unix Begin ------------------------

xxxxxftpd: Unknown Entries:
authentication failure; logname= uid=x euid=x tty=/dev/ftpdxxxxxx ruser=xxxxxx rhost=xxx.xxx.xxx.xxx user=xxxxxx: x Time(s)

---------------------- pam_unix End -------------------------

--------------------- Postfix Begin ------------------------

xx Miscellaneous warnings

x.xxxK Bytes accepted x,xxx
x.xxxK Bytes delivered x,xxx
======== ==================================================

xx Accepted xx.xx%
xx Rejected xx.xx%
-------- --------------------------------------------------
xx Total 100.00%
======== ==================================================

xx 5xx Reject relay denied xx.xx%
xx 5xx Reject unknown user xx.xx%
-------- --------------------------------------------------
xx Total 5xx Rejects 100.00%
======== ==================================================

xx Connections
xx Connections lost (inbound)
xx Disconnections
xx Removed from queue
xx Delivered

---------------------- Postfix End -------------------------

--------------------- xxxxftpd-messages Begin -----------------------

**Unmatched Entries**
pam_unix(xxxxftpd:session): session opened for user xxxxxxxx by (uid=x)
pam_unix(xxxxftpd:session): session closed for user xxxxxxxx

---------------------- xxxxftpd-messages End ------------------------

--------------------- sasl auth daemon Begin ------------------------

SASL Authentications failed xx Time(s)
Service smtp (pam) - xx Time(s):
Realm domain.com - xx Time(s):
User: account@domain.com - PAM auth error - xx Time(s):
...

---------------------- sasl auth daemon End -------------------------

--------------------- SSHD Begin ------------------------

Users logging in through sshd:
xxxxxxxx:
xx.xx.xx.xx (xx-xx-xx-xx.xxx.fai.com): 2 times

---------------------- SSHD End -------------------------

--------------------- Syslog-ng Begin ------------------------

Syslog-ng reloaded: x Time(s)

---------------------- Syslog-ng End -------------------------

--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/xxxx xxG x.xG xxG xx% /

---------------------- Disk Space End -------------------------

###################### Logwatch End #########################
If you don't receive the Logwatch mail (e.g. because of a problem with your e-mail server), you can start Logwatch manually by entering this command:
Note: Wait a few seconds while Logwatch generates and sends the report by e-mail.
Bash
/etc/cron.daily/00logwatch
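The configuration step above edits the packaged default file; as an added example (not part of the original tutorial), this script writes the same MailTo/MailFrom settings into the local override file /etc/logwatch/conf/logwatch.conf instead, so a package upgrade does not overwrite them, and previews a report on the terminal the way the manual run does. The e-mail addresses and the file path are placeholders, and a target file can be passed as the first argument for testing.

```shell
#!/bin/sh
# Added example: idempotent Logwatch configuration via the /etc/logwatch override
# (entries there take precedence over /usr/share/logwatch/default.conf/).
# Assumes a POSIX sh with sed, grep and tail. Values must not contain '|' or '&'.

# set_logwatch_option FILE KEY VALUE: replace an existing "KEY = ..." line or append one.
set_logwatch_option() {
    file="$1"; key="$2"; value="$3"
    [ -d "$(dirname "$file")" ] || mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_logwatch_option FILE KEY: print the configured value (last definition wins).
get_logwatch_option() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configure_logwatch [FILE]: apply the tutorial's settings (placeholder addresses).
configure_logwatch() {
    conf="${1:-/etc/logwatch/conf/logwatch.conf}"
    set_logwatch_option "$conf" MailTo   "webmaster@your-domain.com"
    set_logwatch_option "$conf" MailFrom "logwatch@your-domain.com"
    set_logwatch_option "$conf" Output   "mail"   # the default, stated explicitly
}

# preview_report: run yesterday's report to stdout instead of mail, to check that
# the service parsers produce output before relying on the daily cron job.
preview_report() {
    command -v logwatch >/dev/null 2>&1 || { echo "logwatch is not installed" >&2; return 1; }
    logwatch --output stdout --range yesterday --detail Med
}

if [ "${1:-}" = "apply" ]; then
    configure_logwatch
    preview_report
fi
```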
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.