Logwatch is very easy to install and practical to detect possible attacks from pirates or any errors produced by the services installed on your server.
Indeed, Logwatch send you a summary of your logs by e-mail every day.
Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.
Note : Logwatch needs Postfix to send the summary by e-mail. To install and configure Postfix, refer to the tutorial : Debian - Install and secure a complete mail server
To begin installing "logwatch".
Bash
apt-get install logwatch
Then, edit the "/usr/share/logwatch/default.conf/logwatch.conf" file like this :
Bash
MailTo = webmaster@your-domain.com MailFrom = logwatch@your-domain.com
The changes will be reflected the next time logwatch.
Note : A cron job "00logwatch" was created to launch "logwatch" every day at the same hour.
Every day, you will receive a report similar to this :
Plain Text
################### Logwatch x.x.x (xx/xx/xx) #################### Processing Initiated: xxx xx xx xx:xx:xx xxxx Date Range Processed: yesterday ( xxxx-xx-xx ) Period is day. Detail Level of Output: 0 Type of Output/Format: mail / text Logfiles for Host: xxxxxxx ################################################################## --------------------- dpkg status changes Begin ------------------------ Installed: [package name]:[cpu architecture] x.xx-x Upgraded: [package name]:[cpu architecture] x:x.x.x... => x:x.x.x... ---------------------- dpkg status changes End ------------------------- --------------------- httpd Begin ------------------------ A total of xx sites probed the server xx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx Requests with error response codes 400 Bad Request /a-bad-request.html: x Time(s) 401 Unauthorized /a-restricted-page.php: x Time(s) 404 Not Found /a-not-found-page.html: x Time(s) 405 Method Not Allowed /a-not-allowed-method.jpg: x Time(s) 408 Request Timeout null: x Time(s) 500 Internal Server Error /: 1 Time(s) 501 Not Implemented /: x Time(s) ---------------------- httpd End ------------------------- --------------------- IMAP Begin ------------------------ [IMAPd] Logout stats: ==================== User | Logouts | Downloaded | Mbox Size --------------------------------------- | ------- | ---------- | ---------- an-email-account@your-domain.com | x | xxxx | x --------------------------------------------------------------------------- x | xxxx | x ---------------------- IMAP End ------------------------- --------------------- POP-3 Begin ------------------------ [POP3] Login failures: ========================= Host (user) | # ------------------------------------------------------------- | ----------- xx.xx.xx.xx (an-email-account@your-domain.com) | x --------------------------------------------------------------------------- x ---------------------- POP-3 End ------------------------- --------------------- pam_unix Begin ------------------------ xxxxxftpd: Unknown Entries: authentication failure; logname= uid=x euid=x tty=/dev/ftpdxxxxxx ruser=xxxxxx rhost=xxx.xxx.xxx.xxx user=xxxxxx: x Time(s) ---------------------- pam_unix End ------------------------- --------------------- Postfix Begin ------------------------ xx Miscellaneous warnings x.xxxK Bytes accepted x,xxx x.xxxK Bytes delivered x,xxx ======== ================================================== xx Accepted xx.xx% xx Rejected xx.xx% -------- -------------------------------------------------- xx Total 100.00% ======== ================================================== xx 5xx Reject relay denied xx.xx% xx 5xx Reject unknown user xx.xx% -------- -------------------------------------------------- xx Total 5xx Rejects 100.00% ======== ================================================== xx Connections xx Connections lost (inbound) xx Disconnections xx Removed from queue xx Delivered ---------------------- Postfix End ------------------------- --------------------- xxxxftpd-messages Begin ----------------------- **Unmatched Entries** pam_unix(xxxxftpd:session): session opened for user xxxxxxxx by (uid=x) pam_unix(xxxxftpd:session): session closed for user xxxxxxxx ---------------------- xxxxftpd-messages End ------------------------ --------------------- sasl auth daemon Begin ------------------------ SASL Authentications failed xx Time(s) Service smtp (pam) - xx Time(s): Realm domain.com - xx Time(s): User: account@domain.com - PAM auth error - xx Time(s): ... ---------------------- sasl auth daemon End ------------------------- --------------------- SSHD Begin ------------------------ Users logging in through sshd: xxxxxxxx: xx.xx.xx.xx (xx-xx-xx-xx.xxx.fai.com): 2 times ---------------------- SSHD End ------------------------- --------------------- Syslog-ng Begin ------------------------ Syslog-ng reloaded: x Time(s) ---------------------- Syslog-ng End ------------------------- --------------------- Disk Space Begin ------------------------ Filesystem Size Used Avail Use% Mounted on /dev/xxxx xxG x.xG xxG xx% / ---------------------- Disk Space End ------------------------- ###################### Logwatch End #########################
If you don't receive the mail of Logwatch (eg because of a problem with your e-mail server), you can start Logwatch manually by entering this command :
Note : Wait a few seconds while Logwatch generates and send the report by e-mail.
Bash
/etc/cron.daily/00logwatch
Linux 2/25/2015
Linux 12/31/2016
Linux 10/2/2016
Linux 7/24/2015
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment