Logwatch: Powerful System Log Analyzer and Reporter for Linux

If you are a system administrator, you probably know the importance of log files, as well as the pain of analysing them, especially on a busy server. Luckily there are tools that make life easier, and one of them is Logwatch, a command-line tool for analysing and reporting on logs in Linux.

In this article, we will discuss the basics of this tool, along with the features it provides.

Note: All the examples discussed in this article were tested on Ubuntu 14.04 with GNU bash, version 4.3.11(1). Logwatch is available for most Linux distros, though.

The Logwatch package is found in the repositories of most Linux distros and can be installed with one of the following commands.

Ubuntu or Debian-based distros:

sudo apt-get install logwatch

or

sudo yum install logwatch

for CentOS, Fedora, or Red Hat-based distros.

You can also install it from source from its official project page.

Logwatch is basically aimed at helping with system log management. It can go through your logs for a given period of time and produce a report covering the areas you choose, at the level of detail you choose. Here are some examples explaining its usage:

By default, the Logwatch tool analyses and reports logs related to a wide range of services. For example, here is the output when the command was run without any options:

[Screenshot: logwatch-basic]

As you can see, the output information is large and is not convenient enough to be viewed on the terminal screen. So, it’s best you redirect it to a text file for easy viewing.

[Screenshot: logwatch-output]

The screenshot above should give you an idea of the kind of report Logwatch creates. The header at the top summarises the command’s default configuration. For example, the “Processing Initiated” field contains the date and time when the command was executed, the “Date Range Processed” field contains the time period of the logs analysed, the “Detail Level of Output” field contains the detail level of the report, and the last two fields contain the output format and the local host.

After all this information, the actual report begins, wherein logs are segregated on the basis of services. For example, the first service here is dpkg status, followed by Kernel, pam_unix, Connections, sudo, and more.
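To show what the header fields and per-service blocks described above look like once parsed, here is an added Python example (not code from the article or from the Logwatch project). It assumes the standard Logwatch text layout, a header of "Field: value" lines followed by one "Begin"/"End" delimited block per service, and runs on a constructed sample report, returning the header values, each service's lines and the per-service totals of the "N Time(s)" counters.

```python
import re

# Constructed sample in the layout of a Logwatch text report: a header block,
# then one "Begin"/"End" delimited block per service. All values are made up.
SAMPLE_REPORT = """\
 ################### Logwatch 7.4.0 (01/30/11) ####################
        Processing Initiated: Mon Mar  2 06:25:01 2015
        Date Range Processed: yesterday
      Detail Level of Output: 0
              Type of Output/Format: stdout / text
           Logfiles for Host: example-host
 ##################################################################
 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (203.0.113.7): 3 Time(s)
 ---------------------- pam_unix End -------------------------
 --------------------- sudo (secure-log) Begin ------------------------
 alice => root
 /bin/ls - 2 Time(s).
 ---------------------- sudo (secure-log) End -------------------------
"""

HEADER_RE = re.compile(r"^\s*([A-Za-z /]+?):\s+(.*?)\s*$")
BEGIN_RE = re.compile(r"^\s*-+\s+(.+?) Begin\s+-+\s*$")
END_RE = re.compile(r"^\s*-+\s+(.+?) End\s+-+\s*$")
TIMES_RE = re.compile(r"(\d+) Time\(s\)")


def parse_report(text):
    """Return (header, sections): header values keyed by field name, and each
    service's non-blank body lines keyed by the service name Logwatch prints."""
    header, sections, current, body = {}, {}, None, []
    for line in text.splitlines():
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:                            # start collecting a service block
            current, body = begin.group(1), []
        elif end and current == end.group(1):
            sections[current] = [l for l in body if l.strip()]
            current = None
        elif current is not None:            # inside a service block
            body.append(line.rstrip())
        elif (m := HEADER_RE.match(line)):   # header line outside any block
            header[m.group(1).strip()] = m.group(2)
    return header, sections


def event_counts(sections):
    """Sum the 'N Time(s)' counters Logwatch prints, per service."""
    return {svc: sum(int(n) for l in lines for n in TIMES_RE.findall(l))
            for svc, lines in sections.items()}
```

The per-service totals are a convenient thing to feed into a threshold alert, for example when authentication failures for a host jump between two daily reports.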

If you want, you can limit the command’s output to a particular service. This can be achieved by using the --service option. Here is an example:

[Screenshot: logwatch-select-service]

So you can see that the command produced a report specific to the pam_unix service only.

The command also allows you to specify the detail level of the report using the --detail option. The argument to this option can be high, med, or low, which correspond to the integers 10, 5, and 0, respectively.

As is clear from the first example discussed in this article, the default detail level is 0. Here is the default output of the command for the Kernel service:

[Screenshot: logwatch-kernel]

and here is the output when the detail level was explicitly set to 10 or high:

[Screenshot: logwatch-kernel-2]

So you can see that as the detail level was increased from 0 to 10, the amount of information produced by the command also increased.

You can also specify a date range to process, so that the command only considers log entries from that period. This can be achieved by using the --range option. Common ranges are Yesterday, Today, and All. Here is an example:

[Screenshot: logwatch-range]

Logwatch is also capable of mailing the report to a particular email address. This can be achieved by using the --mailto option. Here is an example:

logwatch --service pam_unix --range all --detail high --mailto myemail@gmail.com

The command above sent the report to an email account. You should probably check your Spam folder for the email, as Gmail marked it as spam for my email account.

[Screenshot: logwatch-email]

For more information on Logwatch, go through the command’s man page.

If you’re looking for a command-line tool that can scan system log files and present the information in a human-readable form, try Logwatch. It can easily be considered one of the most helpful command-line tools for general-purpose log file parsing and filtering.