LinuxEye - Linux System Tutorials


An introduction to LogWatch

Date: 2013-07-07 21:56  Source: unknown  Editor: linuxeye
When maintaining a Linux server you regularly need to read the logs of the various services on the system to check how the server is running: login history, mail, package installation and so on. Going through them one by one is tedious for an administrator, and most of the time the check is reactive: you only think of reading the logs, to find out what went wrong, after you have noticed the system misbehaving. It therefore matters a great deal to analyse these logs proactively and centrally, produce a report, and send it to the administrator on a schedule. LogWatch provides exactly that.

This article covers basic use of LogWatch; for a fuller treatment see Logwatch — a syslog analyzer written in Perl.
Installation and configuration
OS kernel
[root@dev ~]# uname -a
Linux dev.egolife.com 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 13:35:02 PST 2013 x86_64 x86_64 x86_64 GNU/Linux
yum install
[root@dev ~]# yum install -y logwatch
... ...
================================================================
Installing:
 logwatch            noarch   7.3.6-49.el6     base       297 k
Installing for dependencies:
 perl-Date-Manip     noarch   6.24-1.el6       base       1.3 M
 perl-YAML-Syck      x86_64   1.07-4.el6       base       75 k
... ...
Installing logwatch pulls in the dependencies perl-Date-Manip and perl-YAML-Syck.

First use
1. Command help
[root@dev ~]# logwatch --help

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>]
   [--print] [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
   [--save <filename>] [--help] [--version] [--service <name>]
   [--numeric] [--output <output_type>]
   [--splithosts] [--multiemail] [--no-oldfiles-log]

--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--print: Display report to stdout.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--save <filename>: Save to <filename>.
--range <range>: Date range: Yesterday, Today, All, Help
                             where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
           (saves  a  nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--splithosts: Create a report for each host in syslog.
--multiemail: Send each host report in a separate email.  Ignored if 
              not using --splithosts.
--output <output type>: Report Format - mail, html or unformatted#.
--encode: Use base64 encoding on output mail.
--no-oldfiles-log: Suppress the logwatch log, which informs about the
                   old files in logwatch tmpdir.
--version: Displays current version.
--help: This message.
* = Switch can be specified multiple times...
The help text already shows the whole working principle of LogWatch: it first needs to know which service it is dealing with; from that service definition it learns which log files to process; the contents of those files are handed to a filter script; and the formatted result of that script is what gets displayed.
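To make that pipeline concrete, here is an added example of a minimal sshd filter script in the shape LogWatch expects. It is not LogWatch's own /usr/share/logwatch/scripts/services/sshd (the shipped service scripts are written in Perl; this one uses sh and awk so it is self-contained). LogWatch selects the log file and the date range, feeds the matching lines to the service script on stdin, and wraps whatever the script prints in the "SSHD Begin/End" banner seen in the report above; the script's only job is to turn raw lines into the counted summary. The LOGWATCH_DETAIL_LEVEL variable is what LogWatch exports to service scripts; the choice to show successful logins only at detail level 5 or higher, and the sample log lines, are this example's own.

```shell
#!/bin/sh
# Added example, not LogWatch's shipped sshd script: a filter in the shape LogWatch
# expects. Log lines arrive on stdin; the summary goes to stdout; LogWatch adds the banner.

sshd_filter() {
    # LogWatch exports LOGWATCH_DETAIL_LEVEL to service scripts; default to 0 when run by hand.
    awk -v detail="${LOGWATCH_DETAIL_LEVEL:-0}" '
        # Print one report section: a title, then "key: count unit" per entry; skipped when empty.
        function section(title, arr, unit,   k, n) {
            for (k in arr) n++
            if (!n) return
            print " " title ":"
            for (k in arr) printf "    %s: %d %s\n", k, arr[k], unit
            print ""
        }
        # Password failures, counted per source address (valid and invalid users alike)
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
            next
        }
        # Successful logins, counted per user@source
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") src = $(i+1)
            }
            accepted[user "@" src]++
            next
        }
        # Disconnect reasons sent by the client
        /sshd\[[0-9]+\]: Received disconnect from/ {
            sub(/^.*Received disconnect from [^:]*: /, "")
            disconnect[$0]++
            next
        }
        # Everything else is listed verbatim, so a new message type is never silently dropped
        {
            sub(/^.*sshd\[[0-9]+\]: /, "")
            unmatched[$0]++
        }
        END {
            section("Failed logins from", failed, "times")
            # Showing successful logins only at detail >= 5 is this example'"'"'s own choice
            if (detail >= 5) section("Users logging in through sshd", accepted, "time(s)")
            section("Received disconnect", disconnect, "Time(s)")
            section("**Unmatched Entries**", unmatched, "time(s)")
        }
    '
}

# Constructed syslog lines in the format sshd writes to /var/log/secure (not from any real host)
SAMPLE_LOG='Jun 20 08:12:01 dev sshd[1234]: Failed password for invalid user admin from 172.29.73.125 port 51234 ssh2
Jun 20 08:12:05 dev sshd[1234]: Failed password for root from 172.29.73.125 port 51235 ssh2
Jun 20 08:15:42 dev sshd[1300]: Accepted publickey for deploy from 10.0.0.7 port 40000 ssh2
Jun 20 09:01:13 dev sshd[1401]: Failed password for invalid user test from 203.0.113.9 port 60000 ssh2
Jun 20 09:02:00 dev sshd[1401]: Received disconnect from 203.0.113.9: 13: Authentication cancelled by user
Jun 20 09:10:30 dev sshd[1402]: userauth_pubkey: unsupported public key algorithm: x509v3-sign-rsa'

# Run the filter over the sample the way LogWatch would pipe a day of sshd lines into it
printf '%s\n' "$SAMPLE_LOG" | sshd_filter
```

Run it as-is to see the counted summary for the constructed lines, or with LOGWATCH_DETAIL_LEVEL=5 to also get the successful logins; the "Unmatched Entries" section is the safety net that makes a filter script trustworthy, because any message the rules do not recognise still reaches the report instead of being lost.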

2. Showing the SSH login history
[root@dev ~]# logwatch --service sshd --print

 ################### Logwatch 7.3.6 (05/19/07) #################### 
        Processing Initiated: Fri Jun 21 08:47:19 2013
        Date Range Processed: yesterday
                              ( 2013-Jun-20 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: dev.egolife.com
  ################################################################## 

 --------------------- SSHD Begin ------------------------ 

 Failed logins from:
    172.29.73.125: 2 times


 Received disconnect:
    13: Authentication cancelled by user. : 2 Time(s)

 **Unmatched Entries**
 userauth_pubkey: unsupported public key algorithm: x509v3-sign-rsa : 2 time(s)

 ---------------------- SSHD End ------------------------- 


 ###################### Logwatch End #########################
Configuration
The main files in the logwatch package:
[root@dev ~]# rpm -ql logwatch
/etc/cron.daily/0logwatch                   
/etc/logwatch                               
/etc/logwatch/conf
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logfiles
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/etc/logwatch/conf/services
/etc/logwatch/scripts
/etc/logwatch/scripts/services
/usr/sbin/logwatch
/usr/share/doc/logwatch-7.3.6
... ...
/var/cache/logwatch
This listing shows that logwatch runs as a cron job, by default from /etc/cron.daily, i.e. once a day:
[root@dev ~]# cat /etc/cron.daily/0logwatch 
#!/bin/bash

DailyReport=`grep -e "^[[:space:]]*DailyReport[[:space:]]*=[[:space:]]*" /usr/share/logwatch/default.conf/logwatch.conf | head -n1 | sed -e "s|^\s*DailyReport\s*=\s*||"`

if [ "$DailyReport" != "No" ] && [ "$DailyReport" != "no" ]
then
    logwatch
fi
Main configuration files
[root@dev ~]# tree /etc/logwatch/
/etc/logwatch/
├── conf
│   ├── ignore.conf
│   ├── logfiles
│   ├── logwatch.conf     
│   ├── override.conf
│   └── services
└── scripts
    └── services

5 directories, 3 files
  • logwatch.conf: custom main LogWatch settings such as the report time range, detail level and recipient; the defaults live in /usr/share/logwatch/default.conf/logwatch.conf.
  • ignore.conf: filter settings; regular expressions whose matches are removed from the output report.
  • override.conf: overrides or rewrites settings for the custom services under /etc/logwatch/conf/services.
  • conf/services: directory for custom definitions of the services to analyse; the services supported by default are under /usr/share/logwatch/default.conf/services.
  • logfiles: defines the log file paths of the services to analyse; the default definitions are under /usr/share/logwatch/default.conf/logfiles/.
  • scripts/services: the filter scripts that run for each service.

Email notification

[root@dev ~]# less /usr/share/logwatch/default.conf/logwatch.conf
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
MailTo = root
By default LogWatch sends the report to the local root user, so to read it you have to log in to the server and use the mail command.

Alternatively the report can be sent to an external mailbox such as sa.logwatch@gmail.com. That requires a basic mail service on the server, such as Postfix or Sendmail; then either edit /etc/logwatch/conf/logwatch.conf to override MailTo, or define an alias in /etc/aliases that makes root an alias for sa.logwatch@gmail.com. LogWatch will then deliver the report to sa.logwatch@gmail.com and you can read it without logging in to the server.
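The configuration file list above and the MailTo override just described both rely on the same precedence rule: the shipped defaults in /usr/share/logwatch/default.conf apply unless /etc/logwatch/conf defines the same key, and ignore.conf prunes lines from the finished report. The added example below (not LogWatch's own code) re-reads those files with the same grep/sed idiom the cron job in /etc/cron.daily/0logwatch uses, so you can confirm the effective MailTo and Detail before waiting for tomorrow's mail, and see what an ignore.conf pattern removes. One caveat visible in that cron script: it reads DailyReport only from the shipped default.conf file, so that one knob cannot be overridden from /etc/logwatch/conf. The directory paths are parameters, and the demo at the bottom writes constructed copies of the files into a temporary directory rather than touching the root-owned originals; the config keys used (MailTo, Detail, Range) are real LogWatch settings, the values are made up.

```shell
#!/bin/sh
# Added example, not LogWatch's own code: resolve effective settings (local override
# beats shipped default) and apply ignore.conf to a report. Paths are parameters so the
# demo can run against constructed copies instead of the live /etc and /usr/share trees.

DEFAULT_CONF_DIR="${DEFAULT_CONF_DIR:-/usr/share/logwatch/default.conf}"
LOCAL_CONF_DIR="${LOCAL_CONF_DIR:-/etc/logwatch/conf}"

# conf_value KEY FILE: value of the first "KEY = value" line, same grep/sed idiom as 0logwatch.
conf_value() {
    [ -r "$2" ] || return 0
    grep -e "^[[:space:]]*$1[[:space:]]*=" "$2" | head -n1 |
        sed -e "s|^[[:space:]]*$1[[:space:]]*=[[:space:]]*||" -e 's|[[:space:]]*$||'
}

# effective_setting KEY: the local override if it defines KEY, otherwise the shipped default.
effective_setting() {
    v=$(conf_value "$1" "$LOCAL_CONF_DIR/logwatch.conf")
    [ -n "$v" ] || v=$(conf_value "$1" "$DEFAULT_CONF_DIR/logwatch.conf")
    printf '%s\n' "$v"
}

# apply_ignore IGNORE_FILE: read a report on stdin and drop every line matching a
# pattern in the file; comment and blank lines in the file are not patterns.
apply_ignore() {
    pat=$(mktemp)
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" > "$pat" 2>/dev/null || true
    grep -v -E -f "$pat" || [ $? -eq 1 ]   # exit status 1 only means every line was dropped
    rm -f "$pat"
}

# --- demo against constructed config trees (the real ones are root-owned) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/default" "$demo/local"
cat > "$demo/default/logwatch.conf" <<'EOF'
# constructed excerpt of the shipped defaults
MailTo = root
Detail = Low
Range = yesterday
EOF
cat > "$demo/local/logwatch.conf" <<'EOF'
# constructed host override: mail the report off-box (needs a working MTA) at medium detail
MailTo = sa.logwatch@gmail.com
Detail = Med
EOF
cat > "$demo/local/ignore.conf" <<'EOF'
# drop the pubkey-algorithm notice that showed up under **Unmatched Entries**
userauth_pubkey: unsupported public key algorithm
EOF
DEFAULT_CONF_DIR="$demo/default"
LOCAL_CONF_DIR="$demo/local"

for key in MailTo Detail Range; do
    printf '%-7s = %s\n' "$key" "$(effective_setting "$key")"
done
printf '%s\n' ' **Unmatched Entries**' \
    '    userauth_pubkey: unsupported public key algorithm: x509v3-sign-rsa : 2 time(s)' \
    ' Failed logins from:' '    172.29.73.125: 2 times' |
    apply_ignore "$LOCAL_CONF_DIR/ignore.conf"
```

Run against the real trees by leaving DEFAULT_CONF_DIR and LOCAL_CONF_DIR unset and calling effective_setting MailTo, which tells you where the next daily report will actually go; Range falls through to the shipped "yesterday" because the override does not mention it, while MailTo and Detail come from the override.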

Summary
Once installed, LogWatch works with virtually no configuration and achieves the goal set out at the start: proactive, centralised analysis of the system logs, producing a report and sending it to the administrator on a schedule.

Please keep this permanent link when reposting: https://linuxeye.com/Linux/LogWatch.html
