This article introduces the basic use of LogWatch; for more detail see Logwatch — a syslog analyzer written in Perl.

Installation and configuration

OS kernel:

```
[root@dev ~]# uname -a
Linux dev.egolife.com 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 13:35:02 PST 2013 x86_64 x86_64 x86_64 GNU/Linux
```

yum install:

```
[root@dev ~]# yum install -y logwatch
... ...
================================================================
Installing:
 logwatch           noarch   7.3.6-49.el6   base   297 k
Installing for dependencies:
 perl-Date-Manip    noarch   6.24-1.el6     base   1.3 M
 perl-YAML-Syck     x86_64   1.07-4.el6     base    75 k
... ...
```

Installing logwatch also pulls in its dependencies, perl-Date-Manip and perl-YAML-Syck.

First use

1. Command help

```
[root@dev ~]# logwatch --help

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--print]
   [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
   [--save <filename>] [--help] [--version] [--service <name>] [--numeric]
   [--output <output_type>] [--splithosts] [--multiemail] [--no-oldfiles-log]

--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--print: Display report to stdout.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--save <filename>: Save to <filename>.
--range <range>: Date range: Yesterday, Today, All, Help
                             where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
           (saves a nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--splithosts: Create a report for each host in syslog.
--multiemail: Send each host report in a separate email. Ignored if not using --splithosts.
--output <output type>: Report Format - mail, html or unformatted#.
--encode: Use base64 encoding on output mail.
--no-oldfiles-log: Suppress the logwatch log, which informs about the old files in logwatch tmpdir.
--version: Displays current version.
--help: This message.

* = Switch can be specified multiple times...
```

The help output shows how LogWatch works: it first needs to know which service to report on, obtains from that service definition the log files to process, hands those files to the filter scripts, and then presents the formatted result.

2. Display SSH login history

```
[root@dev ~]# logwatch --service sshd --print

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Fri Jun 21 08:47:19 2013
        Date Range Processed: yesterday
                              ( 2013-Jun-20 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: dev.egolife.com
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Failed logins from:
    172.29.73.125: 2 times

 Received disconnect:
    13: Authentication cancelled by user. : 2 Time(s)

 **Unmatched Entries**
 userauth_pubkey: unsupported public key algorithm: x509v3-sign-rsa : 2 time(s)

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################
```

Configuration

Look at the main files in the logwatch package:

```
[root@dev ~]# rpm -ql logwatch
/etc/cron.daily/0logwatch
/etc/logwatch
/etc/logwatch/conf
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logfiles
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/etc/logwatch/conf/services
/etc/logwatch/scripts
/etc/logwatch/scripts/services
/usr/sbin/logwatch
/usr/share/doc/logwatch-7.3.6
... ...
/var/cache/logwatch
```

This output shows that logwatch runs as a cron job: the script lives in /etc/cron.daily by default, so it runs once a day.

```
[root@dev ~]# cat /etc/cron.daily/0logwatch
#!/bin/bash

DailyReport=`grep -e "^[[:space:]]*DailyReport[[:space:]]*=[[:space:]]*" /usr/share/logwatch/default.conf/logwatch.conf | head -n1 | sed -e "s|^\s*DailyReport\s*=\s*||"`

if [ "$DailyReport" != "No" ] && [ "$DailyReport" != "no" ]
then
    logwatch
fi
```

Main configuration files:

```
[root@dev ~]# tree /etc/logwatch/
/etc/logwatch/
├── conf
│   ├── ignore.conf
│   ├── logfiles
│   ├── logwatch.conf
│   ├── override.conf
│   └── services
└── scripts
    └── services

5 directories, 3 files
```

Mail notification

```
[root@dev ~]# less /usr/share/logwatch/default.conf/logwatch.conf
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
MailTo = root
```

By default LogWatch mails the analysed log report to the local root user, so to read it you have to log in to the server and use the mail command. The report can also be sent to an external mailbox such as sa.logwatch@gmail.com. That requires a simple mail service on the server, such as Postfix or Sendmail, and then either editing /etc/logwatch/conf/logwatch.conf to override the MailTo setting, or defining an alias in /etc/aliases so that root is aliased to sa.logwatch@gmail.com. LogWatch will then deliver the report to sa.logwatch@gmail.com, and you can read it without logging in to the server.

Summary

Once installed, LogWatch needs essentially no configuration to proactively and centrally analyse the system logs, produce a report, and send it to the administrator on a schedule.

Reproduction must keep this permanent link: https://linuxeye.com/Linux/LogWatch.html
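Since the daily report lands in a mailbox as plain text, a small parser can turn the SSHD section shown in step 2 into an alert. The following is an added example, not code from the original article or from the Logwatch project; the sample report is constructed to match the unformatted layout above (the second source and its count are made up), and the regular expressions assume that "Failed logins from:" entries keep the "<addr>[ (<hostname>)]: <n> times" shape seen there.

```python
import re
from collections import Counter

# Constructed sample shaped like the unformatted SSHD section shown above;
# the second source and its count are made up for the threshold check.
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------

 Failed logins from:
    172.29.73.125: 2 times
    203.0.113.7 (scanner.example.test): 14 times

 ---------------------- SSHD End -------------------------
"""

RULER_RE = re.compile(r"^-+\s+(\S+) (Begin|End)\s+-+$")
# "<addr>[ (<hostname>)]: <n> times"; also tolerates the "Time(s)" spelling
FAILED_RE = re.compile(r"^(\S+)(?: \([^)]*\))?: (\d+) [Tt]ime(?:s|\(s\))?$")


def extract_section(report, name):
    """Return the stripped lines between the '<name> Begin' and '<name> End' rulers."""
    body, inside = [], False
    for line in (l.strip() for l in report.splitlines()):
        m = RULER_RE.match(line)
        if m and m.group(1) == name:
            if m.group(2) == "End":
                break
            inside = True
        elif inside:
            body.append(line)
    return body


def failed_logins(report):
    """Map each source listed under 'Failed logins from:' to its attempt count."""
    counts, in_block = Counter(), False
    for line in extract_section(report, "SSHD"):
        if line == "Failed logins from:":
            in_block = True
        elif in_block:
            m = FAILED_RE.match(line)
            if m is None:  # a blank line or the next heading closes the block
                in_block = False
            else:
                counts[m.group(1)] += int(m.group(2))
    return counts


def noisy_sources(report, threshold=10):
    """Sources whose failed-login count meets the alert threshold."""
    return {src: n for src, n in failed_logins(report).items() if n >= threshold}
```

Feeding the saved report (for example from `logwatch --service sshd --save <filename>`) into `noisy_sources` gives a list of sources worth investigating without reading the whole mail.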