Reading logs is among the most important administrative tasks that need to be performed on a regular basis. Modern systems run an ever-growing collection of server software, each component producing its own logs, which makes it increasingly hard to stay on top of logfiles. That is where log-monitoring tools come in handy: they cut down the logfile cruft and reveal the real security gems.
By applying filters to your logfiles, log-monitoring tools condense huge amounts of raw log data into human-readable reports. These reports can be emailed automatically on a daily basis, and they provide a good summary of the most important events that happened on that given day.
One of the most widely used log-monitoring tools is Logwatch, which ships with many popular Linux distributions, including Fedora Core.
Starting with Logwatch version 7.0, parsers can be configured locally with files located under /etc/logwatch/conf. Settings placed there override the packaged defaults under /usr/share/logwatch/default.conf, so the default files themselves never need to be edited.
For example, by default the iptables Logwatch parser does not resolve IP addresses to hostnames. Resolution is controlled by a variable in the parser's configuration file, so all you have to do to change the default behavior is copy iptables.conf to the local configuration directory and adjust the variable in that copy. Keep in mind that with lookups enabled, Logwatch performs reverse DNS queries on the logged source addresses while building the report: this slows report generation, and the names shown are whatever the owner of that address space publishes in its PTR records, so treat them as labels rather than as identification. First copy the file:
[emoret@simca-1000 ~]$ sudo cp /usr/share/logwatch/default.conf/services/iptables.conf /etc/logwatch/conf/services/
Then edit the newly copied file and change the $iptables_ip_lookup variable value from No to Yes. Verify the change by running:
[emoret@simca-1000 ~]$ sudo logwatch --service iptables --range all --print
################### Logwatch 7.2.1 (01/18/06) ####################
Processing Initiated: Fri Jul 28 18:39:07 2006
Date Range Processed: all
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: simca-1000.secteam.juniper.net
##################################################################
--------------------- iptables firewall Begin ------------------------
Denied 231 packets on interface eth0
From 10.157.12.33 - 5 packets to udp(5353)
From 10.157.12.51 (sec1-1.secteam.juniper.net) - 88 packets to udp(138)
From 10.157.12.98 (simca-1000.secteam.juniper.net) - 138 packets to udp(5353) tcp(80)
---------------------- iptables firewall End -------------------------
###################### Logwatch End #########################
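The copy-then-override procedure above, scripted as an added example (this is not code from the original text or from the Logwatch project). It assumes the Logwatch 7.x layout, with packaged defaults under /usr/share/logwatch/default.conf/services and local overrides under /etc/logwatch/conf/services; both directories are passed as parameters so the functions can be exercised against a scratch copy, and the real system paths are touched only when the script is run with --apply. The function names and the sample iptables.conf content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original text): script the "copy the default,
# then override locally" step for the Logwatch iptables parser.
# Assumptions (Logwatch >= 7.0 layout): packaged defaults live in
# /usr/share/logwatch/default.conf/services, local overrides in
# /etc/logwatch/conf/services. The packaged default is never modified.
set -eu

DEFAULT_SERVICES=/usr/share/logwatch/default.conf/services
LOCAL_SERVICES=/etc/logwatch/conf/services

# Print the value of $iptables_ip_lookup set in FILE (last assignment wins;
# empty output if the variable is not set in that file). A trailing comment
# after the value is ignored.
iptables_ip_lookup_value() {
    sed -n 's/^[[:space:]]*\$iptables_ip_lookup[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" \
        | tail -n 1
}

# enable_iptables_ip_lookup DEFAULT_DIR LOCAL_DIR
# Copy iptables.conf into LOCAL_DIR unless a local override already exists
# (so hand-made changes there survive), then flip "No" to "Yes" in the local
# copy only. Exit status is non-zero if the option does not read Yes after.
enable_iptables_ip_lookup() {
    src="$1/iptables.conf"
    dst="$2/iptables.conf"
    mkdir -p "$2"
    [ -f "$dst" ] || cp "$src" "$dst"
    tmp="$dst.tmp.$$"
    # Two expressions so "No" is only replaced as a whole word: at end of
    # line, or followed by whitespace / a comment. Writing to a temp file
    # and renaming avoids GNU-only "sed -i" and never leaves the config
    # half-written if sed fails.
    sed -e 's/^\([[:space:]]*\$iptables_ip_lookup[[:space:]]*=[[:space:]]*\)[Nn][Oo]$/\1Yes/' \
        -e 's/^\([[:space:]]*\$iptables_ip_lookup[[:space:]]*=[[:space:]]*\)[Nn][Oo]\([[:space:]#]\)/\1Yes\2/' \
        "$dst" > "$tmp"
    mv "$tmp" "$dst"
    [ "$(iptables_ip_lookup_value "$dst")" = Yes ]
}

# demo: run the whole procedure against a constructed default config in a
# scratch directory and print the resulting value from the local copy.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/default"
    # Constructed stand-in for the packaged iptables.conf (not the real file).
    printf '%s\n' '# iptables parser defaults (constructed sample)' \
        '$iptables_ip_lookup = No' \
        '# (other options omitted)' > "$scratch/default/iptables.conf"
    enable_iptables_ip_lookup "$scratch/default" "$scratch/local"
    iptables_ip_lookup_value "$scratch/local/iptables.conf"
    rm -rf "$scratch"
}

if [ "${1:-}" = --apply ]; then
    enable_iptables_ip_lookup "$DEFAULT_SERVICES" "$LOCAL_SERVICES"
    # With lookups on, resolved names appear in parentheses after each address.
    logwatch --service iptables --range all --print
fi
```

Run it as root with --apply to change the live configuration; without arguments it defines the functions only, so it can be sourced and tried against a scratch directory first. Because the local copy is created only when absent, re-running the script does not clobber other overrides you may have added to /etc/logwatch/conf/services/iptables.conf.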