Linux Configure Logwatch on the Central Log Server

I'm using Logwatch for reporting on unusual items in syslog. I have a central log server up and running. All other Linux servers send logs to a remote loghost called log.example.com. How do I configure Logwatch on the central log server so that it will send the daily log messages in a single e-mail?

Logwatch is a system log analyzer and reporter. It goes through your logs for a given period of time and makes a report on the areas you choose, with the level of detail you choose.


Logwatch is used on Linux and many types of UNIX. It separates entries by hostname if you set SplitHosts to yes. Make sure the MultiEmail option is set to no so that a single e-mail message is sent.

Step #1: Configure Logwatch On The Central Log Server

You need to edit the /etc/logwatch/conf/logwatch.conf file on the central log server. Edit the file using the vi text editor, enter:
# vi /etc/logwatch/conf/logwatch.conf
Update / add settings as follows:

SplitHosts = yes
HostLimit = no
MultiEmail = no

Step #2: Disable Logwatch On Other Servers

Now you have a central log server that has been configured to report on logs received from all systems. You need to disable the logwatch cron job on all other boxes:
# mv /etc/cron.daily/0logwatch /path/to/backup
Alternatively, you can simply remove the logwatch package:
# rpm -e logwatch
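
The Step #1 edit can also be applied and checked from a script, which helps when the file already holds conflicting or duplicate entries. The following is an added example, not part of the original article; the function names are hypothetical, and matching option names case-insensitively is a precaution chosen here, not a statement about Logwatch's own parser.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# get_opt FILE KEY: print the last active "KEY = value" setting, if any.
get_opt() {
    awk -v k="$2" 'BEGIN { lk = tolower(k) }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        pos = index(line, "="); if (!pos) next
        name = substr(line, 1, pos - 1); sub(/[ \t]+$/, "", name)
        if (tolower(name) != lk) next
        found = substr(line, pos + 1); gsub(/^[ \t]+|[ \t]+$/, "", found)
    }
    END { print found }' "$1"
}

# set_opt FILE KEY VALUE: rewrite the first active KEY line, drop later
# duplicates, append the setting if absent. Commented lines are kept.
set_opt() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" 'BEGIN { lk = tolower(k) }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        pos = index(line, "=")
        name = pos ? substr(line, 1, pos - 1) : ""; sub(/[ \t]+$/, "", name)
        if (pos && tolower(name) == lk) {
            if (!done) { print k " = " v; done = 1 }
            next
        }
        print
    }
    END { if (!done) print k " = " v }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"   # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_central FILE: the three settings from Step #1.
apply_central() {
    set_opt "$1" SplitHosts yes &&
    set_opt "$1" HostLimit no &&
    set_opt "$1" MultiEmail no
}

# Usage: pass the config path, e.g. /etc/logwatch/conf/logwatch.conf
if [ -n "${1:-}" ]; then apply_central "$1"; fi
```

Running it a second time leaves the file unchanged, so it is safe to call from configuration management.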

4 comments
  • Nate Dec 8, 2009 @ 4:49

    How does this work under Debian, I can’t tell which config file to use?

  • Yogesh Jun 18, 2010 @ 12:37

    A small note:-
    Service = -zz-disk_space
    The Service directive -zz-disk_space option in /etc/logwatch/conf/logwatch.conf tells Logwatch not to run the zz-disk space report, which reports on free disk space. Since all log monitoring is being done on the central logserver, the disk space listing will always be that of the logserver, regardless of which host is being monitored. This is confusing, so disable that service. Note that this does mean that Logwatch will not monitor disk usage information. Many workarounds are possible, such as running df on each host daily via cron and sending the output to syslog so that it will be reported to the logserver.

  • Fred Phillister Sep 27, 2010 @ 22:27

    One thing that bugs me about logwatch is that by default it is enabled and is always chock full of useless information. It is essentially a daily “everything is OK” alarm and as such, it ends up being ignored/unread most of the time. Figuring out which parts of it are “interesting” or “of concern” is not entirely transparent and as such, reading it is a pain, and configuring it is as well.

  • Nathan Aug 28, 2017 @ 9:16

    Is there a way to get logwatch to send individual mails for every service?
