Configuring Logwatch
Monitor areas of interest in the system logs with Logwatch.
After you install the logwatch package, the /etc/cron.daily/0logwatch script runs every night and sends an email report to the root user.
You can set local configuration options in the /etc/logwatch/conf/logwatch.conf file, and those settings override any in the main configuration file /usr/share/logwatch/default.conf/logwatch.conf, including the following:
- Log files to monitor, including log files that are stored for other hosts.
- Names of the services to monitor, or services to be excluded from monitoring.
- Level of detail to report.
- User who receives the emailed reports.
Configuring Logwatch on a log server to monitor the system logs for suspicious messages, and disabling Logwatch on individual log clients, is considered good practice.
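The following sample local override file is an added example, not part of the original documentation. The mail address, the excluded services, and the chosen values are assumptions for a central log server; adjust them to the site.

```conf
# /etc/logwatch/conf/logwatch.conf
# Local overrides. Anything not set here keeps the value from
# /usr/share/logwatch/default.conf/logwatch.conf.

# Directory that holds the log files to process.
LogDir = /var/log

# Deliver the report by mail rather than printing it to stdout.
Output = mail

# Recipient of the nightly report (constructed address, replace it).
MailTo = secops@example.com

# Period covered by each report.
Range = yesterday

# Level of detail: Low, Med, or High.
Detail = Med

# Report on every service that has a Logwatch script ...
Service = All
# ... except the ones prefixed with "-" (sample exclusions).
Service = "-zz-network"
Service = "-eximstats"
```

To preview the result without waiting for the nightly cron job, run logwatch from the command line with --output stdout, which prints the report instead of mailing it.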
You can disable high-precision timestamps to improve readability by adding the following entry to the GLOBAL DIRECTIVES section of the /etc/rsyslog.conf file on each system:
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
You can also run logwatch directly from the command line.
For more information, see the logwatch(8) manual page.