Installing LogWatch (on a Dedicated Server)
From the LogWatch website: “Logwatch is a customizable log analysis system. Logwatch parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is easy to use and will work right out of the package on most systems.”
How can you install Logwatch 5.0?
Log into your server by using SSH
* Change to the root user
su - root
* Download the RPM for the installation (here: version 5.2.2)
wget ftp://ftp.kaybee.org/pub/redhat/RPM….2-1.noarch.rpm
* Now let’s install the rpm we just downloaded …
* The command “rpm -Uvh” upgrades your current installation of Logwatch or, if Logwatch is not installed yet, installs it for you.
rpm -Uvh logwatch-5.2.2-1.noarch.rpm
* Now delete the RPM file to free the disk space
rm -f logwatch-5.2.2-1.noarch.rpm
******************************
* You now have logwatch installed on your server
By default, Logwatch is run by a daily cron job, so you receive the Logwatch email every day.
How can you customize logwatch to your needs:
# Login as root and open the configuration file.
pico -w /etc/log.d/conf/logwatch.conf
# Scroll down within the file and find the part called “MailTo”. This is where you specify where you want the logs mailed to. By default it is set to root. We suggest setting this to an email address you check regularly. Also, you may want to send it to an email address that’s not hosted on the server (just in case the server itself is compromised or down).
——————————————————————————–
MailTo = logwatch@yourdomain.com, logwatch@off-site-domain.com
——————————————————————————–
# Now set the amount of detail you want reported by Logwatch
Use CTRL-W to search the file, then type Detail… hit the “Enter” key.
You will see something similar to this:
——————————————————————————-
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
——————————————————————————–
# Save and exit
CTRL-X… Y
We suggest setting the detail to High, as it will send you more information. You can then look at everything and decide whether it is too much information or meets your needs. Take some time to understand the logs, and take some time every day to monitor them.
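The MailTo and Detail steps above are done by hand in pico; the script below is an added example (not from the original post) that makes the same two changes non-interactively and reads them back, which is handy when you manage more than one server. It works on a constructed copy of the config snippet quoted above; the real file, as the post says, is /etc/log.d/conf/logwatch.conf, and the only assumption is the “Key = value” syntax shown there.

```shell
#!/bin/sh
# Added example, not from the original post: set MailTo and Detail in a
# Logwatch-style "Key = value" config file non-interactively, then read the
# values back to confirm the change. It works on a constructed copy here;
# the real file, per the post, is /etc/log.d/conf/logwatch.conf.
set -eu

# set_conf_value FILE KEY VALUE
# Replace the existing "KEY = ..." line (ignoring surrounding spaces) or
# append one if the key is missing. Writes through a temp file rather than
# "sed -i" so it behaves the same on GNU and BSD sed.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "${file}.tmp"
        mv "${file}.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value KEY FILE -> prints the value of the first matching line,
# or nothing if the key is absent.
get_conf_value() {
    sed -n "s|^[[:space:]]*${1}[[:space:]]*=[[:space:]]*||p" "$2" | head -n 1
}

# Constructed sample config mirroring the snippet quoted in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Default person to mail reports to.
MailTo = root
# The default detail level for the report.
# This can either be Low, Med, High or a number.
Detail = Low
EOF

# On-server plus off-site copy, as the post recommends; the addresses are
# the post's own placeholders.
set_conf_value "$SAMPLE_CONF" MailTo "logwatch@yourdomain.com, logwatch@off-site-domain.com"
set_conf_value "$SAMPLE_CONF" Detail High

echo "MailTo is now: $(get_conf_value MailTo "$SAMPLE_CONF")"
echo "Detail is now: $(get_conf_value Detail "$SAMPLE_CONF")"
```

To apply it to the live file, point set_conf_value at /etc/log.d/conf/logwatch.conf as root and then check the next morning's email arrives at both addresses; if the off-site address never receives anything, the report is not really off-box.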
What can you see in the logs emailed to you? Here is an example of attempted SSH logins to our server:
Failed logins from these:
admin/password from 130.120.81.14: 2 Time(s)
guest/password from 130.120.81.14: 1 Time(s)
root/password from 130.120.81.14: 3 Time(s)
test/password from 130.120.81.14: 2 Time(s)
user/password from 130.120.81.14: 1 Time(s)
Illegal users from these:
admin/none from 130.120.81.14: 2 Time(s)
admin/password from 130.120.81.14: 2 Time(s)
guest/none from 130.120.81.14: 1 Time(s)
guest/password from 130.120.81.14: 1 Time(s)
test/none from 130.120.81.14: 2 Time(s)
test/password from 130.120.81.14: 2 Time(s)
user/none from 130.120.81.14: 1 Time(s)
user/password from 130.120.81.14: 1 Time(s)
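Logwatch reports one line per user/password combination, so a busy address is spread over many lines. The script below is an added example (not from the original post) that totals the “Failed logins” and “Illegal users” sections per source address and lists any host above a threshold, which is the view you actually want when deciding whether something needs attention. The sample report is constructed in the layout shown above: 130.120.81.14 is the address from the post, and 192.0.2.10 is an added documentation-range address so the sorting is visible.

```shell
#!/bin/sh
# Added example, not from the original post: aggregate the per-user lines of
# an emailed Logwatch SSH section ("Failed logins" / "Illegal users") into a
# total per source address, so a reviewer spots the noisiest hosts at once.
set -eu

# summarize_section "HEADER" < report
# Prints "IP TOTAL" for every source address in the named section, highest
# total first. Data lines look like: "admin/password from 130.120.81.14: 2 Time(s)"
summarize_section() {
    awk -v want="$1" '
        # A "... from these:" line starts a new section; keep only the wanted one.
        /^[A-Za-z ]+ from these:$/ { in_section = ($0 == want); next }
        in_section && $2 == "from" && $5 == "Time(s)" {
            ip = $3
            sub(/:$/, "", ip)        # strip the trailing colon after the address
            total[ip] += $4
        }
        END { for (ip in total) print ip, total[ip] }
    ' | sort -k2,2nr
}

# Constructed sample report in the layout shown in the post. 130.120.81.14 is
# the address from the post; 192.0.2.10 is an added documentation-range address.
SAMPLE_REPORT='Failed logins from these:
admin/password from 130.120.81.14: 2 Time(s)
guest/password from 130.120.81.14: 1 Time(s)
root/password from 130.120.81.14: 3 Time(s)
test/password from 130.120.81.14: 2 Time(s)
user/password from 130.120.81.14: 1 Time(s)
root/password from 192.0.2.10: 4 Time(s)
Illegal users from these:
admin/none from 130.120.81.14: 2 Time(s)
admin/password from 130.120.81.14: 2 Time(s)
guest/none from 130.120.81.14: 1 Time(s)
guest/password from 130.120.81.14: 1 Time(s)
test/none from 130.120.81.14: 2 Time(s)
test/password from 130.120.81.14: 2 Time(s)
user/none from 130.120.81.14: 1 Time(s)
user/password from 130.120.81.14: 1 Time(s)'

failed_logins_summary() {
    printf '%s\n' "$SAMPLE_REPORT" | summarize_section "Failed logins from these:"
}

illegal_users_summary() {
    printf '%s\n' "$SAMPLE_REPORT" | summarize_section "Illegal users from these:"
}

# hosts_over_threshold N: addresses whose failed-login total exceeds N.
hosts_over_threshold() {
    failed_logins_summary | awk -v n="$1" '$2 > n { print $1 }'
}

echo "Failed logins per host:";  failed_logins_summary
echo "Illegal users per host:";  illegal_users_summary
echo "Hosts with more than 5 failed logins:"; hosts_over_threshold 5
```

To run it against a real report, replace the SAMPLE_REPORT block with the saved email body (or pipe the mail through summarize_section directly). Two things to keep in mind when reading the totals: the “Illegal users” section lists names that do not exist on the server, so every entry there is a guess rather than a user who mistyped a password, and Logwatch only summarizes what is in the logs for the reporting range, so a quiet report is not proof that nothing happened.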
Standard Disclaimers:
I. Use these utilities at your own risk
II. I assume no responsibility whatsoever for the consequences of your actions
III. Your mileage may vary
IV. These instructions are for RedHat Linux and CPanel only