Debian 11, Server, LogWatch for a daily aggregated log analysis
Whereas LogCheck works at a low level, extracting individual log lines every hour, LogWatch works at a higher level: a daily log analysis that aggregates entries into behaviour statistics, which makes trends, slow scans and slow attacks visible. Its email reports are shorter and consolidated. This is a very short, basic, default-installation documentation blog post, part of my default server installation.
- LogWatch presentation
- Prerequisites
- Installation
- Default configuration
- Test
- Materials and links
- Footnotes
LogWatch presentation
LogWatch [1] sends only one summary email per day. It is the first email to open in the morning: short, fast to read, and it gives a clue whether something happened during the last 24h. Then, if you have doubts, or if other unusual emails arrived, you can dig a little further with the daily TripWire, fwlogcheck, rkhunter or logcheck emails.
Logwatch is very easy to configure; I do not change any defaults, so I do not even install a configuration file.
Prerequisites
This article only depends on the Generic machine preparation post series.
Installation
Let's install it from the official Debian 11 Bullseye repositories:
apt-get install -y logwatch
Default configuration
As said previously, I do not need to change the default configuration values, so I do not install the configuration file. Should I want to change something, I would copy the template into /etc/logwatch/conf/ and alter that copy; the template itself lives under /usr/share/logwatch/ and is overwritten on package upgrade, so it must not be edited in place.
#cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
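If you do decide to override something, the override file only needs the keys that differ from the template. The script below is an added example and not part of the original post: it writes such a minimal /etc/logwatch/conf/logwatch.conf (the recipient address, the Detail level and the dropped Service sections are my own choices, not the author's) and then checks every key of the override against the package template, so that a misspelled key is caught instead of being silently ignored by the daily cron job. The key-checking helper is a local script, not a logwatch feature.

```shell
#!/bin/sh
# Added example: minimal override for /etc/logwatch/conf/logwatch.conf.
# Only keys that differ from the Debian template are written; everything
# else keeps following /usr/share/logwatch/default.conf/logwatch.conf.
set -eu

# Write the override. $1 = destination directory (/etc/logwatch/conf on a
# real host), $2 = recipient address (assumption: a mailbox that is read).
write_logwatch_override() {
    dir=$1
    mailto=$2
    mkdir -p "$dir"
    cat > "$dir/logwatch.conf" <<EOF
# Local overrides; the full commented template is
# /usr/share/logwatch/default.conf/logwatch.conf
Output = mail
Format = text
MailTo = $mailto
MailFrom = Logwatch
# Yesterday's entries, which is what the daily cron job reports on
Range = yesterday
# Med shows the source hosts behind the counts in the sshd/iptables sections
Detail = Med
Service = All
# Drop purely informational sections that add noise to the security read
Service = "-zz-network"
Service = "-zz-sys"
EOF
    echo "$dir/logwatch.conf"
}

# Validate: every key used in the override must also appear, uncommented,
# in the template. $1 = override file, $2 = template file.
# Returns 1 and names the offending keys on stderr if any key is unknown.
check_override_keys() {
    override=$1
    template=$2
    status=0
    for key in $(sed -n 's/^[[:space:]]*\([A-Za-z_]*\)[[:space:]]*=.*/\1/p' "$override" | sort -u); do
        if ! grep -q "^[[:space:]]*$key[[:space:]]*=" "$template"; then
            echo "unknown key in override: $key" >&2
            status=1
        fi
    done
    return $status
}

# Typical use on a Debian 11 host (run as root):
#   f=$(write_logwatch_override /etc/logwatch/conf root)
#   check_override_keys "$f" /usr/share/logwatch/default.conf/logwatch.conf
```

Run the check again after every manual edit of the override; logwatch does not validate key names for you, so a typo simply leaves the template value in force.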
Test
This tests not only the log analysis but also the mail notification path: the report goes to the MailTo address, root by default, so root's mail must actually reach someone. The command can be executed several times; it is idempotent because it does not track its last execution but simply re-parses the configured Range, which is yesterday by default (the same range the daily cron job reports on). Pass --range today to look at what has happened since midnight instead.
/usr/sbin/logwatch --output mail