Whereas LogCheck works at a low level, extracting individual log lines every hour, LogWatch works at a higher level: a daily log analysis with aggregation, which yields behaviour statistics and helps to detect trends, slow scans or slow attacks. The email reports are shorter and consolidated. This is a very short, basic, default-installation documentation blog post, part of my default server installation.

LogWatch presentation


LogWatch 1 sends a single summary email per day. It is the first email to open in the morning: short, fast to read, and it gives a clue whether something happened during the last 24 hours. Then, if you have doubts, or if there are other unusual emails, you can dig a little further with the daily TripWire email, fwlogcheck email, rkhunter email or logcheck emails.

Logwatch is very easy to configure, and I do not change any defaults, so I do not even install a configuration file.

Prerequisites

This article only depends on the Generic machine preparation post series.

Installation

Let’s install it from the official Debian 11 Bullseye repositories:

apt-get install -y logwatch

Default configuration

As said previously, I do not need to change the default configuration values, so I do not install the default configuration file. If I ever want to change something, I will copy the template into place and alter it:

#cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Test

This tests not only the log analysis but also the notifications. It can be executed several times: it is idempotent, it does not track its last execution, and it always parses the last 24 hours.

/usr/sbin/logwatch --output mail
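The report produced by the command above is plain text, split into per-service sections delimited by "Begin" and "End" banners. As an added example (not part of the original post, nor code from the LogWatch project), the following Python script parses the pam_unix authentication-failure block from two consecutive daily reports and flags sources that keep reappearing at low volume: that is the slow-scan pattern the introduction says a daily aggregated summary can reveal where hourly line extraction cannot. The two report excerpts and the addresses in them are constructed samples; the banner layout follows LogWatch's usual format, but the exact formatting of a real report may differ by version and detail level, so the regular expressions are an assumption to check against your own output.

```python
import re
from collections import defaultdict

# Constructed sample excerpts of two consecutive LogWatch daily reports.
# The section banners follow LogWatch's "---- <service> Begin ----" /
# "---- <service> End ----" layout; addresses are documentation ranges.
REPORT_DAY1 = """\
 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (203.0.113.5): 4 Time(s)
       root (198.51.100.7): 61 Time(s)
    Invalid Users:
       Unknown Account: 4 Time(s)

 ---------------------- pam_unix End -------------------------

 --------------------- Disk Space Begin ------------------------

 Filesystem      Size  Used Avail Use% Mounted on
 /dev/sda1        40G   12G   26G  32% /

 ---------------------- Disk Space End -------------------------
"""

REPORT_DAY2 = """\
 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (203.0.113.5): 3 Time(s)
       admin (192.0.2.44): 2 Time(s)
    Invalid Users:
       Unknown Account: 5 Time(s)

 ---------------------- pam_unix End -------------------------
"""

# One "<name> Begin" ... "<name> End" block; the backreference makes sure a
# section is closed by its own End banner and not by that of a later section.
SECTION_RE = re.compile(
    r"^\s*-+\s+(?P<name>.+?)\s+Begin\s+-+\s*$"
    r"(?P<body>.*?)"
    r"^\s*-+\s+(?P=name)\s+End\s+-+\s*$",
    re.MULTILINE | re.DOTALL,
)

# A single "user (source): N Time(s)" line inside the failures list.
FAILURE_RE = re.compile(
    r"^\s+(?P<user>\S+)\s+\((?P<src>[^)]+)\):\s+(?P<n>\d+)\s+Time\(s\)",
    re.MULTILINE,
)


def split_sections(report):
    """Return {section_name: body_text} for every Begin/End block in a report."""
    return {m.group("name"): m.group("body") for m in SECTION_RE.finditer(report)}


def auth_failures(report):
    """Return {source: failure_count} from pam_unix's 'Authentication Failures' list."""
    body = split_sections(report).get("pam_unix", "")
    parts = body.split("Authentication Failures:", 1)
    if len(parts) < 2:
        return {}
    # Stop at the next label so 'Invalid Users' entries are not mixed in.
    block = parts[1].split("Invalid Users:", 1)[0]
    counts = defaultdict(int)
    for m in FAILURE_RE.finditer(block):
        counts[m.group("src")] += int(m.group("n"))
    return dict(counts)


def slow_scanners(reports, max_per_day=10, min_days=2):
    """Sources failing on at least min_days days while staying at or under
    max_per_day each day. Loud sources stand out in any single report; the
    quiet, persistent ones are what comparing daily summaries surfaces."""
    days_seen = defaultdict(int)
    for report in reports:
        for src, n in auth_failures(report).items():
            if n <= max_per_day:
                days_seen[src] += 1
    return sorted(src for src, days in days_seen.items() if days >= min_days)


if __name__ == "__main__":
    for label, report in (("day 1", REPORT_DAY1), ("day 2", REPORT_DAY2)):
        print(label, auth_failures(report))
    print("low-and-slow sources:", slow_scanners([REPORT_DAY1, REPORT_DAY2]))
```

On a real server you would feed the script the saved daily reports (for instance by writing each run's output to a dated file with `--output file`) rather than the constructed strings, and tune `max_per_day` to the noise level of the host.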

Materials and links

Footnotes

  1. https://sourceforge.net/projects/logwatch/