It comes with the territory: if you administer a public system you should expect a daily barrage of attacks from script kiddies and black-hat hackers, and there is no way of stopping it short of unplugging your network and running a closed system. In my opinion the best defence against this daily onslaught is good monitoring. You can lock down your system as much as you like, but there will always be that one yet-to-be-patched security hole in the software you use that leaves you with your pants down and your system compromised. By monitoring your system closely and getting to know its normal day-to-day behaviour, you can filter out the noise and spot an attack before it causes too much damage.
One of the tools I use as part of my day-to-day monitoring is called Logwatch. This extremely useful tool can be made to run on almost any Linux system; I have myself had it running on Debian, Gentoo and Ubuntu, to name but a few of the distributions that include it in their software repositories.
Assuming you have already switched to root with su, are logged in as root, have the correct administrative privileges, or are simply prefixing every command with sudo, do the following to install Logwatch:
apt-get install logwatch
Depending on your Linux distribution, apt-get might be replaced with aptitude, dpkg, yum, up2date, etc. Once this has been done, Logwatch should be set up along with its daily cron job; however, by default Logwatch won't send email and will instead deliver its daily report to the root user's local mailbox. If you need to change this, do the following:
nano /usr/share/logwatch/default.conf/logwatch.conf
Then find and change the following information within logwatch.conf:
Output = mail
Format = html
MailTo = test@email.com
Once you have done that, save and exit the file (Ctrl+O to save and Ctrl+X to exit). Next you need to update the cron job and tell it to email the daily report to your address. First open the daily 00logwatch cron job:
nano /etc/cron.daily/00logwatch
Then find the line beginning with /usr/sbin/logwatch; it should be below the line saying #execute. By default it will mail to root, so change it to your email address so that it looks something like:
/usr/sbin/logwatch --mailto test@email.com
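The two edits above, written as a small POSIX shell script that can be run as root on a real host or, without root, against a scratch directory. This is an added example and not part of the original post. It assumes the documented override location /etc/logwatch/conf/logwatch.conf (settings there take precedence over the shipped /usr/share/logwatch/default.conf/logwatch.conf, which a package upgrade may overwrite), a cron job whose logwatch line matches the post's "/usr/sbin/logwatch --mailto root", and the address admin@example.org as a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the post's own commands. Writes Logwatch overrides to a
# conf file (normally /etc/logwatch/conf/logwatch.conf) and rewrites the
# --mailto argument of the daily cron job (normally /etc/cron.daily/00logwatch).
# Paths are parameters so the functions can be exercised in a scratch directory.

# write_logwatch_override CONF_FILE MAILTO
# Writes the three settings the post changes into an override file.
write_logwatch_override() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
# Local overrides; these take precedence over default.conf/logwatch.conf
Output = mail
Format = html
MailTo = $2
EOF
}

# get_setting CONF_FILE KEY
# Prints the value of KEY (last occurrence wins, as in Logwatch itself).
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_cron_mailto CRON_FILE MAILTO
# Changes "--mailto <whoever>" on the /usr/sbin/logwatch line, or appends
# --mailto if the line has none. Comment lines such as "#execute" are untouched.
set_cron_mailto() {
    if grep -q '^/usr/sbin/logwatch .*--mailto' "$1"; then
        sed "s|^\(/usr/sbin/logwatch .*--mailto[[:space:]]\{1,\}\)[^[:space:]]*|\1$2|" "$1" > "$1.tmp"
    else
        sed "s|^\(/usr/sbin/logwatch.*\)|\1 --mailto $2|" "$1" > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# cron_mailto CRON_FILE
# Prints the address the cron job will mail the report to.
cron_mailto() {
    sed -n 's|^/usr/sbin/logwatch .*--mailto[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p' "$1"
}

# Stand-alone demo in a scratch directory (no root needed). On a real host,
# call the functions as root with the /etc paths named at the top.
demo_dir=$(mktemp -d)
# Constructed sample of the cron job as the post describes it.
printf '#!/bin/sh\n#execute\n/usr/sbin/logwatch --mailto root\n' > "$demo_dir/00logwatch"
write_logwatch_override "$demo_dir/logwatch.conf" admin@example.org
set_cron_mailto "$demo_dir/00logwatch" admin@example.org
echo "config MailTo: $(get_setting "$demo_dir/logwatch.conf" MailTo)"
echo "cron --mailto: $(cron_mailto "$demo_dir/00logwatch")"
rm -rf "$demo_dir"
```

After running it against the real paths, `grep -n mailto /etc/cron.daily/00logwatch` and a manual `/usr/sbin/logwatch --mailto you@example.org --range yesterday` are the quickest way to confirm the report reaches the right inbox before waiting for the next daily run.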
Once you have done all of the above, Logwatch will be installed and set up to email daily reports. The default reports cover httpd (Apache), users logging in through sshd, PAM errors and disk space alerts. Logwatch is incredibly configurable and you can find or write additional modules to suit your requirements. Certain other packages such as fail2ban are also monitored by Logwatch, so you can track the number of failed and banned logins.