Install Logwatch 7.4.0, as this has built-in MySQL, PHP and HTTP Error Logging
Today I installed and configured the Logwatch application on CentOS.
"Logwatch parses through your system's logs and creates a report
analyzing areas that you specify. Logwatch is easy to use and will work
right out of the package on most systems."
It's a most powerful tool.
Download the RPM:
    wget http://downloads.sourceforge.net/project/logwatch/logwatch-7.4.0/logwatch-7.4.0-1.noarch.rpm
Install it:
    rpm -Uvh logwatch-7.4.0-1.noarch.rpm
or I like to use
    yum install logwatch-7.4.0-1.noarch.rpm
If you don't need MySQL, PHP or HTTP Error Log checking you can just install version 7.3 by using
    yum install logwatch
This will install Logwatch and also create a cronjob in the /etc/cron.daily folder.
2. Basic Configurations and Mail to Email
Now, we need to change a couple of settings within the Logwatch configuration file.
The file is located at
/usr/share/logwatch/default.conf/logwatch.conf. Using your text editor,
open the configuration file and find the following:
    vim /usr/share/logwatch/default.conf/logwatch.conf
Find and change:
    Output = stdout
To
    Output = mail
And
    MailTo = root
To
    MailTo = youremail@yourserver.com
You can also change the Range or Detail levels:
    Range = Yesterday
To All, Today or Yesterday, but Yesterday should work best
    Detail = Low
To Low = 0, Med = 5 or High = 10
3. Disable unneeded service monitoring
Now we need to disable some unneeded service monitoring – we can do this only if we have the Service setting set to All like so:
    Service = All
To disable the monitoring of some services, simply add this below that line to disable postfix:
    Service = "-postfix"
or clamav for example
    Service = "-clamav"
4. Enable MySQL PHP and HTTP-Error log monitoring
This step took me a while to get working on CentOS 6 but here is how to do it.
First test if logwatch is working by simply running
    logwatch
Check your email to see what output you get; if everything works you can skip the rest!
If you are missing the MySQL and HTTP-Error outputs:
You could run this command to get a more detailed email and any debug info.
    logwatch --detail high --range all --debug 5
This command is also good for debugging specific services
    logwatch --detail high --service http-error --range yesterday --debug 5
Run these commands and check the output to see the debug output, then check your email to see the emailed output.
You could also run a specific service with the specific log file to see if it's working:
    cat /var/log/mysqld.log | perl /usr/share/logwatch/scripts/services/mysql
On my CentOS 6 I could not get any MySQL or HTTP-Error outputs so this is how I went about fixing it.
1. Run a specific service with the specific log file to see if it's working:
    cat /var/log/mysqld.log | perl mysql
I got this error
    Can't locate Logwatch.pm in @INC (@INC contains: /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 .) at mysql line 30.
    BEGIN failed--compilation aborted at mysql line 30.
A simple symbolic link fixed that issue:
    ln -s /usr/share/logwatch/lib/Logwatch.pm /usr/local/lib/perl5/Logwatch.pm
After that the command would give me a nice output with some errors:
    cat /var/log/mysqld.log | perl mysql
    Errors:
    11 times:
    [120310 03:43:11 ± 1 day(s)] Could not use /var/log/mysql/slow-queries.log for logging (error 2). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.
2. Then we need to run this command to debug and check the specific services
    logwatch --detail high --service mysql --range all --debug 5
I got this output
    export LOGWATCH_DATE_RANGE='all'
    export LOGWATCH_GLOBAL_DETAIL='10'
    export LOGWATCH_OUTPUT_TYPE='mail'
    export LOGWATCH_FORMAT_TYPE='text'
    export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
    export LOGWATCH_DEBUG='5'
This meant that it did not process the log files.
To fix this we need to fix the log file location for MySQL:
    vim /usr/share/logwatch/default.conf/logfiles/mysql.conf
Change the path to your specific MySQL error log path,
i.e. /var/log/mysqld.log
After we fix that we can run the command
again and see that it's working – you should also get a nice email with
the MySQL error output.
    logwatch --detail high --service mysql --range all --debug 5
You should see this output:
    export LOGWATCH_DATE_RANGE='all'
    export LOGWATCH_GLOBAL_DETAIL='10'
    export LOGWATCH_OUTPUT_TYPE='mail'
    export LOGWATCH_FORMAT_TYPE='text'
    export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
    export LOGWATCH_DEBUG='5'
    Preprocessing LogFile: mysql
    '/var/log/mysqld.log' | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats '' >/var/cache/logwatch/logwatch.jApI_bRi/mysql
    Processing Service: mysql
    ( cat /var/cache/logwatch/logwatch.jApI_bRi/mysql | /usr/bin/perl /usr/share/logwatch/scripts/services/mysql) 2>&1
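The MySQL fix above comes down to a LogFile entry that matches no file on disk. The following is an added example, not part of the original post or of Logwatch: the names check_logfiles and demo, the fixture directory and the entry mysql/mysqld.err are constructed for illustration, and it assumes relative entries are resolved under the log directory.

```shell
#!/bin/sh
# check_logfiles CONF LOGDIR
# Prints "ok <entry>" or "missing <entry>" for every "LogFile =" line in CONF
# and returns 1 if any entry matches no existing file.
check_logfiles() {
    conf=$1 logdir=$2 missing=0
    # Value of each uncommented "LogFile = ..." line, surrounding whitespace trimmed.
    entries=$(sed -n 's/^[[:space:]]*LogFile[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf")
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            /*) target=$entry ;;           # absolute path: used as written
            *)  target=$logdir/$entry ;;   # relative path: resolved under LOGDIR
        esac
        found=no
        for f in $target; do               # unquoted on purpose so globs expand
            if [ -e "$f" ]; then found=yes; break; fi
        done
        if [ "$found" = yes ]; then
            echo "ok $entry"
        else
            echo "missing $entry"
            missing=1
        fi
    done <<EOF
$entries
EOF
    return $missing
}

# Constructed fixture: one entry pointing at a path that does not exist,
# next to the corrected entry (mysqld.log) used in the article.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/log"
    : > "$tmp/log/mysqld.log"
    printf '%s\n' '# constructed sample' 'LogFile = mysql/mysqld.err' \
        'LogFile = mysqld.log' > "$tmp/mysql.conf"
    if check_logfiles "$tmp/mysql.conf" "$tmp/log"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo || true
```

On a real host, point it at /usr/share/logwatch/default.conf/logfiles/mysql.conf and /var/log. Logwatch also reads override files from /etc/logwatch/conf/, so check entries there as well.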
For the HTTP-Error service there was a different fix:
When we ran:
    logwatch --detail high --service http-error --range all --debug 5
We would see:
    Preprocessing LogFile: http-error
BUT NOT!!!
    Processing Service: http-error
To fix this I had to remove *ApplyhttpDate from /usr/share/logwatch/default.conf/logfiles/http-error.conf
    vim /usr/share/logwatch/default.conf/logfiles/http-error.conf
And comment out the *ApplyhttpDate line on the bottom like so
    # Keep only the lines in the proper date range...
    #*ApplyhttpDate
Now the HTTP-Error Service would give me the correct debug output and a nice email.
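Both fixes were found by checking which of the two debug lines appears. The following is an added example, not part of the original post or of Logwatch, that automates that reading; the function names and the sample debug output are constructed, and it assumes the logfile group and the service share one name, as mysql and http-error do here.

```shell
#!/bin/sh
# logwatch_stage NAME
# Reads `logwatch --debug 5` output on stdin and prints how far the run got:
#   logfile-not-read  no "Preprocessing LogFile: NAME" line
#                     (the MySQL case: fix the path in logfiles/NAME.conf)
#   service-not-run   log was preprocessed but "Processing Service: NAME" is absent
#                     (the HTTP-Error case: look at the filters in logfiles/NAME.conf)
#   ok                both lines are present
logwatch_stage() {
    name=$1
    # Trim trailing whitespace so whole-line matching is reliable.
    dbg=$(sed 's/[[:space:]]*$//')
    if ! printf '%s\n' "$dbg" | grep -qxF "Preprocessing LogFile: $name"; then
        echo "logfile-not-read"
    elif ! printf '%s\n' "$dbg" | grep -qxF "Processing Service: $name"; then
        echo "service-not-run"
    else
        echo "ok"
    fi
}

# Constructed debug output for the three situations the article walks through.
sample_no_logfile() {
    printf '%s\n' "export LOGWATCH_DATE_RANGE='all'" "export LOGWATCH_DEBUG='5'"
}
sample_no_service() {
    sample_no_logfile
    echo "Preprocessing LogFile: http-error"
}
sample_ok() {
    sample_no_logfile
    printf '%s\n' "Preprocessing LogFile: mysql" "Processing Service: mysql"
}

sample_no_logfile | logwatch_stage mysql
sample_no_service | logwatch_stage http-error
sample_ok | logwatch_stage mysql
```

To use it on a live run, pipe the debug command's output (with 2>&1) into logwatch_stage followed by the service name.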
Sample Logwatch output is given below.
- LOGWATCH Summary
- System Configuration
- httpd
- http errors
- pam_unix
- postfix
- sendmail-largeboxes (large mail spool files)
- SSHD
- XNTPD
- Disk Space
- Network Report

LOGWATCH Summary
    Logwatch Version: 7.4.0 (03/01/11)
    Processing Initiated: Tue Jun 25 15:26:38 2013
    Date Range Processed: today ( 2013-Jun-25 ) Period is day.
    Detail Level of Output: 0
    Type of Output/Format: mail / html
    Logfiles for Host: test.example.com

httpd
    Requests with error response codes
    403 Forbidden
        http://www.test.com/: 1 Time(s)
        http://www.google.com/: 1 Time(s)
    404 Not Found
        http://server6.test.net/azenv.php: 1 Time(s)

http errors
    Errors:
    1 times:
        [... Jun 25 08:56:37 2013] [client 10.0.0.12 Directory index forbidden by Options directive: /var/www/html/

pam_unix
    su-l:
    Authentication Failures:
        test(500) -> root: 2 Time(s)
    Sessions Opened:
        root -> root: 5 Time(s)

sendmail-largeboxes (large mail spool files)
    Large Mailbox threshold: 40MB (41943040 bytes)
    Warning: Large mailbox: root (143990521)

SSHD
    Users logging in through sshd:
        dlrbase:
            10.0.0.1 (NSG-St.test.in): 6 times
    Refused incoming connections:
        150.0.0.15 (150.0.0.15 ): 1 Time(s)
        145.0.0.22 (145.0.0.22): 24 Time(s)

XNTPD
    Time Reset 8 times (total: -7.381299 s average: -0.922662 s)
    Total synchronizations 47 (hosts: 3)
    Errors
        no servers reachable: 27 time(s)

Disk Space
    Filesystem  Size  Used  Avail  Use%  Mounted on
    /dev/sda3   47G   17G   30G    21%   /
    /dev/sda1   12M   12M   104M   11%   /boot

Network Report
    ------------- Network Interfaces ---------------
    Ethernet : 2
    Other : 1
    Total : 3
    ------------- Ethernet -------------------------
    eth0 Link encap:Ethernet HWaddr 00:16:36:12:43:AS
    eth1 Link encap:Ethernet HWaddr 00:WE:12:65:HH:LH
    ------------- Other ----------------------------
    lo Link encap:Local Loopback
    ------------- Network Interfaces ---------------
    ------------- Network statistics ---------------
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:16:12:hh:re brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.21/24 brd 192.168.1.255 scope global eth0
    3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 00:16:31:12:rd brd ff:ff:ff:ff:ff:ff
    Iface  MTU    RX-ERR  TX-ERR
    eth0   1500   0       0
    lo     16436  0       0
    ------------- Network statistics ---------------