Wednesday, June 26, 2013

Install Logwatch 7.40 as this has built in MySQL PHP and HTTP Error Logging

Today I have installed and configured the Logwatch application on CentOS. "Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems."

It is a very powerful tool.

1. Installation

Download the RPM:
    wget http://downloads.sourceforge.net/project/logwatch/logwatch-7.4.0/logwatch-7.4.0-1.noarch.rpm
Install it:
    rpm -Uvh logwatch-7.4.0-1.noarch.rpm
or, as I prefer:
    yum install logwatch-7.4.0-1.noarch.rpm
If you don't need MySQL, PHP or HTTP Error Log checking you can just install version 7.3 by using:
    yum install logwatch
This will install Logwatch and also create a cronjob in the /etc/cron.daily folder.

2. Basic Configurations and Mail to Email

Now we need to change a couple of settings in the Logwatch configuration file.
The file is located at /usr/share/logwatch/default.conf/logwatch.conf. Open it in your text editor:
    vim /usr/share/logwatch/default.conf/logwatch.conf
Find and change:
    Output = stdout
to
    Output = mail
and
    MailTo = root
to
    MailTo = youremail@yourserver.com
You can also change the Range or Detail levels:
    Range = Yesterday
Range can be All, Today or Yesterday, but Yesterday should work best.
    Detail = Low
Detail can be Low (0), Med (5) or High (10).

3. Disable unneeded service monitoring

Now we need to disable some unneeded service monitoring. This only works when the Service setting is set to All, like so:
    Service = All
To disable the monitoring of a service, simply add a line like this below that line; this one disables postfix:
    Service = "-postfix"
or clamav, for example:
    Service = "-clamav"

4. Enable MySQL PHP and HTTP-Error log monitoring

This step took me a while to get working on CentOS 6, but here is how to do it.
First test whether Logwatch is working by simply running:
    logwatch
Check your email to see what output you get; if everything works you can skip the rest!
If you are missing the MySQL and HTTP-ERROR outputs:
You can run this command to get a more detailed email plus debug information:
    logwatch --detail high --range all --debug 5
This command is also good for debugging a specific service:
    logwatch --detail high --service http-error --range yesterday --debug 5
Run these commands and read the debug output on the terminal, then check your email for the emailed report.
You can also run a specific service script directly against its log file to see if it's working:
    cat /var/log/mysqld.log | perl /usr/share/logwatch/scripts/services/mysql
On my CentOS 6 I could not get any MySQL or HTTP-Error outputs so this is how I went about fixing it.
1. Run a specific service with the specific log file to see if it's working:
    cat /var/log/mysqld.log | perl mysql
I got this error:
    Can't locate Logwatch.pm in @INC (@INC contains: /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 .) at mysql line 30.
    BEGIN failed--compilation aborted at mysql line 30.
A simple symbolic link fixed that issue:
    ln -s /usr/share/logwatch/lib/Logwatch.pm /usr/local/lib/perl5/Logwatch.pm
After that the command would give me a nice output with some errors:
    cat /var/log/mysqld.log | perl mysql
    Errors:
    11 times:
    [120310 03:43:11 ±1 day(s)] Could not use /var/log/mysql/slow-queries.log for logging (error 2). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.
2. Then we need to run this command to debug and check the specific service:
    logwatch --detail high --service mysql --range all --debug 5
I got this output:
    export LOGWATCH_DATE_RANGE='all'
    export LOGWATCH_GLOBAL_DETAIL='10'
    export LOGWATCH_OUTPUT_TYPE='mail'
    export LOGWATCH_FORMAT_TYPE='text'
    export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
    export LOGWATCH_DEBUG='5'
This meant that it did not process the log files at all.
To fix this we need to correct the log file location for MySQL:
    vim /usr/share/logwatch/default.conf/logfiles/mysql.conf
Change the path to your specific MySQL error log path, i.e. /var/log/mysqld.log.
After we fix that we can run the command again and see that it's working; you should also get a nice email with the MySQL error output.
    logwatch --detail high --service mysql --range all --debug 5
You should see this output:
    export LOGWATCH_DATE_RANGE='all'
    export LOGWATCH_GLOBAL_DETAIL='10'
    export LOGWATCH_OUTPUT_TYPE='mail'
    export LOGWATCH_FORMAT_TYPE='text'
    export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
    export LOGWATCH_DEBUG='5'
    Preprocessing LogFile: mysql
    '/var/log/mysqld.log' | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''>/var/cache/logwatch/logwatch.jApI_bRi/mysql
    Processing Service: mysql
     ( cat /var/cache/logwatch/logwatch.jApI_bRi/mysql | /usr/bin/perl /usr/share/logwatch/scripts/services/mysql) 2>&1
For the HTTP-Error service there was a different fix.
When we ran:
    logwatch --detail high --service http-error --range all --debug 5
we would see:
    Preprocessing LogFile: http-error
BUT NOT:
    Processing Service: http-error
To fix this I had to remove *ApplyhttpDate from /usr/share/logwatch/default.conf/logfiles/http-error.conf:
    vim /usr/share/logwatch/default.conf/logfiles/http-error.conf
and comment out the *ApplyhttpDate line at the bottom, like so:
    # Keep only the lines in the proper date range...
    #*ApplyhttpDate
Now the HTTP-Error service gives me the correct debug output and a nice email.
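The mysql.conf problem above came down to a LogFile path that did not exist on the host. Here is an added shell check (example code, not part of the original post or of Logwatch itself) that resolves every LogFile entry in a logfiles directory and lists the ones that are missing, so the mismatch shows up before the next report. It assumes the default.conf/logfiles layout used above and Logwatch's default LogDir of /var/log.

```shell
#!/bin/sh
# Added example (not from the original post): a sanity check for the
# mysql.conf problem described above. Every logfile-group config in CONFDIR
# is read, each "LogFile =" entry is resolved the way Logwatch does (absolute
# paths as given, relative ones under LogDir, default /var/log) and entries
# whose file is absent on this host are reported.

# check_logwatch_logfiles CONFDIR [DEFAULT_LOGDIR]
# Prints one "<conf>: missing <path>" line per unresolved entry.
# Returns 0 when every entry resolves, 1 otherwise.
check_logwatch_logfiles() {
    confdir=$1
    default_logdir=${2:-/var/log}
    status=0
    for conf in "$confdir"/*.conf; do
        [ -f "$conf" ] || continue
        logdir=$default_logdir
        # The here-document below the loop feeds only LogFile/LogDir lines,
        # comments stripped; it runs in the current shell so $status survives.
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            # Keys are case-insensitive in Logwatch config files.
            key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//;s/^[[:space:]]*//' | tr 'A-Z' 'a-z')
            val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//')
            if [ "$key" = logdir ]; then
                logdir=$val          # later relative LogFile lines use this base
                continue
            fi
            case $val in
                /*) path=$val ;;
                *)  path=$logdir/$val ;;
            esac
            # LogFile values may be globs (e.g. httpd/*error_log): accept any match.
            found=0
            for f in $path; do
                [ -e "$f" ] && found=1 && break
            done
            if [ "$found" -eq 0 ]; then
                echo "$(basename "$conf"): missing $path"
                status=1
            fi
        done <<EOF
$(sed 's/#.*//' "$conf" | grep -iE '^[[:space:]]*log(file|dir)[[:space:]]*=')
EOF
    done
    return $status
}

# Usage on a real host (default.conf/logfiles is the directory the post edits):
#   check_logwatch_logfiles /usr/share/logwatch/default.conf/logfiles
```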


A sample Logwatch report is given below.
  • LOGWATCH Summary
  • System Configuration
  • httpd
  • http errors
  • pam_unix
  • postfix
  • sendmail-largeboxes (large mail spool files)
  • SSHD
  • XNTPD
  • Disk Space
  • Network Report

LOGWATCH Summary

      Logwatch Version: 7.4.0 (03/01/11)
      Processing Initiated: Tue Jun 25 15:26:38 2013
      Date Range Processed: today
                            ( 2013-Jun-25 )
                            Period is day.
      Detail Level of Output: 0
      Type of Output/Format: mail / html
      Logfiles for Host: test.example.com

System Configuration

No Sys::CPU module installed.  To install, execute the command:
  perl -MCPAN -e 'install Sys::CPU'

No Sys::MemInfo module installed.  To install, execute the command:
  perl -MCPAN -e 'install Sys::MemInfo'

  Machine: x86_64
  Release: Linux 2.6.18

httpd

Requests with error response codes
  403 Forbidden
     http://www.test.com/: 1 Time(s)
     http://www.google.com/: 1 Time(s)
  404 Not Found
     http://server6.test.net/azenv.php: 1 Time(s)

http errors

Errors:

1 times:
[... Jun 25 08:56:37 2013] [client 10.0.0.12 Directory index forbidden by Options directive: /var/www/html/

pam_unix

su-l:
  Authentication Failures:
     test(500) -> root: 2 Time(s)
  Sessions Opened:
    root -> root: 5 Time(s)

postfix

STATISTICS
----------

842803 bytes transferred
386 messages accepted for queue
386 messages removed from queue

DETAILS

Local Bounces: 1, 378 Time(s)

Unrecognized warning:
   backward time jump detected -- slewing clock : 2 Time(s)
   backward time jump recovered -- back to normality : 2 Time(s)

sendmail-largeboxes (large mail spool files)

Large Mailbox threshold: 40MB (41943040 bytes)
Warning: Large mailbox: root (143990521)

SSHD

Users logging in through sshd:
  dlrbase:
     10.0.0.1 (NSG-St.test.in): 6 times

Refused incoming connections:
     150.0.0.15 (150.0.0.15 ): 1 Time(s)
    145.0.0.22 (145.0.0.22): 24 Time(s)

XNTPD

Time Reset 8 times (total: -7.381299 s  average: -0.922662 s)

Total synchronizations 47 (hosts: 3)

Errors
 no servers reachable: 27 time(s)

Disk Space

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             47G   17G  30G  21% /
/dev/sda1             12M   12M  104M  11% /boot

Network Report

------------- Network Interfaces ---------------

Ethernet : 2
Other    : 1
Total    : 3


------------- Ethernet -------------------------

eth0      Link encap:Ethernet  HWaddr 00:16:36:12:43:AS 
eth1      Link encap:Ethernet  HWaddr 00:WE:12:65:HH:LH


------------- Other ----------------------------

lo        Link encap:Local Loopback  

------------- Network Interfaces ---------------

------------- Network statistics ---------------

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
   link/ether 00:16:12:hh:re brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.21/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
   link/ether 00:16:31:12:rd brd ff:ff:ff:ff:ff:ff

Iface        MTU RX-ERR TX-ERR
eth0       1500      0      0
lo      16436      0      0

------------- Network statistics ---------------