Use logwatch, from http://www.logwatch.org. For example:
# logwatch --range all --archives --detail High --print | less
to see all the useful data logwatch can display, or:
# logwatch --print | less
to see only yesterday’s entries.
logwatch is a handy utility to scan system log files and display unexpected entries. Red Hat includes it but SuSE does not. If you need it, download the binary RPM from http://www.logwatch.org,[13] and install it, as root:
# rpm -Uhv logwatch-*.noarch.rpm
The easiest way to see what logwatch does is to run it:
$ logwatch --range all --print | less
################### LogWatch 4.2.1 (10/27/02) ####################
       Processing Initiated: Sun Nov 10 20:53:49 2002
       Date Range Processed: all
     Detail Level of Output: 0
          Logfiles for Host: myhost
###############################################################

--------------------- Connections (secure-log) Begin ------------------------

Unauthorized sudo commands attempted (1):
   smith: /usr/bin/tail -30 /var/log/maillog

---------------------- Connections (secure-log) End -------------------------

--------------------- SSHD Begin ------------------------

SSHD Killed: 2 Time(s)
SSHD Started: 1 Time(s)

Users logging in through sshd:
   smith logged in from foo.example.com (128.91.0.3) using publickey: 1 Time(s)

Refused incoming connections:
   200.23.18.56: 1 Time(s)

---------------------- SSHD End -------------------------
...
Once installed, logwatch is often run daily by cron, emailing its results to root. This is not necessarily the most secure way to do things: if your system is compromised, then you cannot trust email or logwatch itself. Like tripwire (Chapter 1), logwatch is best run on a remote machine, or from a secure medium like CD-ROM or write-protected floppy disk.
logwatch processes most but not all common log files. For the rest, you can define your own logwatch filters to parse and summarize them. [Recipe 9.37]
If logwatch seems to do nothing when you run it, be aware of the --print option. By default, logwatch does not write its results to standard output: it sends them by email. Specify --print to see the results on screen. Also be aware that the default range is “yesterday,” which might not be what you want.
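Because logwatch's report is plain text with "Begin"/"End" banner lines around each section, it is easy to post-process on the remote log host mentioned above rather than trusting an emailed copy. The following is an added example, not code from the book or from the logwatch project: it parses a report in the format shown earlier (the sample is constructed from that output), splits it into sections and headings, and pulls out the entries an administrator would want to review first, such as unauthorized sudo attempts and refused SSH connections. The heading prefixes in WATCH_PREFIXES are assumptions about what is worth flagging, not logwatch settings.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed logwatch report in the format shown above.
# Each section is bracketed by "---- NAME Begin ----" / "---- NAME End ----".
SAMPLE_REPORT = """\
################### LogWatch 4.2.1 (10/27/02) ####################
       Processing Initiated: Sun Nov 10 20:53:49 2002
       Date Range Processed: all
     Detail Level of Output: 0
          Logfiles for Host: myhost
###############################################################

--------------------- Connections (secure-log) Begin ------------------------

Unauthorized sudo commands attempted (1):
   smith: /usr/bin/tail -30 /var/log/maillog

---------------------- Connections (secure-log) End -------------------------

--------------------- SSHD Begin ------------------------

SSHD Killed: 2 Time(s)
SSHD Started: 1 Time(s)

Users logging in through sshd:
   smith logged in from foo.example.com (128.91.0.3) using publickey: 1 Time(s)

Refused incoming connections:
   200.23.18.56: 1 Time(s)

---------------------- SSHD End -------------------------
"""

SECTION_BEGIN = re.compile(r"^-+\s+(.*?)\s+Begin\s+-+$")
SECTION_END = re.compile(r"^-+\s+(.*?)\s+End\s+-+$")
TIMES = re.compile(r"(\d+)\s+Time\(s\)\s*$")

# Assumed list of headings worth a human look (not a logwatch setting).
WATCH_PREFIXES = ("Unauthorized sudo commands attempted",
                  "Refused incoming connections")


def parse_report(report):
    """Return {section: {heading: [sub-items]}} from a logwatch report.

    Inside a section, a flush-left line is a heading; the indented lines
    that follow it are its sub-items. Text outside any section (the
    '####' banner and the 'Processing Initiated' header) is ignored.
    Unbalanced or unclosed section markers raise ValueError, so a
    truncated or tampered report is not silently accepted.
    """
    sections = OrderedDict()
    current = heading = None
    for raw in report.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        m = SECTION_BEGIN.match(stripped)
        if m:
            current, heading = m.group(1), None
            sections[current] = OrderedDict()
            continue
        m = SECTION_END.match(stripped)
        if m:
            if m.group(1) != current:
                raise ValueError("unbalanced section markers: %r" % m.group(1))
            current = None
            continue
        if current is None:
            continue
        if raw[0].isspace():
            if heading is None:
                raise ValueError("indented item before any heading")
            sections[current][heading].append(stripped)
        else:
            heading = stripped
            sections[current][heading] = []
    if current is not None:
        raise ValueError("section %r never closed" % current)
    return sections


def count_of(line):
    """Return the N from a 'label: N Time(s)' line, or None if absent."""
    m = TIMES.search(line)
    return int(m.group(1)) if m else None


def review_items(report):
    """List (section, heading, item) triples under the watched headings."""
    found = []
    for section, headings in parse_report(report).items():
        for heading, items in headings.items():
            if heading.startswith(WATCH_PREFIXES):
                found.extend((section, heading, item) for item in items)
    return found


if __name__ == "__main__":
    for section, heading, item in review_items(SAMPLE_REPORT):
        print("[%s] %s %s" % (section, heading, item))
```

To use it on a real run, pipe `logwatch --range all --print` into the script on the trusted host instead of reading SAMPLE_REPORT; the parser deliberately rejects a report whose section markers do not balance, since a cut-off report is exactly the case in which something may have been hidden.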
[13] Actually, there are no binaries: logwatch is a collection of Perl scripts. Therefore, you don’t need to worry about which RPM is right for your system’s architecture.