logwatch
Analyze and summarize system log files
TLDR
Analyze logs for a range of dates at a certain level of detail
Restrict report to only include information for a selected service
SYNOPSIS
logwatch [OPTION...]
PARAMETERS
--detail <level>
Sets the level of detail in the report. Common values include Low, Med, High, or an integer (e.g., 0-10).
--format <format>
Specifies the output format of the report. Accepted values are text or html.
--output <method>
Determines where the report is sent. Options include mail, stdout (print to screen), or file.
--mailto <email_address>
Sends the generated report to the specified email address.
--file <filename>
Saves the report to the specified file path instead of mailing or printing.
--print
A shortcut for --output stdout, printing the report directly to the terminal.
--range <time_range>
Defines the time period for which logs should be processed. Examples include yesterday, today, all, last24hours, or custom ranges like '2023/01/01 10:00:00'..'2023/01/01 11:00:00'.
--service <service_name>
Processes logs only for the specified service(s). Can be used multiple times to include several services (e.g., --service http --service sshd).
--config_dir <directory>
Specifies an alternative directory for configuration files instead of the default.
--log_dir <directory>
Specifies an alternative directory where log files are located.
--hostname <name>
Overrides the system's hostname in the report header.
--debug <level>
Enables debugging output for troubleshooting, with increasing verbosity levels (0-10).
DESCRIPTION
Logwatch is a customizable log analysis program designed to process system logs, identify relevant information, and generate concise reports. It aggregates data from various log files, such as syslog, mail logs, Apache access logs, and more, presenting it in a human-readable format. This helps system administrators quickly spot potential issues, security alerts, or important operational events without manually sifting through large volumes of log data. It's highly configurable, allowing users to specify the level of detail, report format (text or HTML), output destination (email, stdout, or file), and which services to monitor.
CAVEATS
Logwatch relies heavily on Perl scripts for parsing, which can be complex to customize for new or unusual log formats. Its performance can degrade on systems with extremely high log volumes or when processing many services, as it processes logs sequentially. Ensure that your system's mail services are correctly configured for email reports to be delivered successfully. If logwatch is already running via a default cron job, be mindful to avoid conflicts with any custom scheduling.
CONFIGURATION FILES
The primary configuration file for Logwatch is typically located at /etc/logwatch/conf/logwatch.conf, which controls global settings such as output options, detail levels, and time ranges. More specific configurations and parsing scripts for individual services are found in subdirectories like /etc/logwatch/conf/services/ and /etc/logwatch/scripts/services/, enabling fine-grained control over how each log type is processed.
CRON INTEGRATION
Logwatch is most commonly utilized as a daily automated task via cron. On many Linux systems, a script such as /etc/cron.daily/00logwatch is responsible for executing it automatically, usually in the early morning hours, to process the previous day's logs and send a summary report to the configured recipient.
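A wrapper that can be scheduled next to the daily job to produce an authentication-only report, given here as an added example that is not part of logwatch or of the original page. The report directory, the lock path and the pam_unix and sudo service names are assumptions; only the --service, --range, --detail, --format and --output options listed above are used.

```sh
#!/bin/sh
# Added example, not part of logwatch. Paths and the service list are assumptions.
LOGWATCH_BIN="${LOGWATCH_BIN:-logwatch}"              # overridable for testing
REPORT_DIR="${REPORT_DIR:-/var/log/logwatch-auth}"    # hypothetical report directory
LOCK_DIR="${LOCK_DIR:-/run/lock/logwatch-auth.lock}"  # hypothetical lock path
CRON_JOB="${CRON_JOB:-/etc/cron.daily/00logwatch}"    # default daily job named on this page
SERVICES="${SERVICES:-sshd pam_unix sudo}"            # assumes these service filters are installed

# Emit one "--service NAME" pair per service; --service may be repeated.
service_args() {
    for svc in $SERVICES; do
        printf '%s %s ' --service "$svc"
    done
}

# Write an authentication-only report for the given --range value.
# The body is a subshell so the umask change does not leak to the caller.
# Exit status: 0 report written (path on stdout), 1 logwatch failed, 2 already running.
auth_report() (
    range="${1:-yesterday}"
    umask 077    # the report lists usernames and source addresses
    mkdir -p "$REPORT_DIR" || exit 1
    # mkdir is atomic, so an overlapping run stops here instead of racing.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "auth_report: lock $LOCK_DIR is held, skipping" >&2
        exit 2
    fi
    if [ -e "$CRON_JOB" ]; then
        echo "note: $CRON_JOB also covers these services in its daily report" >&2
    fi
    out="$REPORT_DIR/auth-$(date +%Y%m%d).txt"
    # Unquoted on purpose: service_args output must split into separate words.
    if "$LOGWATCH_BIN" $(service_args) --range "$range" --detail High \
            --format text --output stdout > "$out.tmp"; then
        mv "$out.tmp" "$out"; rc=0
    else
        rm -f "$out.tmp"; rc=1    # never leave a partial report behind
    fi
    rmdir "$LOCK_DIR"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out"
    exit "$rc"
)
```

Call auth_report yesterday from a root cron entry. A run that is killed leaves the lock directory behind, which then has to be removed by hand.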
HISTORY
Logwatch originated as a Perl-based tool developed to simplify the often tedious process of analyzing vast and complex system log files. Its primary goal was to provide system administrators with a concise, daily summary of critical events, thereby reducing the need for manual inspection of raw logs. It has been a standard utility included in many Linux distributions for well over a decade, evolving to support a wide range of log formats and services through its flexible, modular script architecture.