Introduction to Logwatch

Logwatch is an open-source log analysis tool written as a Perl script. It parses raw log files and turns them into structured reports, and the report can be tailored to your usage and needs. Logwatch is characterised by simple configuration, convenient log monitoring and analysis, and the ability to customise certain functions. The project source is at https://sourceforge.net/projects/logwatch/

The official Logwatch documentation describes it as:

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.

Installing and upgrading Logwatch

 

1: Check whether the Logwatch package is installed

[root@DB-Server ~]# rpm -qa | grep logwatch

logwatch-7.3-9.el5_6

2: Installing, upgrading and uninstalling Logwatch

 

2.1.1 Installing Logwatch from RPM

[root@DB-Server Server]# rpm -ivh logwatch-7.3-9.el5_6.noarch.rpm 

warning: logwatch-7.3-9.el5_6.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing...                ########################################### [100%]

        package logwatch-7.3-9.el5_6.noarch is already installed

[root@DB-Server Server]# 

 

 

 

[root@DB-Server Server]# yum install logwatch

2.1.2 Installing Logwatch from source

[root@DB-Server tmp]# tar -xzvf logwatch-7.4.3.tar.gz 

[root@DB-Server tmp]# cd logwatch-7.4.3

[root@DB-Server logwatch-7.4.3]# ./install_logwatch.sh

#################################

Preparing to install Logwatch

Enter the path to the Logwatch BaseDir [/usr/share/logwatch] : 

### Using /usr/share/logwatch

Enter the path for the Logwatch ConfigDir [/etc/logwatch] : 

### Using /etc/logwatch

Enter the dir name to be used for temp files [/var/cache/logwatch] : 

### Using /var/cache/logwatch

Enter the location of perl [/usr/bin/perl] : 

### Using /usr/bin/perl

Enter the dir name to used for the manpage [/usr/share/man] : 

### Using /usr/share/man

### Installing

Created symlink for /usr/sbin/logwatch 

Created /etc/cron.daily/0logwatch 

 

2.2 Uninstalling Logwatch

[root@DB-Server Server]# rpm -e logwatch-7.3-9.el5_6

2.3 Upgrading Logwatch

[root@DB-Server Server]# rpm -Uvh logwatch***.rpm

Logwatch configuration

The Logwatch configuration file is /etc/logwatch/conf/logwatch.conf; after a fresh install this file is empty. You can copy the template configuration file over it; if you skip this step, the default configuration file /usr/share/logwatch/default.conf/logwatch.conf is used.

[root@DB-Server ~]# more  /etc/logwatch/conf/logwatch.conf

# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)

[root@DB-Server ~]# cp  /usr/share/logwatch/default.conf/logwatch.conf  /etc/logwatch/conf/logwatch.conf 

cp: overwrite `/etc/logwatch/conf/logwatch.conf'? yes

 

Description of the individual configuration parameters:

LogDir = /var/log                Directory containing the system logs (or the logs you want analysed)
TmpDir = /var/cache/logwatch     Location of temporary files
Output = stdout                  Output destination (stdout = print to the screen)
Format = text                    Output format; the choices are text and html
Encode = none                    Encoding
MailTo = root                    Who receives the report (users or mail groups); separate multiple addresses with commas
MailFrom = Logwatch              Sender of the mail
Range = yesterday                Which period's logs to process; options: All, Yesterday, Today, or an expression such as:
                                 Range = "1 hours ago for that hour"
                                 Range = "-7 days"
                                 Range = "between -7 days and -3 days"
                                 Range = "since March 15, 2017"
                                 Range = "first Friday in October"
                                 Range = "2017/04/15 12:50:15 for that second"
Detail = Low                     Controls how detailed the Logwatch report is; options: Low, Med, High, or a number from 0 to 10
                                 (High, Med and Low correspond to 10, 5 and 0 respectively)
Service = All                    Monitor all services
Service = "-httpd"               Prefix a service name with "-" to exclude it, e.g. -httpd stops monitoring httpd; several such lines may be given
mailer = "/usr/sbin/sendmail -t" Command used to send the mail (sendmail, postfix or Qmail can be used)

Note that the parameters differ between Logwatch versions; for example, compare logwatch-7.3-9 with logwatch-7.4.3 below:

[root@DB-Server01 ~]# sed -n "/^\s*[^#\t].*$/p" /usr/share/logwatch/default.conf/logwatch.conf

LogDir = /var/log

TmpDir = /var/cache/logwatch

MailTo = root

MailFrom = Logwatch

Print = No

Range = yesterday

Detail = Low 

Service = All

Service = "-zz-network"     # Prevents execution of zz-network service, which

                            # prints useful network configuration info.

Service = "-zz-sys"         # Prevents execution of zz-sys service, which

                            # prints useful system configuration info.

Service = "-eximstats"      # Prevents execution of eximstats service, which

                            # is a wrapper for the eximstats program.

mailer = "sendmail -t"

 

 

 

[root@DB-Server ~]# sed -n "/^\s*[^#\t].*$/p" /etc/logwatch/conf/logwatch.conf 

LogDir = /var/log

TmpDir = /var/cache/logwatch

Output = stdout

Format = text

Encode = none

MailTo = root

MailFrom = Logwatch

Range = yesterday

Detail = Low

Service = All

Service = "-zz-network"     # Prevents execution of zz-network service, which

                            # prints useful network configuration info.

Service = "-zz-sys"         # Prevents execution of zz-sys service, which

                            # prints useful system configuration info.

Service = "-eximstats"      # Prevents execution of eximstats service, which

                            # is a wrapper for the eximstats program.

mailer = "/usr/sbin/sendmail -t"

[root@DB-Server ~]# 

Logwatch does not run as a system service; instead it installs a script, /etc/cron.daily/0logwatch, under /etc/cron.daily (in some versions this is a symlink), as shown below. You can of course also schedule your own job in crontab. If you want to use the mail-sending function, you must configure it beforehand, for example by setting up sendmail.

logwatch-7.3-9

[root@mynx01 ~]# ls -l /etc/cron.daily/0logwatch

lrwxrwxrwx 1 root root 39 Apr 23  2015 /etc/cron.daily/0logwatch -> /usr/share/logwatch/scripts/logwatch.pl

 

logwatch-7.4.3

[root@DB-Server tmp]# more  /etc/cron.daily/0logwatch

#!/bin/sh

 

#Set logwatch location

LOGWATCH_SCRIPT="/usr/sbin/logwatch"

#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,

#but some are only for the nightly cronrun such as --output mail and should be set here.

#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.

OPTIONS="--output mail"

 

#Call logwatch

$LOGWATCH_SCRIPT $OPTIONS

 

exit 0

[root@DB-Server tmp]# ls -l  /etc/cron.daily/0logwatch

-rwxr-xr-x 1 root root 434 Apr 27 15:09 /etc/cron.daily/0logwatch

[root@DB-Server tmp]# 

 

Logwatch usage examples

1: View the logwatch help (note the differences between versions)

[root@DB-Server log]# logwatch --help

 

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>]

   [--format <format_type>] [--encode <enconding>] [--numeric]

   [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]

   [--filename <filename>] [--help|--usage] [--version] [--service <name>]

   [--hostformat <host_format type>] [--hostlimit <host1,host2>] [--html_wrap <num_characters>]

 

--detail <level>: Report Detail Level - High, Med, Low or any #.

--logfile <name>: *Name of a logfile definition to report on.

--logdir <name>: Name of default directory where logs are stored.

--service <name>: *Name of a service definition to report on.

--output <output type>: Report Output - stdout [default], mail, file.

--format <formatting>: Report Format - text [default], html.

--encode <encoding>: Enconding to use - none [default], base64.

--mailto <addr>: Mail report to <addr>.

--archives: Use archived log files too.

--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].

--range <range>: Date range: Yesterday, Today, All, Help

                             where help will describe additional options

--numeric: Display addresses numerically rather than symbolically and numerically

           (saves  a  nameserver address-to-name lookup).

--debug <level>: Debug Level - High, Med, Low or any #.

--hostformat: Host Based Report Options - none [default], split, splitmail.

--hostlimit: Limit report to hostname - host1,host2.

--hostname: overwrites hostname

--html_wrap <num_characters>: Default is 80.

--version: Displays current version.

--help: This message.

--usage: Same as --help.

* = Switch can be specified multiple times...

2: Logwatch usage examples:

perl /usr/share/logwatch/scripts/logwatch.pl

logwatch --service sshd --print

logwatch --detail High --Service All --range All --print

logwatch --detail High --Service All --range All --output stdout

logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /tmp/logwatch.html

Note that some of the commands above do not work on every version; for example, logwatch-7.4.3 has no --print option, and you must use --output instead.

[root@MyLinx ~]#  logwatch --service sshd --print  

 

 ################### Logwatch 7.3 (03/24/06) #################### 

        Processing Initiated: Mon Apr 24 08:11:00 2017

        Date Range Processed: yesterday

                              ( 2017-Apr-23 )

                              Period is day.

      Detail Level of Output: 10

              Type of Output: unformatted

           Logfiles for Host: xxx.xxx.xxx

  ################################################################## 

 

 --------------------- SSHD Begin ------------------------ 

 

 Users logging in through sshd:

    xxxxx:

       192.168.xxx.xxx (xxxx): 276 times

    oracle:

       192.168.xxx.xxx (xxxxx): 1 time

 

 

 Received disconnect:

    11: The user disconnected the application

       192.168.xxx.xxx : 276 Time(s)

 

 ---------------------- SSHD End ------------------------- 

 

 

 ###################### Logwatch End ######################### 

 

[root@DB-Server log]# logwatch --detail 10 --range all --service sshd --format text --output file --filename /tmp/logwatch.txt

[root@DB-Server log]# more /tmp/logwatch.txt 

 

 ################### Logwatch 7.4.3 (04/27/16) #################### 

        Processing Initiated: Thu Apr 27 17:17:42 2017

        Date Range Processed: all

        Detail Level of Output: 10

        Type of Output/Format: file / text

        Logfiles for Host: DB-Server.localdomain

 ################################################################## 

 

 --------------------- SSHD Begin ------------------------ 

 

 Couldn't resolve these IPs:

    get253194.gfg1.esquel.com(192.168.103.21): 1 Time(s)

    get253194.gfg1.esquel.com(192.168.103.26): 1 Time(s)

 

 Failed logins from:

    192.168.7.xxx: 1 time

       root/password: 1 time

 

 Users logging in through sshd:

    root:

       192.168.103.15 (xxxxx): 4 times

       192.168.103.21 (xxxxx): 4 times

       192.168.103.22 (xxxxx): 3 times

       192.168.103.26 (xxxxx): 2 times

 

 SFTP subsystem requests: 6 Time(s)

 

 ---------------------- SSHD End ------------------------- 

 

 

 ###################### Logwatch End ######################### 
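To act on these reports rather than only read them, the following added Python example (not part of the original post or of Logwatch itself) parses the SSHD section layout shown above into structured counts and lists source addresses with failed logins; it accepts both the "276 times" and "6 Time(s)" count spellings that the two versions print. The report text it reads is a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SSHD section above (made-up addresses and hosts).
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------
 Failed logins from:
    192.168.7.50: 3 times
       root/password: 2 times
       admin/password: 1 time

 Users logging in through sshd:
    root:
       192.168.103.15 (db01): 4 times
       192.168.103.21 (db02): 2 times
 SFTP subsystem requests: 6 Time(s)
 ---------------------- SSHD End -------------------------
"""
# Matches "<label>: 276 times", "<label>: 1 time" and "<label>: 6 Time(s)".
COUNT_RE = re.compile(r"^(.*?):\s+(\d+)\s+[Tt]ime")

def parse_sshd(report):
    """Return {'failed': {src_ip: {user/method: n}}, 'logins': {user: {src_ip: n}}}."""
    lines = report.splitlines()
    idx = {tag: i for i, l in enumerate(lines) for tag in ("Begin", "End") if "SSHD " + tag in l}
    body = lines[idx["Begin"] + 1:idx["End"]] if len(idx) == 2 else []
    failed, logins = defaultdict(dict), defaultdict(dict)
    block, parent = None, None        # current sub-section and the line that owns the indented rows
    for line in filter(str.strip, body):          # skip blank lines
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if indent <= 1:               # a sub-section heading at the left margin
            block = {"Failed logins from:": "failed", "Users logging in through sshd:": "logins"}.get(text)
            continue
        m = COUNT_RE.match(text)
        if block == "failed" and m:
            if indent == 4:           # source address line
                parent = m.group(1)
            else:                     # user/method line indented beneath it
                failed[parent][m.group(1)] = int(m.group(2))
        elif block == "logins":
            if indent == 4:           # "user:" line
                parent = text.rstrip(":")
            elif m:                   # "ip (hostname): n times" beneath it
                logins[parent][m.group(1).split(" (")[0]] = int(m.group(2))
    return {"failed": dict(failed), "logins": dict(logins)}

def failed_sources(report, threshold=1):
    """Source addresses with at least `threshold` failed attempts, most first."""
    totals = {ip: sum(v.values()) for ip, v in parse_sshd(report)["failed"].items()}
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold), key=lambda t: -t[1])
```

Feed it the text written by --output file --filename /tmp/logwatch.txt as shown above. Addresses that themselves contain colons (IPv6) would need a stricter label pattern than the non-greedy match used here.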
