Logwatch功能介绍

Logwatch是一款Perl脚本编写的、开源的日志分析工具。它能对原始的日志文件进行解析并转换成结构化格式的文档,也能根据您的使用情况和需求来定制报告。Logwatch的特点是配置简单、监控、分析日志方便,而且可以对某些功能进行定制化。 项目源码位于https://sourceforge.net/projects/logwatch/

LogWatch的官文档介绍:

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.

Logwatch安装升级

 

1: 查看是否安装Logwatch组件

[root@DB-Server ~]# rpm -qa | grep logwatch

logwatch-7.3-9.el5_6

2: Logwatch的安装、升级、卸载

 

2.1.1 Logwatch的RPM安装

[root@DB-Server Server]# rpm -ivh logwatch-7.3-9.el5_6.noarch.rpm 

warning: logwatch-7.3-9.el5_6.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing...                ########################################### [100%]

        package logwatch-7.3-9.el5_6.noarch is already installed

[root@DB-Server Server]# 

 

 

 

[root@DB-Server Server]# yum install logwatch

2.1.2 Logwatch的源码安装

[root@DB-Server tmp]# tar -xzvf logwatch-7.4.3.tar.gz 

[root@DB-Server tmp]# cd logwatch-7.4.3

[root@DB-Server logwatch-7.4.3]# ./install_logwatch.sh

#################################

Preparing to install Logwatch

Enter the path to the Logwatch BaseDir [/usr/share/logwatch] : 

### Using /usr/share/logwatch

Enter the path for the Logwatch ConfigDir [/etc/logwatch] : 

### Using /etc/logwatch

Enter the dir name to be used for temp files [/var/cache/logwatch] : 

### Using /var/cache/logwatch

Enter the location of perl [/usr/bin/perl] : 

### Using /usr/bin/perl

Enter the dir name to used for the manpage [/usr/share/man] : 

### Using /usr/share/man

### Installing

Created symlink for /usr/sbin/logwatch 

Created /etc/cron.daily/0logwatch

 

2.2 Logwatch的卸载

[root@DB-Server Server]# rpm -e logwatch-7.3-9.el5_6

2.2 Logwatch的升级

[root@DB-Server Server]#rpm -Uvh logwatch***.rpm

Logwatch的配置介绍

Logwatch的配置文件为 /etc/logwatch/conf/logwatch.conf ,初始安装后,这个配置文件是空的。你可以将配置文件的模板拷贝过来,如果不做这一步,就会默认使用/usr/share/logwatch/default.conf/logwatch.conf 这个配置文件。

[root@DB-Server ~]# more  /etc/logwatch/conf/logwatch.conf

# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)

[root@DB-Server ~]# cp  /usr/share/logwatch/default.conf/logwatch.conf  /etc/logwatch/conf/logwatch.conf 

cp: overwrite `/etc/logwatch/conf/logwatch.conf'? yes

 

配置的具体参数介绍:

LogDir = /var/log                系统日志或需要分析日志所在路径

 

TmpDir = /var/cache/logwatch     临时文件位置

 

Output = stdout                  输出格式(stdout 屏幕上显示)

 

Format = text                    输出格式,有text、html选项可以选择

 

Encode = none                    编码格式

 

MailTo = root                    分析结果发送给那些人或邮件组。多个邮箱逗号隔开

 

MailFrom = Logwatch              邮件的发件人

 

Range = yesterday                处理什么时候的日志 , 可选项 All(所有) ,Yesterday(昨天) , Today(今天)

 

                                 Range = "1 hours ago for that hour"

 

                                 Range = "-7 days"

 

                                 Range = "between -7 days and -3 days"

 

                                 Range = "since March 15, 2017"

 

                                 Range = "first Friday in October"

 

                                 Range = "2017/04/15 12:50:15 for that second"

 

Detail = Low                     该参数控制着 Logwatch 报告的详细程, 可选项:Low , Med , High 也可以用0-10数字表示

 

                                 其中High、Med、Low 几个选项分别代表着10、5和0数字。

 

Service = All                    监控所有服务 all

 

Service = "-httpd"               不监控的服务前面加 “-” , 如 -httpd ,即不监控 httpd 服务 , 可以写多条

 

mailer = "/usr/sbin/sendmail -t" 发送邮件的方式(可以选sendmail,postfix,Qmail)

注意不同版本的Logwatch的参数有所区别,例如如下logwatch-7.3-9与logwatch-7.4.3的对比如下

[root@DB-Server01 ~]# sed -n "/^\s*[^#\t].*$/p" /usr/share/logwatch/default.conf/logwatch.conf

LogDir = /var/log

TmpDir = /var/cache/logwatch

MailTo = root

MailFrom = Logwatch

Print = No

Range = yesterday

Detail = Low 

Service = All

Service = "-zz-network"     # Prevents execution of zz-network service, which

                            # prints useful network configuration info.

Service = "-zz-sys"         # Prevents execution of zz-sys service, which

                            # prints useful system configuration info.

Service = "-eximstats"      # Prevents execution of eximstats service, which

                            # is a wrapper for the eximstats program.

mailer = "sendmail -t"

 

 

 

[root@DB-Server ~]# sed -n "/^\s*[^#\t].*$/p" /etc/logwatch/conf/logwatch.conf 

LogDir = /var/log

TmpDir = /var/cache/logwatch

Output = stdout

Format = text

Encode = none

MailTo = root

MailFrom = Logwatch

Range = yesterday

Detail = Low

Service = All

Service = "-zz-network"     # Prevents execution of zz-network service, which

                            # prints useful network configuration info.

Service = "-zz-sys"         # Prevents execution of zz-sys service, which

                            # prints useful system configuration info.

Service = "-eximstats"      # Prevents execution of eximstats service, which

                            # is a wrapper for the eximstats program.

mailer = "/usr/sbin/sendmail -t"

[root@DB-Server ~]#

Logwatch 并不是以系统服务形式来跑的 ,而是在/etc/cron.daily下生成了一个脚本/etc/cron.daily/0logwatch ,有些版本是一个软链 。如下所示。 当然你也可以在crontab里面设置自己的作业.如果要使用发送邮件功能,你必须提前进行配置。例如,配置sendmail。

logwatch-7.3-9

[root@mynx01 ~]# ls -l /etc/cron.daily/0logwatch

lrwxrwxrwx 1 root root 39 Apr 23  2015 /etc/cron.daily/0logwatch -> /usr/share/logwatch/scripts/logwatch.pl

 

logwatch-7.4.3

[root@DB-Server tmp]# more  /etc/cron.daily/0logwatch

#!/bin/sh

 

#Set logwatch location

LOGWATCH_SCRIPT="/usr/sbin/logwatch"

#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,

#but some are only for the nightly cronrun such as --output mail and should be set here.

#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.

OPTIONS="--output mail"

 

#Call logwatch

$LOGWATCH_SCRIPT $OPTIONS

 

exit 0

[root@DB-Server tmp]# ls -l  /etc/cron.daily/0logwatch

-rwxr-xr-x 1 root root 434 Apr 27 15:09 /etc/cron.daily/0logwatch

[root@DB-Server tmp]#

 

Logwatch的用例介绍

1: 查看logwatch的帮助信息(注意不同版本间的区别)

[root@DB-Server log]# logwatch --help

 

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>]

   [--format <format_type>] [--encode <enconding>] [--numeric]

   [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]

   [--filename <filename>] [--help|--usage] [--version] [--service <name>]

   [--hostformat <host_format type>] [--hostlimit <host1,host2>] [--html_wrap <num_characters>]

 

--detail <level>: Report Detail Level - High, Med, Low or any #.

--logfile <name>: *Name of a logfile definition to report on.

--logdir <name>: Name of default directory where logs are stored.

--service <name>: *Name of a service definition to report on.

--output <output type>: Report Output - stdout [default], mail, file.

--format <formatting>: Report Format - text [default], html.

--encode <encoding>: Enconding to use - none [default], base64.

--mailto <addr>: Mail report to <addr>.

--archives: Use archived log files too.

--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].

--range <range>: Date range: Yesterday, Today, All, Help

                             where help will describe additional options

--numeric: Display addresses numerically rather than symbolically and numerically

           (saves  a  nameserver address-to-name lookup).

--debug <level>: Debug Level - High, Med, Low or any #.

--hostformat: Host Based Report Options - none [default], split, splitmail.

--hostlimit: Limit report to hostname - host1,host2.

--hostname: overwrites hostname

--html_wrap <num_characters>: Default is 80.

--version: Displays current version.

--help: This message.

--usage: Same as --help.

* = Switch can be specified multiple times...

2:Logwatch的使用案例:

perl /usr/share/logwatch/scripts/logwatch.pl

logwatch --service sshd --print

logwatch --detail High --Service All --range All --print

logwatch --detail High --Service All --range All --output stdout

logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /tmp/logwatch.html

注意上面有些版本不能执行,例如logwatch-7.4.3中就没有参数--print,需要用参数--output

[root@MyLinx ~]#  logwatch --service sshd --print  

 

 ################### Logwatch 7.3 (03/24/06) #################### 

        Processing Initiated: Mon Apr 24 08:11:00 2017

        Date Range Processed: yesterday

                              ( 2017-Apr-23 )

                              Period is day.

      Detail Level of Output: 10

              Type of Output: unformatted

           Logfiles for Host: xxx.xxx.xxx

  ################################################################## 

 

 --------------------- SSHD Begin ------------------------ 

 

 Users logging in through sshd:

    xxxxx:

       192.168.xxx.xxx (xxxx): 276 times

    oracle:

       192.168.xxx.xxx (xxxxx): 1 time

 

 

 Received disconnect:

    11: The user disconnected the application

       192.168.xxx.xxx : 276 Time(s)

 

 ---------------------- SSHD End ------------------------- 

 

 

 ###################### Logwatch End ######################### 

 

[root@DB-Server log]# logwatch --detail 10 --range all --service sshd --format text --output file --filename /tmp/logwatch.txt

[root@DB-Server log]# more /tmp/logwatch.txt 

 

 ################### Logwatch 7.4.3 (04/27/16) #################### 

        Processing Initiated: Thu Apr 27 17:17:42 2017

        Date Range Processed: all

        Detail Level of Output: 10

        Type of Output/Format: file / text

        Logfiles for Host: DB-Server.localdomain

 ################################################################## 

 

 --------------------- SSHD Begin ------------------------ 

 

 Couldn't resolve these IPs:

    get253194.gfg1.esquel.com(192.168.103.21): 1 Time(s)

    get253194.gfg1.esquel.com(192.168.103.26): 1 Time(s)

 

 Failed logins from:

    192.168.7.xxx: 1 time

       root/password: 1 time

 

 Users logging in through sshd:

    root:

       192.168.103.15 (xxxxx): 4 times

       192.168.103.21 (xxxxx): 4 times

       192.168.103.22 (xxxxx): 3 times

       192.168.103.26 (xxxxx): 2 times

 

 SFTP subsystem requests: 6 Time(s)

 

 ---------------------- SSHD End ------------------------- 

 

 

 ###################### Logwatch End #########################

Linux Logwatch的学习总结的更多相关文章

  1. Linux随笔-鸟哥Linux基础篇学习总结(全)

    Linux随笔-鸟哥Linux基础篇学习总结(全) 修改Linux系统语系:LANG-en_US,如果我们想让系统默认的语系变成英文的话我们可以修改系统配置文件:/etc/sysconfig/i18n ...

  2. 20135231 —— Linux 基础入门学习

    20135231 何佳 学习计时:共12小时 读书:5 代码:2 作业:2 博客:3 一.学习目标 1. 能够独立安装Linux操作系统 2. 能够熟练使用Linux系统的基本命令 3. 熟练使用Li ...

  3. Linux系统新手学习的11点建议

    随着Linux应用的扩展许多朋友开始接触Linux,根据学习Windwos的经验往往有一些茫然的感觉:不知从何处开始学起.这里介绍学习Linux的一些建议. 一.从基础开始:常常有些朋友在Linux论 ...

  4. Linux进程间通信IPC学习笔记之同步二(SVR4 信号量)

    Linux进程间通信IPC学习笔记之同步二(SVR4 信号量)

  5. Linux进程间通信IPC学习笔记之同步二(Posix 信号量)

    Linux进程间通信IPC学习笔记之同步二(Posix 信号量)

  6. Linux进程间通信IPC学习笔记之消息队列(SVR4)

    Linux进程间通信IPC学习笔记之消息队列(SVR4)

  7. Linux进程间通信IPC学习笔记之有名管道

    基础知识: 有名管道,FIFO先进先出,它是一个单向(半双工)的数据流,不同于管道的是:是最初的Unix IPC形式,可追溯到1973年的Unix第3版.使用其应注意两点: 1)有一个与路径名关联的名 ...

  8. Linux进程间通信IPC学习笔记之管道

    基础知识: 管道是最初的Unix IPC形式,可追溯到1973年的Unix第3版.使用其应注意两点: 1)没有名字: 2)用于共同祖先间的进程通信: 3)读写操作用read和write函数 #incl ...

  9. Linux防火墙iptables学习笔记(三)iptables命令详解和举例[转载]

     Linux防火墙iptables学习笔记(三)iptables命令详解和举例 2008-10-16 23:45:46 转载 网上看到这个配置讲解得还比较易懂,就转过来了,大家一起看下,希望对您工作能 ...

随机推荐

  1. [Swift]LeetCode658. 找到 K 个最接近的元素 | Find K Closest Elements

    Given a sorted array, two integers k and x, find the kclosest elements to x in the array. The result ...

  2. 基于IPV6的数据包分析(更新拓扑加入了linux主机和抓取133icmp包)(第十三组)

    1.拓扑图 2.配置ipv6地址,在拓扑图上对应位置标有对应网段,所在网段的端口按照网段配置,下图以r4为例 3.配置路由表,由于静态路由还要敲ip很麻烦所以使用ospf协议,下图为ospf配置以r5 ...

  3. java基础(十六)----- equals()与hashCode()方法详解 —— 面试必问

    本文将详解 equals()与hashCode()方法 概述 java.lang.Object类中有两个非常重要的方法: public boolean equals(Object obj) publi ...

  4. 使用Genymotion遇到的坑_Genymotion无法启动_unable to start the virtual device

    Genymotion 十分好用,以下是我使用Genymotion碰到的问题及解决办法.目前没有看到网上有完整的解决. 遇到如下图的问题: 这个问题很多人可能回去百度“the virtual devic ...

  5. 命令行分析组件IKende.CLI

    IKende.CLI是一款开源的命令行分解组件,它可以简地把命令行字符转换成命令对象.在编写CLI应用的时候经常要对命令字符进行繁锁的分解和转换工作,而IKende.CLI的存也是为了解决以上问题而产 ...

  6. Asp.Net SignalR Hub类中的操作详解

    Hub类中的操作 在服务端我们要通过Hub类做一系列操作,下面就说说我们都可以做什么操作 客户端的发送消息操作 调用所有的客户端的helloClient方法 Clients.All.helloClie ...

  7. 如何使用kafka增加topic的备份数量,让业务更上一层楼

    本文由云+社区发表 一.困难点 建立topic的时候,可以通过指定参数 --replication-factor 设置备份数量.但是,一旦完成建立topic,则无法通过kafka-topic.sh 或 ...

  8. 一文带你看透kubernetes 容器编排系统

    本文由云+社区发表 作者:turboxu Kubernetes作为容器编排生态圈中重要一员,是Google大规模容器管理系统borg的开源版本实现,吸收借鉴了google过去十年间在生产环境上所学到的 ...

  9. .Net Core SDK 命令介绍

    前言 本篇主要介绍 asp.net core 中,使用 dotnet tools 运行 dotnet run 之后的系统执行过程. 如果你觉得对你有帮助的话,不妨点个[推荐]. 目录 dotnet r ...

  10. 为容器化的 Go 程序搭建 CI

    本文介绍如何使用 Jenkins 的声明式 pipeline 为一个简单的 Golang web 应用搭建 CI 环境.如果你还不太了解 Jenkins 及其声明式 pipeline,请先参考笔者的 ...