Logwatch功能介绍
Logwatch是一款Perl脚本编写的、开源的日志分析工具。它能对原始的日志文件进行解析并转换成结构化格式的文档,也能根据您的使用情况和需求来定制报告。Logwatch的特点是配置简单、监控、分析日志方便,而且可以对某些功能进行定制化。 项目源码位于https://sourceforge.net/projects/logwatch/ 。
LogWatch的官文档介绍:
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Logwatch安装升级
1: 查看是否安装Logwatch组件
[root@DB-Server ~]# rpm -qa | grep logwatchlogwatch-7.3-9.el5_6
2: Logwatch的安装、升级、卸载
2.1.1 Logwatch的RPM安装
[root@DB-Server Server]# rpm -ivh logwatch-7.3-9.el5_6.noarch.rpm warning: logwatch-7.3-9.el5_6.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]package logwatch-7.3-9.el5_6.noarch is already installed
[root@DB-Server Server]# [root@DB-Server Server]# yum install logwatch
2.1.2 Logwatch的源码安装
[root@DB-Server tmp]# tar -xzvf logwatch-7.4.3.tar.gz [root@DB-Server tmp]# cd logwatch-7.4.3[root@DB-Server logwatch-7.4.3]# ./install_logwatch.sh#################################Preparing to install Logwatch
Enter the path to the Logwatch BaseDir [/usr/share/logwatch] :
### Using /usr/share/logwatchEnter the path for the Logwatch ConfigDir [/etc/logwatch] : ### Using /etc/logwatchEnter the dir name to be used for temp files [/var/cache/logwatch] : ### Using /var/cache/logwatchEnter the location of perl [/usr/bin/perl] :
### Using /usr/bin/perlEnter the dir name to used for the manpage [/usr/share/man] : ### Using /usr/share/man### InstallingCreated symlink for /usr/sbin/logwatch Created /etc/cron.daily/0logwatch
2.2 Logwatch的卸载
[root@DB-Server Server]# rpm -e logwatch-7.3-9.el5_6
2.2 Logwatch的升级
[root@DB-Server Server]#rpm -Uvh logwatch***.rpm
Logwatch的配置介绍
Logwatch的配置文件为 /etc/logwatch/conf/logwatch.conf ,初始安装后,这个配置文件是空的。你可以将配置文件的模板拷贝过来,如果不做这一步,就会默认使用/usr/share/logwatch/default.conf/logwatch.conf 这个配置文件。
[root@DB-Server ~]# more /etc/logwatch/conf/logwatch.conf# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)[root@DB-Server ~]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf cp: overwrite `/etc/logwatch/conf/logwatch.conf'? yes
配置的具体参数介绍:
LogDir = /var/log 系统日志或需要分析日志所在路径
TmpDir = /var/cache/logwatch 临时文件位置
Output = stdout 输出格式(stdout 屏幕上显示)
Format = text 输出格式,有text、html选项可以选择
Encode = none 编码格式
MailTo = root 分析结果发送给那些人或邮件组。多个邮箱逗号隔开
MailFrom = Logwatch 邮件的发件人
Range = yesterday 处理什么时候的日志 , 可选项 All(所有) ,Yesterday(昨天) , Today(今天)
Range = "1 hours ago for that hour" Range = "-7 days" Range = "between -7 days and -3 days" Range = "since March 15, 2017" Range = "first Friday in October" Range = "2017/04/15 12:50:15 for that second"Detail = Low 该参数控制着 Logwatch 报告的详细程, 可选项:Low , Med , High 也可以用0-10数字表示
其中High、Med、Low 几个选项分别代表着10、5和0数字。
Service = All 监控所有服务 all
Service = "-httpd" 不监控的服务前面加 “-” , 如 -httpd ,即不监控 httpd 服务 , 可以写多条mailer = "/usr/sbin/sendmail -t" 发送邮件的方式(可以选sendmail,postfix,Qmail)
注意不同版本的Logwatch的参数有所区别,例如如下logwatch-7.3-9与logwatch-7.4.3的对比如下
[root@DB-Server01 ~]# sed -n "/^s*[^# ].*$/p" /usr/share/logwatch/default.conf/logwatch.confLogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = root
MailFrom = Logwatch
Print = No
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.mailer = "sendmail -t"[root@DB-Server ~]# sed -n "/^s*[^# ].*$/p" /etc/logwatch/conf/logwatch.conf LogDir = /var/log
TmpDir = /var/cache/logwatch
Output = stdout
Format = text
Encode = none
MailTo = root
MailFrom = Logwatch
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.mailer = "/usr/sbin/sendmail -t"[root@DB-Server ~]#
Logwatch 并不是以系统服务形式来跑的 ,而是在/etc/cron.daily下生成了一个脚本/etc/cron.daily/0logwatch ,有些版本是一个软链 。如下所示。 当然你也可以在crontab里面设置自己的作业.如果要使用发送邮件功能,你必须提前进行配置。例如,配置sendmail。
logwatch-7.3-9
[root@mynx01 ~]# ls -l /etc/cron.daily/0logwatchlrwxrwxrwx 1 root root 39 Apr 23 2015 /etc/cron.daily/0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
logwatch-7.4.3
[root@DB-Server tmp]# more /etc/cron.daily/0logwatch#!/bin/sh#Set logwatch locationLOGWATCH_SCRIPT="/usr/sbin/logwatch"#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,#but some are only for the nightly cronrun such as --output mail and should be set here.#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.OPTIONS="--output mail"#Call logwatch$LOGWATCH_SCRIPT $OPTIONS
exit 0
[root@DB-Server tmp]# ls -l /etc/cron.daily/0logwatch-rwxr-xr-x 1 root root 434 Apr 27 15:09 /etc/cron.daily/0logwatch
[root@DB-Server tmp]#
Logwatch的用例介绍
1: 查看logwatch的帮助信息(注意不同版本间的区别)
[root@DB-Server log]# logwatch --helpUsage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>]
[--format <format_type>] [--encode <enconding>] [--numeric]
[--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
[--filename <filename>] [--help|--usage] [--version] [--service <name>]
[--hostformat <host_format type>] [--hostlimit <host1,host2>] [--html_wrap <num_characters>]
--detail <level>: Report Detail Level - High, Med, Low or any #.--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.--service <name>: *Name of a service definition to report on.
--output <output type>: Report Output - stdout [default], mail, file.--format <formatting>: Report Format - text [default], html.--encode <encoding>: Enconding to use - none [default], base64.--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].
--range <range>: Date range: Yesterday, Today, All, Help
where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
(saves a nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.--hostformat: Host Based Report Options - none [default], split, splitmail.--hostlimit: Limit report to hostname - host1,host2.
--hostname: overwrites hostname
--html_wrap <num_characters>: Default is 80.
--version: Displays current version.
--help: This message.
--usage: Same as --help.
* = Switch can be specified multiple times...
2:Logwatch的使用案例:
perl /usr/share/logwatch/scripts/logwatch.pl
logwatch --service sshd --print
logwatch --detail High --Service All --range All --print
logwatch --detail High --Service All --range All --output stdout
logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /tmp/logwatch.html
注意上面有些版本不能执行,例如logwatch-7.4.3中就没有参数--print,需要用参数--output
[root@MyLinx ~]# logwatch --service sshd --print ################### Logwatch 7.3 (03/24/06) #################### Processing Initiated: Mon Apr 24 08:11:00 2017
Date Range Processed: yesterday
( 2017-Apr-23 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: xxx.xxx.xxx ################################################################## --------------------- SSHD Begin ------------------------
Users logging in through sshd:xxxxx:
192.168.xxx.xxx (xxxx): 276 times
oracle:
192.168.xxx.xxx (xxxxx): 1 time
Received disconnect:
11: The user disconnected the application
192.168.xxx.xxx : 276 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End ######################### [root@DB-Server log]# logwatch --detail 10 --range all --service sshd --format text --output file --filename /tmp/logwatch.txt[root@DB-Server log]# more /tmp/logwatch.txt ################### Logwatch 7.4.3 (04/27/16) #################### Processing Initiated: Thu Apr 27 17:17:42 2017
Date Range Processed: all
Detail Level of Output: 10
Type of Output/Format: file / text
Logfiles for Host: DB-Server.localdomain ################################################################## --------------------- SSHD Begin ------------------------
Couldn't resolve these IPs:
get253194.gfg1.esquel.com(192.168.103.21): 1 Time(s)
get253194.gfg1.esquel.com(192.168.103.26): 1 Time(s)
Failed logins from:
192.168.7.xxx: 1 time
root/password: 1 time
Users logging in through sshd:root:
192.168.103.15 (xxxxx): 4 times
192.168.103.21 (xxxxx): 4 times
192.168.103.22 (xxxxx): 3 times
192.168.103.26 (xxxxx): 2 times
SFTP subsystem requests: 6 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End #########################