
logwatch: Practical log summaries for Linux
Logwatch is a handy tool that scans and summarizes logs from many services (such as apache, pam_unix, sshd, and more) into a concise daily report. It’s especially useful when you want a quick overview without sifting through dozens of log files.
Quick start
If you just want a brief, no-frills summary of today’s logs, run:
logwatch
This prints a report for the current day with default detail and all services. It’s a good starting point to see the default format.
If you’re on a system that uses a retained or rotated log setup, you may want to specify a date range or a service.
Range and detail basics
- Analyze logs for a range of dates at a certain level of detail:
logwatch --range yesterday --detail low
- Other range options: today, all, help
logwatch --range all --detail medium
- Detail levels: low, medium, high (some distros accept additional values; check your local documentation)
logwatch --range today --detail high
Common pitfall: too much detail
If you set detail to high for a long range, the report can be large and noisy. Start with low or medium and narrow the range.
Restricting to a service
If you only care about a specific service (e.g., apache or pam_unix), filter the report:
logwatch --range all --service apache
You can combine range and service:
logwatch --range yesterday --service sshd
Note: The set of available services depends on what log files your distro uses and what logwatch supports out of the box.
Output formats and locations
- By default, logwatch prints to standard output and to a report file in /var/log. Some installations place a summary in /var/log/messages or /var/log/syslog.
- You can send the report to email or a file depending on your configuration:
logwatch --range today --detail low --mailto user@example.com
If you want to generate a standalone report file, you can redirect the output:
logwatch --range today --detail low > ~/logwatch_today.txt
Practical usage examples
- Quick daily overview for all services:
logwatch --range today --detail low
- Focus on SSH activity yesterday with medium detail:
logwatch --range yesterday --service sshd --detail medium
- Full system view for the past week (beware of large outputs):
logwatch --range all --detail high
How logwatch works (brief)
- It scans multiple log files (syslog, auth.log, messages, apache logs, etc.).
- It aggregates events per service and per category (security, authentication, errors, etc.).
- It formats a readable report with a header, per-service sections, and a summary.
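The aggregation step above, shown on a constructed sample of sshd lines, as an added example that is not logwatch's own code: it counts accepted and failed logins per service and breaks failures down by source, which is roughly what logwatch's sshd section reports. The log lines, hosts, users and addresses are invented for the example.

```shell
#!/bin/sh
# Constructed sample in syslog format (the format logwatch's sshd service reads).
# Everything below is invented for this example; the cron line shows that
# unrelated services are ignored by the sshd aggregation.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 06:12:01 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 06:15:44 host1 sshd[2155]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 06:15:49 host1 sshd[2155]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 06:16:03 host1 sshd[2160]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Mar  3 07:02:11 host1 sshd[2300]: Accepted password for bob from 192.0.2.11 port 51800 ssh2
Mar  3 07:30:00 host1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Count sshd events of one kind ("Accepted" or "Failed") in a log file.
# Only lines tagged sshd[<pid>] are considered, so other services do not leak in.
count_sshd() {  # usage: count_sshd <Accepted|Failed> <logfile>
    grep -c "sshd\[[0-9]*\]: $1 " "$2"
}

# Per-source breakdown of failed password attempts: "<count> <address>", busiest first.
failed_by_source() {  # usage: failed_by_source <logfile>
    grep "sshd\[[0-9]*\]: Failed password" "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Render a logwatch-style section: header, per-category counts, then top sources.
sshd_section() {  # usage: sshd_section <logfile>
    printf '%s\n' '--------------------- sshd (example) ---------------------'
    printf 'Accepted logins: %s\n' "$(count_sshd Accepted "$1")"
    printf 'Failed logins:   %s\n' "$(count_sshd Failed "$1")"
    printf 'Failed logins by source:\n'
    failed_by_source "$1" | while read -r n ip; do
        printf '   %s: %s time(s)\n' "$ip" "$n"
    done
}

sshd_section "$SAMPLE_LOG"
```

A real report would be driven by the date range and detail level; this block only shows the per-service counting that sits behind a section of the output.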
Common pitfalls
- Not installing the right logwatch packages: Some distros split logwatch into multiple packages; you may need logwatch, logwatchx, or logwatch-mails to enable email output.
- Default config differences: Behavior varies by distro. If you don’t see expected services, check /etc/logwatch/conf and related config files.
- Large outputs: For broad ranges or high detail, reports can be lengthy. Use --range with a narrower window first.
- Missing mail setup: If --mailto or email output isn't configured, you may not receive the report. Verify your MTA or use --mailto with a reachable address.
Quick troubleshooting tips
- Verify log files exist and are readable by the user running logwatch.
- Check the logwatch config in /etc/logwatch/ to see which services are enabled by default.
- Run with --debug or --locale to see how logwatch parses logs on your system.
When to use logwatch
- Regular health checks: daily summary emails help catch anomalies.
- Post-incident review: quickly see what happened around a problem without parsing all logs manually.
- On servers with many services: a single consolidated view beats opening dozens of log files individually.
Summary
Logwatch is a pragmatic tool for turning verbose log files into readable, focused reports. Start with a simple range and detail, then narrow by service as needed. With a couple of adjustments, it becomes a valuable daily companion for Linux administrators.