Logwatch and Logrotate Configuration in Debian
When you look after a group of machines it becomes increasingly difficult to watch the logfiles to see if anything suspicious is happening.
Enter logwatch, a simple Perl script which keeps an eye on all the common logfiles syslog produces and mails you a summary.
The summaries are simple enough to read and are sent by email once a day. They show things like available disk space, logins, rejected logins, commands run by users via sudo and more.
Installing Logwatch in Debian
# apt-get install logwatch
Follow the on-screen instructions.
The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of them. Logrotate allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file reaches a certain size. Normally, logrotate runs as a daily cron job.
Installing Logrotate in Debian
# apt-get install logrotate
The most obvious package which uses logrotate is Apache, the webserver, which by default keeps its logfiles in the directory /var/log/apache2.
If you examine this directory you will see that there are a bunch of logfiles which are archived:
root@test:~# ls -1 /var/log/apache2/
Here the current logfiles access.log and error.log are kept raw, as are yesterday's logfiles (access.log.1 and error.log.1). Previous logfiles are compressed with gzip and only kept for five weeks.
The process that is in charge of compressing and rotating these logfiles is called logrotate, and on Debian installations it is executed once per day.
Logrotate runs are scheduled using cron. In /etc there is a folder called /etc/cron.daily which contains scripts that are executed once per day. Here you will find the logrotate driver script.
Every day this script runs and examines two things: the main configuration file /etc/logrotate.conf and the directory /etc/logrotate.d.
This directory contains configuration files which other packages have installed. For example, if you install apache2 the file /etc/logrotate.d/apache2 will be installed.
Many servers, such as the Postfix mailserver, will install their own configuration file, and you can add your own.
A typical logrotate configuration file looks like this:
/var/log/apache2/*.log {
    weekly
    rotate 5
    compress
    delaycompress
    notifempty
    create 640 root adm
    postrotate
        if [ -f /var/run/apache.pid ]; then
            /etc/init.d/apache restart > /dev/null
        fi
    endscript
}
You can see several important things here. The most obvious is the list of files that will be matched by this configuration file: /var/log/apache2/*.log.
After this we have a collection of configuration terms, a different one on each line. In the example above we have the rotation interval (weekly), the number of old logs to keep, compression, the notifempty condition, the create directive with the mode and ownership of the new file, and a postrotate ... endscript block that is run after the rotation.
The upshot of this script is that any file which matches /var/log/apache2/*.log is rotated every week and compressed, provided it is non-empty. The new file is created with file mode 640, and after the rotation has finished the web server is restarted.
If we wish to install a local service which creates a logfile we can have it rotated very easily, just by adding a new logrotate configuration file.
Assuming we have a new service "web" which produces its output in /var/log/web/output.log, we can have this rotated every day with a configuration file like this:
/var/log/web/output.log {
    daily
    create 640 web web
}
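To see how such a stanza is read, here is an added example (not code from the original page): a small Python parser for logrotate's stanza syntax, with an audit pass that flags create modes which would let other users read or write the freshly created log. The sample input is constructed from the two stanzas discussed above plus a deliberately over-permissive one.

```python
# Constructed input (not from the page): the Apache stanza from the text plus
# a deliberately over-permissive stanza that the audit should flag.
SAMPLE = """\
/var/log/apache2/*.log {
    weekly
    compress
    create 640 root adm
    postrotate
        if [ -f /var/run/apache.pid ]; then
            /etc/init.d/apache restart > /dev/null
        fi
    endscript
}
/var/log/web/output.log {
    create 0666 web web
}
"""

def new_stanza(patterns):
    return {"patterns": patterns, "directives": {}, "scripts": {}}

def parse(text):
    """Parse logrotate syntax into (global stanza, list of per-file stanzas)."""
    top = new_stanza([])                  # directives outside any { } block
    stanzas, cur, script = [], top, None
    for raw in text.splitlines():
        line = raw.replace("\t", " ").strip()
        if not line or line.startswith("#"):
            continue
        if script is not None:            # inside postrotate ... endscript
            if line == "endscript":
                script = None
            else:
                cur["scripts"][script].append(line)
        elif line.endswith("{"):          # "/var/log/x/*.log {" opens a stanza
            cur = new_stanza(line[:-1].split())
        elif line == "}":
            stanzas.append(cur)
            cur = top
        elif line in ("prerotate", "postrotate", "firstaction", "lastaction"):
            script, cur["scripts"][line] = line, []
        else:                             # "create 640 root adm" -> key, value
            key, _, value = line.partition(" ")
            cur["directives"][key] = value.strip()
    return top, stanzas

def audit(stanzas):
    """Flag 'create' modes with o+r, g+w or o+w set on the new log file."""
    findings = []
    for s in stanzas:
        mode = s["directives"].get("create", "").split()[:1]
        if mode and int(mode[0], 8) & 0o026:
            findings.append((" ".join(s["patterns"]), "create mode %s too permissive" % mode[0]))
    return findings
```

Running audit(parse(SAMPLE)[1]) reports only the second stanza; the Apache stanza's 640 mode keeps the log readable by root and the adm group only.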
The default /etc/logrotate.conf file is as follows:
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
# system-specific logs may be configured here