I tried installing logwatch, a tool that aggregates the various system logs and prints them in an easy-to-read report.
Logwatch – Browse Files at SourceForge.net
https://sourceforge.net/projects/logwatch/files/
- yum info logwatch
- yum install logwatch
- Configuration file
- Changing the configuration file
- Test run
- Scheduled run
```
# yum info logwatch
Available Packages
Name        : logwatch
Arch        : noarch
Version     : 7.4.0
Release     : 28.20130522svn140.el7
Size        : 400 k
Repo        : base/7/x86_64
Summary     : A log file analysis program
URL         : http://www.logwatch.org/
License     : MIT
Description : Logwatch is a customizable, pluggable log-monitoring system. It will go
            : through your logs for a given period of time and make a report in the areas
            : that you wish with the detail that you wish. Easy to use - works right out
            : of the package on many systems.
```
```
# yum install logwatch
Resolving Dependencies
--> Running transaction check
---> Package logwatch.noarch 0:7.4.0-28.20130522svn140.el7 will be installed
--> Processing Dependency: perl(Sys::MemInfo) for package: logwatch-7.4.0-28.20130522svn140.el7.noarch
--> Processing Dependency: perl(Sys::CPU) for package: logwatch-7.4.0-28.20130522svn140.el7.noarch
--> Processing Dependency: perl(Date::Manip) for package: logwatch-7.4.0-28.20130522svn140.el7.noarch
--> Processing Dependency: mailx for package: logwatch-7.4.0-28.20130522svn140.el7.noarch
--> Running transaction check
---> Package mailx.x86_64 0:12.5-12.el7_0 will be installed
---> Package perl-Date-Manip.noarch 0:6.41-2.el7 will be installed
---> Package perl-Sys-CPU.x86_64 0:0.54-4.el7 will be installed
---> Package perl-Sys-MemInfo.x86_64 0:0.91-7.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================
 Package                  Arch          Version                               Repository       Size
======================================================================================================================
Installing:
 logwatch                 noarch        7.4.0-28.20130522svn140.el7           base            400 k
Installing for dependencies:
 mailx                    x86_64        12.5-12.el7_0                         base            244 k
 perl-Date-Manip          noarch        6.41-2.el7                            base            1.2 M
 perl-Sys-CPU             x86_64        0.54-4.el7                            base             14 k
 perl-Sys-MemInfo         x86_64        0.91-7.el7                            base             15 k

Transaction Summary
======================================================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 1.8 M
Installed size: 14 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): logwatch-7.4.0-28.20130522svn140.el7.noarch.rpm                       | 400 kB  00:00:00
(2/5): mailx-12.5-12.el7_0.x86_64.rpm                                        | 244 kB  00:00:00
(3/5): perl-Sys-CPU-0.54-4.el7.x86_64.rpm                                    |  14 kB  00:00:00
(4/5): perl-Sys-MemInfo-0.91-7.el7.x86_64.rpm                                |  15 kB  00:00:00
(5/5): perl-Date-Manip-6.41-2.el7.noarch.rpm                                 | 1.2 MB  00:00:00
----------------------------------------------------------------------------------------------------------------------
Total                                                               9.7 MB/s | 1.8 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : mailx-12.5-12.el7_0.x86_64                                                      1/5
  Installing : perl-Sys-CPU-0.54-4.el7.x86_64                                                  2/5
  Installing : perl-Date-Manip-6.41-2.el7.noarch                                               3/5
  Installing : perl-Sys-MemInfo-0.91-7.el7.x86_64                                              4/5
  Installing : logwatch-7.4.0-28.20130522svn140.el7.noarch                                     5/5
  Verifying  : logwatch-7.4.0-28.20130522svn140.el7.noarch                                     1/5
  Verifying  : perl-Sys-MemInfo-0.91-7.el7.x86_64                                              2/5
  Verifying  : perl-Date-Manip-6.41-2.el7.noarch                                               3/5
  Verifying  : perl-Sys-CPU-0.54-4.el7.x86_64                                                  4/5
  Verifying  : mailx-12.5-12.el7_0.x86_64                                                      5/5

Installed:
  logwatch.noarch 0:7.4.0-28.20130522svn140.el7

Dependency Installed:
  mailx.x86_64 0:12.5-12.el7_0             perl-Date-Manip.noarch 0:6.41-2.el7      perl-Sys-CPU.x86_64 0:0.54-4.el7
  perl-Sys-MemInfo.x86_64 0:0.91-7.el7

Complete!
```
The default logwatch configuration file is /usr/share/logwatch/default.conf/logwatch.conf.
If you want to change anything, it is probably less confusing to edit /etc/logwatch/conf/logwatch.conf instead, since settings there override the defaults.
The default settings look like this.
```
# cat /etc/logwatch/conf/logwatch.conf
# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)
```
```
# cat /usr/share/logwatch/default.conf/logwatch.conf
########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
#
########################################################

# NOTE:
#   All these options are the defaults if you run logwatch with no
#   command-line arguments.  You can override all of these on the
#   command-line.

# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

#Output/Format Options
#By default Logwatch will print to stdout in text with no encoding.
#To make email Default set Output = mail to save to file set Output = file
Output = stdout
#To make Html the default formatting Format = html
Format = text
#To make Base64 [aka uuencode] Encode = base64
Encode = none

# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = root
# WHen using option --multiemail, it is possible to specify a different
# email recipient per host processed.  For example, to send the report
# for hostname host1 to user@example.com, use:
#Mailto_host1 = user@example.com
# Multiple recipients can be specified by separating them with a space.

# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = Logwatch

# if set, the results will be saved in <filename> instead of mailed
# or displayed. Be sure to set Output = file also.
#Filename = /tmp/logwatch

# Use archives?  If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes.  To turn off Archives uncomment this.
#Archives = No
# Range = All

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low

# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on.  This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages   # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog    # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb        # PAM_pwdb messages - usually quite a bit
#Service = pam             # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option.  This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages.  This will run all the filters that
# process that logfile.  This option is probably not too useful to
# most people.  Setting 'Service' to 'All' above analyzes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like MTA.
# The mailer code prints a header with To: From: and Subject:.
# At this point you can change the mailer to anything that can handle this output
# stream.
# TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "/usr/sbin/sendmail -t"

#
# With this option set to a comma separted list of hostnames, only log entries
# for these particular hosts will be processed.  This can allow a log host to
# process only its own logs, or Logwatch can be run once per a set of hosts
# included in the logfiles.
# Example: HostLimit = hosta,hostb,myhost
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = myhost

# vi: shiftwidth=3 tabstop=3 et
```
The configuration file contains Service = All; the Service option takes the name of a filter file in /usr/share/logwatch/scripts/services/ (or All).
```
# ls /usr/share/logwatch/scripts/services/
afpd           dhcpd             http         netopia           puppet               shaperd       windows
amavis         dnssec            http-error   netscreen         pureftpd             slon          xntpd
arpwatch       dovecot           identd       oidentd           qmail                smartd        yum
audit          dpkg              imapd        openvpn           qmail-pop3d          sonicwall     zypp
automount      emerge            in.qpopper   pam               qmail-pop3ds         spamassassin  zz-disk_space
autorpm        evtapplication    init         pam_pwdb          qmail-send           sshd          zz-fortune
barracuda      evtsecurity       ipop3d       pam_unix          qmail-smtpd          sshd2         zz-network
bfd            evtsystem         iptables     php               raid                 stunnel       zz-runtime
cisco          exim              kernel       pix               resolver             sudo          zz-sys
citadel        eximstats         mailscanner  pluto             rt314                syslog-ng     zz-zfs
clam-update    extreme-networks  mdadm        pop3              samba                syslogd
clamav         fail2ban          modprobe     portsentry        saslauthd            tac_acc
clamav-milter  fetchmail         mountd       postfix           scsi                 up2date
courier        freeradius        mysql        postgresql        secure               vdr
cron           ftpd-messages     mysql-mmm    pound             sendmail             vpopmail
denyhosts      ftpd-xferlog      named        proftpd-messages  sendmail-largeboxes  vsftpd
```
If you write your own service filters, I think they are easier to maintain if you keep them under /etc/logwatch/scripts/services/ rather than mixing them into the packaged directory.
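As an added example (not code from the original post or from the logwatch project), here is what a custom service filter kept under /etc/logwatch/scripts/services/ can look like, together with the service definition file that wires it in. The service name myapp, its log line format and the sample log lines are constructed; the convention that logwatch pipes the selected log lines to the filter on stdin and passes the detail level in the environment variable LOGWATCH_DETAIL_LEVEL is assumed from the shipped filters. The files are written into a temporary directory instead of /etc/logwatch so the example can be run without touching the system.

```shell
#!/bin/sh
# Added example, not part of the original post or of logwatch itself:
# a minimal custom service filter plus the service definition that
# wires it in, installed under a temporary root instead of /etc/logwatch.
#
# Assumptions (hypothetical, not from the page): a service named "myapp"
# whose syslog lines look like
#   Sep 26 10:00:01 host myapp[1234]: ERROR db connection refused
# Logwatch convention assumed here: the filter is an executable that gets
# the selected log lines on stdin and the detail level in the environment
# variable LOGWATCH_DETAIL_LEVEL, and prints nothing when there is
# nothing to report.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/conf/services" "$ROOT/scripts/services"

# Service definition: for real use this is /etc/logwatch/conf/services/myapp.conf
cat > "$ROOT/conf/services/myapp.conf" <<'EOF'
# Title shown in the report and the log-file group to feed to the filter
Title = "MyApp"
LogFile = messages
EOF

# The filter itself: for real use this is /etc/logwatch/scripts/services/myapp (mode 0755)
cat > "$ROOT/scripts/services/myapp" <<'EOF'
#!/bin/sh
detail="${LOGWATCH_DETAIL_LEVEL:-0}"
# keep only our program's lines; field 5 is "myapp[pid]:" in syslog format
lines=$(awk '$5 ~ /^myapp\[[0-9]+\]:$/')
[ -n "$lines" ] || exit 0
echo "Messages by severity:"
printf '%s\n' "$lines" | awk '{ print $6 }' | sort | uniq -c |
    awk '{ printf "   %s: %d\n", $2, $1 }'
# at Med (5) and above, list the distinct ERROR messages with their counts
if [ "$detail" -ge 5 ]; then
    echo "Error details:"
    printf '%s\n' "$lines" |
        awk '$6 == "ERROR" { $1=$2=$3=$4=$5=$6=""; sub(/^ +/, ""); print }' |
        sort | uniq -c | awk '{ c=$1; $1=""; sub(/^ /, ""); printf "   %dx %s\n", c, $0 }'
fi
EOF
chmod 0755 "$ROOT/scripts/services/myapp"

# Constructed sample log lines (one foreign sshd line to show it is ignored)
SAMPLE_LOG='Sep 26 10:00:01 host myapp[1234]: ERROR db connection refused
Sep 26 10:00:02 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
Sep 26 10:01:15 host myapp[1234]: WARN cache miss ratio 0.91
Sep 26 10:02:30 host myapp[1234]: INFO request served
Sep 26 10:03:05 host myapp[1234]: ERROR db connection refused
Sep 26 10:04:00 host myapp[1235]: INFO request served'

# run_filter DETAIL: feed the sample to the filter the way logwatch would
# (invoked through sh so it also works where the temp dir is mounted noexec)
run_filter() {
    printf '%s\n' "$SAMPLE_LOG" | LOGWATCH_DETAIL_LEVEL="$1" sh "$ROOT/scripts/services/myapp"
}

run_filter 10
```

Running it at detail 10 prints the severity counts (ERROR 2, INFO 2, WARN 1) followed by an "Error details" section; at detail 0 only the counts appear, and with no matching lines the filter prints nothing, which is what keeps an empty service out of the daily report.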
For now I changed only the parts I needed.
```
MailTo = logwatch@hogehoge.co.jp
Detail = High
```
Since Output = stdout, the report goes to standard output.
Yesterday's logs are aggregated and printed at the high detail level.
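Because the local file overrides the defaults and Service lines accumulate, it is easy to misjudge what logwatch will actually run. The following added example (not part of the post or of logwatch) resolves the effective MailTo, Detail, Output and service list from a constructed subset of the default file, the override shown above, and a constructed list of filter names, using the parsing rules the default file documents (comments run to end of line, surrounding whitespace is trimmed, keys are case-insensitive).

```shell
#!/bin/sh
# Added example, not from the original post or from logwatch: compute the
# settings logwatch ends up with once /etc/logwatch/conf/logwatch.conf has
# overridden /usr/share/logwatch/default.conf/logwatch.conf.
# All inputs are constructed copies kept in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed subset of the shipped default file (values as in the post)
cat > "$WORK/default.conf" <<'EOF'
# Default Log Directory
LogDir = /var/log
Output = stdout
Format = text
MailTo = root
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network"     # Prevents execution of zz-network service
Service = "-zz-sys"
Service = "-eximstats"
EOF

# The local override from the post
cat > "$WORK/local.conf" <<'EOF'
MailTo = logwatch@hogehoge.co.jp
Detail = High
EOF

# Constructed subset of the filter names in /usr/share/logwatch/scripts/services/
AVAILABLE="cron eximstats sshd sudo yum zz-network zz-sys"

# effective_value KEY FILE...: last assignment wins, files read in order
effective_value() {
    key=$1; shift
    awk -v key="$key" '
        { sub(/#.*/, "") }                       # comments run to end of line
        /=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^["]|["]$/, "", v)             # Service = "-zz-sys" style quoting
            if (tolower(k) == tolower(key)) last = v   # keys are case-insensitive
        }
        END { print last }' "$@"
}

# detail_level WORD: map Low/Med/High to 0/5/10, pass numbers through
detail_level() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        low)  echo 0 ;;
        med)  echo 5 ;;
        high) echo 10 ;;
        *)    echo "$1" ;;
    esac
}

# effective_services "NAMES" FILE...: apply Service = All / -name / name in order
effective_services() {
    avail=$1; shift
    awk -v avail="$avail" '
        BEGIN { n = split(avail, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        { sub(/#.*/, "") }
        /=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^["]|["]$/, "", v)
            if (tolower(k) != "service") next
            if (tolower(v) == "all")            { for (s in have) sel[s] = 1 }
            else if (substr(v, 1, 1) == "-")    { delete sel[substr(v, 2)] }
            else if (v in have)                 { sel[v] = 1 }
            else printf "warning: no filter named %s\n", v > "/dev/stderr"
        }
        END { for (s in sel) print s }' "$@" | sort | tr '\n' ' ' | sed 's/ $//'
}

MAILTO=$(effective_value MailTo "$WORK/default.conf" "$WORK/local.conf")
DETAIL=$(detail_level "$(effective_value Detail "$WORK/default.conf" "$WORK/local.conf")")
OUTPUT=$(effective_value Output "$WORK/default.conf" "$WORK/local.conf")
SERVICES=$(effective_services "$AVAILABLE" "$WORK/default.conf" "$WORK/local.conf")

echo "MailTo   : $MAILTO"
echo "Detail   : $DETAIL"
echo "Output   : $OUTPUT   (mail is only used when --output mail is passed, as the cron job does)"
echo "Services : $SERVICES"
```

With the override in place the result is MailTo logwatch@hogehoge.co.jp, Detail 10, Output still stdout, and the service list reduced to cron sshd sudo yum: the three "-" exclusions from the default file keep applying even though the local file never mentions Service, which is worth remembering when a service you expected is missing from the report.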
```
# logwatch

 ################### Logwatch 7.4.0 (03/01/11) ####################
        Processing Initiated: Wed Sep 27 10:26:19 2016
        Date Range Processed: yesterday
                              ( 2016-Sep-26 )
                              Period is day.
      Detail Level of Output: 10
              Type of Output/Format: stdout / text
           Logfiles for Host: host.hogehoge.co.jp
 ##################################################################
(snip)
```
logwatch is run automatically once a day from cron.
```
# cat /etc/cron.daily/0logwatch
#!/bin/sh

#Set logwatch location
LOGWATCH_SCRIPT="/usr/sbin/logwatch"
#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,
#but some are only for the nightly cronrun such as --output mail and should be set here.
#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.
OPTIONS="--output mail"

#Call logwatch
$LOGWATCH_SCRIPT $OPTIONS

exit 0
```
Run /etc/cron.daily/0logwatch by hand; if the report arrives at the configured mail address, the setup is complete for now.
```
# logwatch --help

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>] [--format <format_type>] [--encode <enconding>] [--numeric] [--no-oldfiles-log] [--mailto <addr>] [--archives] [--range <range>] [--debug <level>] [--filename <filename>] [--help|--usage] [--version] [--service <name>] [--hostformat <host_format type>] [--hostlimit <host1,host2>] [--html_wrap <num_characters>]

--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--output <output type>: Report Output - stdout [default], mail, file.
--format <formatting>: Report Format - text [default], html.
--encode <encoding>: Enconding to use - none [default], base64.
--no-oldfiles-log: Suppress the logwatch log, which informs about the old files in logwatch tmpdir.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].
--range <range>: Date range: Yesterday, Today, All, Help
                             where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
           (saves a nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--hostformat: Host Based Report Options - none [default], split, splitmail.
--hostlimit: Limit report to hostname - host1,host2.
--hostname: overwrites hostname
--html_wrap <num_characters>: Default is 80.
--version: Displays current version.
--help: This message.
--usage: Same as --help.
 * = Switch can be specified multiple times...
```
```
LOGWATCH(8)                                   User Manuals                                   LOGWATCH(8)

NAME
       logwatch - system log analyzer and reporter

SYNOPSIS
       logwatch [--detail level ] [--logfile log-file-group ] [--service service-name ] [--mailto address ]
       [--archives] [--range range ] [--debug level ] [--filename file-name ] [--logdir directory ]
       [--hostlimit hosts ] [--hostname hostname ] [--html_wrap number of characters ]
       [--hostformat host based options ] [--output output-type ] [--format report format ]
       [--encode encoding to use ] [--numeric] [--no-oldfiles-log] [--version] [--help|--usage]

DESCRIPTION
       Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a
       given period of time and make a report in the areas that you wish with the detail that you wish.
       Logwatch is being used for Linux and many types of UNIX.

OPTIONS
       --detail level
              This is the detail level of the report. level can be a positive integer, or high, med, low,
              which correspond to the integers 10, 5, and 0, respectively.

       --logfile log-file-group
              This will force Logwatch to process only the set of logfiles defined by log-file-group
              (i.e. messages, xferlog, ...). Logwatch will therefore process all services that use those
              logfiles. This option can be specified more than once to specify multiple logfile-groups.

       --service service-name
              This will force Logwatch to process only the service specified in service-name (i.e.
              login, pam, identd, ...). Logwatch will therefore also process any log-file-groups
              necessary to process these services. This option can be specified more than once to
              specify multiple services to process. A useful service-name is All which will process all
              services (and logfile-groups) for which you have filters installed.

       --mailto address
              Mail the results to the email address or user specified in address.

       --range range
              You can specify a date-range to process. Common ranges are Yesterday, Today, All, and
              Help. Additional options are listed when invoked with the Help parameter.

       --archives
              Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as archives (i.e.
              /var/log/messages.? or /var/log/messages.?.gz). When used with "--range all", this option
              will make Logwatch search through the archives in addition to the regular logfiles. For
              other values of --range, Logwatch will search the appropriate archived logs.

       --debug level
              For debugging purposes. level can range from 0 to 100. This will really clutter up your
              output. You probably don't want to use this.

       --filename file-name
              Save the output to file-name instead of displaying or mailing it.

       --logdir directory
              Look in directory for log subdirectories or log files instead of the default directory.

       --hostlimit host1,host2
              Limit report to hostname - host1, host2.

       --hostname hostname
              Use hostname for the reports instead of this system's hostname. In addition, if HostLimit
              is set in the logwatch.conf configuration file (see MORE INFORMATION, below), then only
              logs from this hostname will be processed (where appropriate).

       --html_wrap num-characters
              Number of characters that html output should be wrapped to. Default is 80.

       --numeric
              Inhibits additional name lookups, displaying IP addresses numerically.

       --no-oldfiles-log
              Suppress the logwatch log, which informs about the old files in logwatch tmpdir.

       --usage
              Displays usage information

       --help same as --usage.

FILES
       /usr/share/logwatch/
              This directory contains all the perl executables and configuration files shipped with the
              logwatch distribution.

       /etc/logwatch
              This directory contains local configuration files that override the default
              configuration. See MORE INFORMATION below for more information.

EXAMPLES
       logwatch --service ftpd-xferlog --range all --detail high --archives
              This will print out all FTP transfers that are stored in all current and archived
              xferlogs.

       logwatch --service pam_pwdb --range yesterday --detail high
              This will print out login information for the previous day...

MORE INFORMATION
       The directory /usr/share/doc/logwatch-* contains several files with additional documentation:

       HOWTO-Customize-LogWatch
              Documents the directory structure of Logwatch configuration and executable files, and
              describes how to customize Logwatch by overriding these default files.

       LICENSE
              Describes the License under which Logwatch is distributed. Additional clauses may be
              specified in individual files.

       README Describes how to install, where to find it, mailing lists, and other useful information.

AUTHOR
       Kirk Bauer <kirk@kaybee.org>
       http://www.kaybee.org/~kirk
       ftp://ftp.kaybee.org/pub/redhat/RPMS

Linux                                         October 2005                                   LOGWATCH(8)
```