Study notes on Linux Logwatch
Logwatch feature overview
Logwatch is an open-source log analysis tool written as a set of Perl scripts. It parses raw log files and turns them into a structured report, and the report can be tailored to your environment and needs. Logwatch is simple to configure, makes monitoring and analysing logs convenient, and lets you customise some of its functions. The project source is at https://sourceforge.net/projects/logwatch/ .
The official Logwatch documentation describes it as:
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Installing and upgrading Logwatch
1: Check whether the Logwatch package is installed
[root@DB-Server ~]# rpm -qa | grep logwatch
logwatch-7.3-9.el5_6
2: Installing, upgrading and uninstalling Logwatch
2.1.1 Installing Logwatch from RPM
[root@DB-Server Server]# rpm -ivh logwatch-7.3-9.el5_6.noarch.rpm
warning: logwatch-7.3-9.el5_6.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
package logwatch-7.3-9.el5_6.noarch is already installed
[root@DB-Server Server]#
[root@DB-Server Server]# yum install logwatch
2.1.2 Installing Logwatch from source
[root@DB-Server tmp]# tar -xzvf logwatch-7.4.3.tar.gz
[root@DB-Server tmp]# cd logwatch-7.4.3
[root@DB-Server logwatch-7.4.3]# ./install_logwatch.sh
#################################
Preparing to install Logwatch
Enter the path to the Logwatch BaseDir [/usr/share/logwatch] :
### Using /usr/share/logwatch
Enter the path for the Logwatch ConfigDir [/etc/logwatch] :
### Using /etc/logwatch
Enter the dir name to be used for temp files [/var/cache/logwatch] :
### Using /var/cache/logwatch
Enter the location of perl [/usr/bin/perl] :
### Using /usr/bin/perl
Enter the dir name to used for the manpage [/usr/share/man] :
### Using /usr/share/man
### Installing
Created symlink for /usr/sbin/logwatch
Created /etc/cron.daily/0logwatch
2.2 Uninstalling Logwatch
[root@DB-Server Server]# rpm -e logwatch-7.3-9.el5_6
2.3 Upgrading Logwatch
[root@DB-Server Server]# rpm -Uvh logwatch***.rpm
Logwatch configuration
Logwatch's configuration file is /etc/logwatch/conf/logwatch.conf; after a fresh install this file is empty. You can copy the template configuration file over it; if you skip this step, the defaults in /usr/share/logwatch/default.conf/logwatch.conf are used.
[root@DB-Server ~]# more /etc/logwatch/conf/logwatch.conf
# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)
[root@DB-Server ~]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite `/etc/logwatch/conf/logwatch.conf'? yes
The individual configuration parameters:
LogDir = /var/log    Directory containing the system logs (or whichever logs are to be analysed)
TmpDir = /var/cache/logwatch    Location for temporary files
Output = stdout    Output destination (stdout prints the report to the screen)
Format = text    Output format; text or html
Encode = none    Encoding of the output
MailTo = root    Recipients (users or mail groups) of the report; separate multiple addresses with commas
MailFrom = Logwatch    Sender address of the report mail
Range = yesterday    Which period of logs to process; options include All, Yesterday and Today, for example:
Range = "1 hours ago for that hour"
Range = "-7 days"
Range = "between -7 days and -3 days"
Range = "since March 15, 2017"
Range = "first Friday in October"
Range = "2017/04/15 12:50:15 for that second"
Detail = Low    Controls how detailed the Logwatch report is; options are Low, Med and High, or a number from 0 to 10
High, Med and Low correspond to 10, 5 and 0 respectively.
Service = All    Monitor all services
Service = "-httpd"    Prefix a service name with "-" to exclude it; -httpd, for example, excludes the httpd service. Multiple such lines are allowed
mailer = "/usr/sbin/sendmail -t"    Command used to send the mail (sendmail, postfix or Qmail can be used)
Note that the parameters differ between Logwatch versions; for example, logwatch-7.3-9 and logwatch-7.4.3 compare as follows:
[root@DB-Server01 ~]# sed -n "/^\s*[^#\t].*$/p" /usr/share/logwatch/default.conf/logwatch.conf
LogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = root
MailFrom = Logwatch
Print = No
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
mailer = "sendmail -t"
[root@DB-Server ~]# sed -n "/^\s*[^#\t].*$/p" /etc/logwatch/conf/logwatch.conf
LogDir = /var/log
TmpDir = /var/cache/logwatch
Output = stdout
Format = text
Encode = none
MailTo = root
MailFrom = Logwatch
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
mailer = "/usr/sbin/sendmail -t"
[root@DB-Server ~]#
Logwatch does not run as a system service; instead the installation places a script, /etc/cron.daily/0logwatch, under /etc/cron.daily (in some versions it is a symbolic link), as shown below. You can of course also schedule your own job in crontab. To use the mail feature you must configure a mailer beforehand, for example sendmail.
logwatch-7.3-9
[root@mynx01 ~]# ls -l /etc/cron.daily/0logwatch
lrwxrwxrwx 1 root root 39 Apr 23 2015 /etc/cron.daily/0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
logwatch-7.4.3
[root@DB-Server tmp]# more /etc/cron.daily/0logwatch
#!/bin/sh
#Set logwatch location
LOGWATCH_SCRIPT="/usr/sbin/logwatch"
#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,
#but some are only for the nightly cronrun such as --output mail and should be set here.
#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.
OPTIONS="--output mail"
#Call logwatch
$LOGWATCH_SCRIPT $OPTIONS
exit 0
[root@DB-Server tmp]# ls -l /etc/cron.daily/0logwatch
-rwxr-xr-x 1 root root 434 Apr 27 15:09 /etc/cron.daily/0logwatch
[root@DB-Server tmp]#
Logwatch usage
1: Display logwatch's help (note the differences between versions)
[root@DB-Server log]# logwatch --help
Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>]
[--format <format_type>] [--encode <enconding>] [--numeric]
[--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
[--filename <filename>] [--help|--usage] [--version] [--service <name>]
[--hostformat <host_format type>] [--hostlimit <host1,host2>] [--html_wrap <num_characters>]
--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--output <output type>: Report Output - stdout [default], mail, file.
--format <formatting>: Report Format - text [default], html.
--encode <encoding>: Enconding to use - none [default], base64.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].
--range <range>: Date range: Yesterday, Today, All, Help
where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
(saves a nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--hostformat: Host Based Report Options - none [default], split, splitmail.
--hostlimit: Limit report to hostname - host1,host2.
--hostname: overwrites hostname
--html_wrap <num_characters>: Default is 80.
--version: Displays current version.
--help: This message.
--usage: Same as --help.
* = Switch can be specified multiple times...
2: Example Logwatch commands:
perl /usr/share/logwatch/scripts/logwatch.pl
logwatch --service sshd --print
logwatch --detail High --Service All --range All --print
logwatch --detail High --Service All --range All --output stdout
logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /tmp/logwatch.html
Note that some of the commands above do not work on every version; for example, logwatch-7.4.3 has no --print option, and --output must be used instead.
[root@MyLinx ~]# logwatch --service sshd --print
################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Mon Apr 24 08:11:00 2017
Date Range Processed: yesterday
( 2017-Apr-23 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: xxx.xxx.xxx
##################################################################
--------------------- SSHD Begin ------------------------
Users logging in through sshd:
xxxxx:
192.168.xxx.xxx (xxxx): 276 times
oracle:
192.168.xxx.xxx (xxxxx): 1 time
Received disconnect:
11: The user disconnected the application
192.168.xxx.xxx : 276 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End #########################
[root@DB-Server log]# logwatch --detail 10 --range all --service sshd --format text --output file --filename /tmp/logwatch.txt
[root@DB-Server log]# more /tmp/logwatch.txt
################### Logwatch 7.4.3 (04/27/16) ####################
Processing Initiated: Thu Apr 27 17:17:42 2017
Date Range Processed: all
Detail Level of Output: 10
Type of Output/Format: file / text
Logfiles for Host: DB-Server.localdomain
##################################################################
--------------------- SSHD Begin ------------------------
Couldn't resolve these IPs:
get253194.gfg1.esquel.com(192.168.103.21): 1 Time(s)
get253194.gfg1.esquel.com(192.168.103.26): 1 Time(s)
Failed logins from:
192.168.7.xxx: 1 time
root/password: 1 time
Users logging in through sshd:
root:
192.168.103.15 (xxxxx): 4 times
192.168.103.21 (xxxxx): 4 times
192.168.103.22 (xxxxx): 3 times
192.168.103.26 (xxxxx): 2 times
SFTP subsystem requests: 6 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End #########################
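The SSHD section above is the part of the nightly report most worth acting on. The following is an added example, not code from the original post or from the Logwatch project: it parses the "Failed logins from:" and "Users logging in through sshd:" blocks of a Logwatch text report and raises alerts when a source exceeds a failed-login threshold or root logs in from an address outside an allow-list. The sample report, the threshold and the allow-list are constructed for illustration.

```python
import re
# Constructed sample, modelled on the Logwatch 7.4.3 SSHD section shown above.
SAMPLE_REPORT = """\
 --------------------- SSHD Begin ------------------------
 Failed logins from:
    192.168.7.50: 3 times
       root/password: 3 times
 Users logging in through sshd:
    root:
       192.168.103.15 (host15): 4 times
       192.168.103.21 (host21): 4 times
    oracle:
       192.168.103.26 (host26): 1 time

 SFTP subsystem requests: 6 Time(s)
 ---------------------- SSHD End -------------------------
"""
IP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))?: (\d+) [Tt]ime")
USER_LINE = re.compile(r"^\s*([^\s:/]+):\s*$")  # e.g. "    root:"
HEADINGS = {"Failed logins from:": "failed", "Users logging in through sshd:": "logins"}

def sshd_section(report):
    m = re.search(r"-+ SSHD Begin -+\n(.*?)\n\s*-+ SSHD End -+", report, re.S)
    return m.group(1).splitlines() if m else []   # [] when the section is absent
def parse_sshd(report):
    """Return (failed, logins): failed = {src IP: count}, logins = {user: {src IP: count}}."""
    failed, logins = {}, {}
    block, head_indent, user = None, 0, None
    for line in filter(str.strip, sshd_section(report)):   # skip blank lines
        text, indent = line.strip(), len(line) - len(line.lstrip())
        m = IP_LINE.match(line)
        if text in HEADINGS:                  # start of a sub-report we understand
            block, head_indent, user = HEADINGS[text], indent, None
        elif indent <= head_indent:           # back at heading level: another sub-report
            block = None
        elif block == "failed" and m:
            failed[m.group(1)] = failed.get(m.group(1), 0) + int(m.group(2))
        elif block == "logins" and m and user:
            logins.setdefault(user, {})[m.group(1)] = int(m.group(2))
        elif block == "logins" and USER_LINE.match(line):
            user = USER_LINE.match(line).group(1)
    return failed, logins

def suspicious(report, max_failed=2, root_allowlist=frozenset()):
    """One alert per source over the failed-login threshold and per root login from an unlisted source."""
    failed, logins = parse_sshd(report)
    alerts = [f"{n} failed logins from {ip}" for ip, n in failed.items() if n > max_failed]
    alerts += [f"root login from unlisted source {ip}"
               for ip in logins.get("root", {}) if ip not in root_allowlist]
    return alerts
```

Feed it the file written by `--output file --filename /tmp/logwatch.txt` (as in the command above) from a cron job and forward any non-empty alert list to your monitoring channel.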