介绍

在维护Linux服务器时,经常需要查看系统中各种服务的日志,以检查服务器的运行状态。 如登陆历史、邮件、软件安装等日志。系统管理员一个个去检查会十分不方便;且大多时 候,这会是一种被动的检查,即只有在发现系统运行异常时才会想到去查看日志以获取异常 的信息。那么如何主动、集中的分析这些日志,并生产报告,定时发送给管理员就会显得十 分重要。LogWatch即提供了这样的功能。

本文即介绍LogWatch的简单使用,更详细的用法请参见Logwatch – a syslog analyzer written in Perl

安装与配置

安装

os kernel

[root@tplat1 ~]# uname -a
Linux tplat1.egolife.net 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 13:35:02 PST 2013 x86_64 x86_64 x86_64 GNU/Linux

yum install

[root@tplat1 ~]# yum install -y logwatch
... ...
================================================================
Installing:
 logwatch            noarch   7.3.6-49.el6     base       297 k
Installing for dependencies:
 perl-Date-Manip     noarch   6.24-1.el6       base       1.3 M
 perl-YAML-Syck      x86_64   1.07-4.el6       base       75 k
... ...

在安装logwatch时,会同时安装依赖包perl-Date-Manip和perl-YAML-Syck。

初次使用

命令帮助

[root@tplat1 ~]# logwatch --help

Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>]
   [--print] [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
   [--save <filename>] [--help] [--version] [--service <name>]
   [--numeric] [--output <output_type>]
   [--splithosts] [--multiemail] [--no-oldfiles-log]

--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--print: Display report to stdout.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--save <filename>: Save to <filename>.
--range <range>: Date range: Yesterday, Today, All, Help
                             where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
           (saves  a  nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--splithosts: Create a report for each host in syslog.
--multiemail: Send each host report in a separate email.  Ignored if 
              not using --splithosts.
--output <output type>: Report Format - mail, html or unformatted#.
--encode: Use base64 encoding on output mail.
--no-oldfiles-log: Suppress the logwatch log, which informs about the
                   old files in logwatch tmpdir.
--version: Displays current version.
--help: This message.
(* = Switch can be specified multiple times...)

从以上帮助,可以看出,LogWatch整个原理就是,LogWatch 首先要知道针对哪一个服务, 从这个服务中得到需要处理的 Log 文件信息, 然后这个文件送给过滤脚本处理, 之后把处 理后格式化的信息展现出。

显示SSH登陆历史

[root@tplat1 ~]# logwatch --service sshd --print

配置

查看logwatch package的主要文件

[root@tplat1 ~]# rpm -ql logwatch
/etc/cron.daily/0logwatch					
/etc/logwatch								
/etc/logwatch/conf
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logfiles
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/etc/logwatch/conf/services
/etc/logwatch/scripts
/etc/logwatch/scripts/services
/usr/sbin/logwatch
/usr/share/doc/logwatch-7.3.6
... ...
/var/cache/logwatch

从以上输出,可以看出logwatch是以cron job的方式定时运行的,默认在/etc/cron.daily 目录下,即每天运行一次。

[root@tplat1 ~]# cat /etc/cron.daily/0logwatch 
#!/bin/bash

DailyReport=`grep -e "^[[:space:]]*DailyReport[[:space:]]*=[[:space:]]*" /usr/share/logwatch/default.conf/logwatch.conf | head -n1 | sed -e "s|^\s*DailyReport\s*=\s*||"`

if [ "$DailyReport" != "No" ] && [ "$DailyReport" != "no" ]
then
    logwatch
fi
[root@tplat1 ~]# 

主要配置文件

[root@tplat1 ~]# tree /etc/logwatch/
/etc/logwatch/
├── conf
│   ├── ignore.conf
│   ├── logfiles
│   ├── logwatch.conf		
│   ├── override.conf
│   └── services
└── scripts
    └── services

5 directories, 3 files
  • logwatch.conf 自定义LogWatch主配置,如报告分析时间,级别,收件人等,默认设置在/usr/share/logwatch/default.conf/logwatch.conf文件中
  • ignore.conf 过滤配置,定义正则表达式,过滤输出报告内容
  • override.conf 覆盖或者重写配置,针对/etc/logwatch/conf/services下自定义的服务
  • conf/services 自定义需分析日志的Service目录,默认支持的Service在/usr/share/logwatch/default.conf/services下。
  • logfiles 定义待分析服务的日志路径,默认配置在/usr/share/logwatch/default.conf/logfiles/下。
  • scripts/services 定义Service的可执行脚本。

邮件通知

[root@tplat1 ~]# less /usr/share/logwatch/default.conf/logwatch.conf
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Print should be set to No to
# enable mail feature.
MailTo = root

LogWatch默认将分析的日志报告发送给本机的root用户,此时要查看则需登陆到服务器上, 使用mail指令查看。

另外,也可以将报告发送到外部邮箱,如[email protected],此时需在服务器上配 置简单的邮件服务,如Postfix,Sendmail,编辑/etc/logwatch/conf/logwatch.conf覆盖 MailTo配置,或者在/etc/aliase中定义账户别名,使root[email protected] 别名,则LogWatch会将日志报告发送给[email protected],这样不用登陆到服务器 就可以查看日志报告了。

小结

LogWatch安装后,基本不用配置即可使用,即可达到主动、集中的分析系统日志,并生产 报告,定时发送给管理员的目的。

更详细的用法请参见Logwatch – a syslog analyzer written in Perl

Reference



blog comments powered by Disqus

Published

21 June 2013

Categories

Tags

Github