
Logwatch is a pretty simple, but essential application in my server management arsenal.

You can install it directly from the Ubuntu repos, so this will do:

sudo apt-get install logwatch

After it is installed it will automatically set itself to run daily via your cron.daily folder.

Let’s take a look at this file:

sudo nano /etc/cron.daily/00logwatch

As you can see, it's not super complicated. There's a line testing to see if logwatch is still there and then the line executing the “watch” and sending the results. I usually set my “MAILTO” here directly by changing the line to:

/usr/bin/logwatch --output mail --mailto [my e-mail address]

You can change when the daily cron scripts run by editing /etc/crontab

This next part is a bit tricky, however. To get the e-mail alerts working after installation, you need to know that logwatch hides a critical email setting in /usr/share/logwatch/dist.conf/logwatch.conf

Logwatch processes /usr/share/logwatch/dist.conf/logwatch.conf after processing /usr/share/logwatch/default.conf/logwatch.conf, so a value set in the dist.conf file overrides the same setting from default.conf.

Inside the hidden /usr/share/logwatch/dist.conf/logwatch.conf are three vital config lines:

mailer = "/usr/sbin/sendmail -t"
TmpDir = /tmp
MailFrom = root

My mails kept getting dropped from my mailhub because they were being sent from “root@mydomain.com” instead of the address I had set in the --mailto argument above. After finding this tip, logwatch was set and ready to go.
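To see which of the layered files actually supplies a setting such as MailFrom, a small helper can walk the files in processing order and report the last one that sets the key. This is an added example, not part of logwatch; the function name effective_setting is hypothetical, the demo files are constructed, and key names are assumed to be matched case-insensitively.

```shell
#!/bin/sh
# Added example: find which layered logwatch.conf sets a key last.
# On a real system, pass the two files named above in processing order:
#   default.conf/logwatch.conf first, then dist.conf/logwatch.conf.

# effective_setting KEY FILE...
# Prints "<value> (from <file>)"; returns 1 if no file sets KEY.
effective_setting() {
    key=$1; shift
    value=""; origin=""
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        # Skip comment lines, split on the first "=", trim blanks and
        # surrounding quotes, keep the last assignment in this file.
        # Key names compared case-insensitively (assumption).
        found=$(awk -v want="$key" '
            /^[ \t]*#/ { next }
            {
                eq = index($0, "=")
                if (eq == 0) next
                name = substr($0, 1, eq - 1)
                val  = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/^"|"$/, "", val)
                if (tolower(name) == tolower(want)) { last = val; hit = 1 }
            }
            END { if (hit) print "=" last }
        ' "$conf")
        if [ -n "$found" ]; then
            value=${found#=}; origin=$conf   # later file overrides earlier
        fi
    done
    [ -n "$origin" ] || return 1
    printf '%s (from %s)\n' "$value" "$origin"
}

# Demo on constructed files (sample contents, not copied from a system).
demo=$(mktemp -d)
printf 'MailFrom = Logwatch\nTmpDir = /var/cache/logwatch\n' > "$demo/default.conf"
printf 'mailer = "/usr/sbin/sendmail -t"\nTmpDir = /tmp\nMailFrom = root\n' > "$demo/dist.conf"
for k in mailer TmpDir MailFrom; do
    printf '%s: ' "$k"
    effective_setting "$k" "$demo/default.conf" "$demo/dist.conf"
done
rm -rf "$demo"
```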

You can obviously have it run less often than 'daily', just be sure to actually check out the reports it generates! There are often high impact, quick fixes in there.