This how-to explains how to install and configure Logwatch 7.4.0 on CentOS 6 running Virtualmin, and how to configure mail output to an email address, disable monitoring of unneeded services, and debug and fix MySQL and HTTP error checking:
1. Install Logwatch 7.4.0, as this has built-in MySQL, PHP and HTTP error logging
2. Basic Configurations and Mail to Email
3. Disable unneeded service monitoring
4. Enable MySQL PHP and HTTP-Error log monitoring
1. Install Logwatch 7.4.0, as this has built-in MySQL, PHP and HTTP error logging
Download the RPM:
wget http://downloads.sourceforge.net/project/logwatch/logwatch-7.4.0/logwatch-7.4.0-1.noarch.rpm
Install it:
rpm -Uvh logwatch-7.4.0-1.noarch.rpm
or I like to use
yum install logwatch-7.4.0-1.noarch.rpm
If you don't need MySQL, PHP or HTTP error log checking, you can just install version 7.3 by using
yum install logwatch
This will install Logwatch and also create a cronjob in the /etc/cron.daily folder.
2. Basic Configurations and Mail to Email
Now, we need to change a couple of settings within the Logwatch configuration file.
The file is located at /usr/share/logwatch/default.conf/logwatch.conf. Using your text editor open the configuration file and find the following:
vim /usr/share/logwatch/default.conf/logwatch.conf
Find and change:
Output = stdout
to
Output = mail
and
MailTo = root
to
MailTo = [email protected]
You can also change the Range or Detail levels:
Range = Yesterday
to All, Today or Yesterday, but Yesterday should work best
Detail = Low
to Low (0), Med (5) or High (10)
3. Disable unneeded service monitoring
Now we need to disable some unneeded service monitoring – we can do this only if we have the Service setting set to All like so:
Service = All
To disable the monitoring of some services simply add this below that line to disable postfix:
Service = "-postfix"
or clamav for example
Service = "-clamav"
4. Enable MySQL PHP and HTTP-Error log monitoring
This step took me a while to get working on CentOS 6 but here is how to do it.
First test if logwatch is working by simply running
logwatch
Check your email to see what output you get. If everything works you can skip the rest!
If you are missing the MySQL and HTTP-Error outputs:
You can run this command to get a more detailed email and some debug info.
logwatch --detail high --range all --debug 5
This command is also good for debugging specific services
logwatch --detail high --service http-error --range yesterday --debug 5
Run these commands and check the debug output in the terminal, then check your email to see the emailed output.
You can also feed a specific log file to a specific service script to see if it's working:
cat /var/log/mysqld.log | perl /usr/share/logwatch/scripts/services/mysql
On my CentOS 6 I could not get any MySQL or HTTP-Error outputs, so this is how I went about fixing it.
1. Run a specific service with the specific log file to see if it's working:
cat /var/log/mysqld.log | perl mysql
I got this error
Can't locate Logwatch.pm in @INC (@INC contains: /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 .) at mysql line 30.
BEGIN failed--compilation aborted at mysql line 30.
A simple symbolic link fixed that issue:
ln -s /usr/share/logwatch/lib/Logwatch.pm /usr/local/lib/perl5/Logwatch.pm
After that the command would give me a nice output with some errors:
cat /var/log/mysqld.log | perl mysql
Errors:
11 times:
[120310 03:43:11 ±1 day(s)] Could not use /var/log/mysql/slow-queries.log for logging (error 2). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.
2. Then we need to run this command to debug and check the specific services
logwatch --detail high --service mysql --range all --debug 5
I got this output
export LOGWATCH_DATE_RANGE='all'
export LOGWATCH_GLOBAL_DETAIL='10'
export LOGWATCH_OUTPUT_TYPE='mail'
export LOGWATCH_FORMAT_TYPE='text'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
export LOGWATCH_DEBUG='5'
This meant that it did not process the log files: there is no "Preprocessing LogFile" or "Processing Service" line after the exports.
To fix this we need to fix the logfile location for MySQL
vim /usr/share/logwatch/default.conf/logfiles/mysql.conf
Change the path to your specific MySQL error log path
i.e. /var/log/mysqld.log
After we fix that we can run the command again and see that it's working. You should also get a nice email with the MySQL error output.
logwatch --detail high --service mysql --range all --debug 5
You should see this output:
export LOGWATCH_DATE_RANGE='all'
export LOGWATCH_GLOBAL_DETAIL='10'
export LOGWATCH_OUTPUT_TYPE='mail'
export LOGWATCH_FORMAT_TYPE='text'
export LOGWATCH_TEMP_DIR='/var/cache/logwatch/logwatch.jApI_bRi/'
export LOGWATCH_DEBUG='5'
Preprocessing LogFile: mysql
'/var/log/mysqld.log' | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''>/var/cache/logwatch/logwatch.jApI_bRi/mysql
Processing Service: mysql
( cat /var/cache/logwatch/logwatch.jApI_bRi/mysql | /usr/bin/perl /usr/share/logwatch/scripts/services/mysql) 2>&1
For the HTTP-Error service there was a different fix:
When we ran:
logwatch --detail high --service http-error --range all --debug 5
We would see:
Preprocessing LogFile: http-error
BUT NOT!!!
Processing Service: http-error
To fix this I had to remove *ApplyhttpDate from /usr/share/logwatch/default.conf/logfiles/http-error.conf
vim /usr/share/logwatch/default.conf/logfiles/http-error.conf
and comment out the *ApplyhttpDate line at the bottom like so
# Keep only the lines in the proper date range...
#*ApplyhttpDate
Now the HTTP-Error Service would give me the correct debug output and a nice email.
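Added example (not part of the original post): a small shell helper that tells the two failure modes above apart from the debug output, i.e. no "Preprocessing LogFile" line at all (the MySQL case) versus a "Preprocessing LogFile" line with no "Processing Service" line (the HTTP-Error case). The function names classify_debug and hint are hypothetical, and the sample inputs are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: classify `logwatch --debug 5` output for one service.
# classify_debug and hint are hypothetical helper names; the two marker
# lines they look for are the ones shown in the debug output above.
# On a real host:
#   logwatch --detail high --service mysql --range all --debug 5 | classify_debug mysql mysql

# classify_debug GROUP SERVICE -- reads the debug output on stdin.
classify_debug() {
    group=$1; service=$2
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -Eq "^Preprocessing LogFile: ${group}( |\$)"; then
        echo "no-logfile"          # logfile group was never read
    elif ! printf '%s\n' "$out" | grep -Eq "^Processing Service: ${service}( |\$)"; then
        echo "preprocessed-only"   # read, but the service script never ran
    else
        echo "ok"
    fi
}

# hint STATUS GROUP -- where the fixes above were made for each status.
hint() {
    conf="/usr/share/logwatch/default.conf/logfiles/$2.conf"
    case $1 in
        no-logfile)        echo "check the log file path in $conf" ;;
        preprocessed-only) echo "check the date filter (*ApplyhttpDate) in $conf" ;;
        ok)                echo "service script ran; check the mailed report" ;;
    esac
}

# Constructed samples, modelled on the debug output quoted above.
SAMPLE_NO_LOGFILE="export LOGWATCH_DEBUG='5'"
SAMPLE_PRE_ONLY=$(cat <<'EOF'
export LOGWATCH_DEBUG='5'
Preprocessing LogFile: http-error
EOF
)
SAMPLE_OK=$(cat <<'EOF'
export LOGWATCH_DEBUG='5'
Preprocessing LogFile: mysql
'/var/log/mysqld.log' | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''
Processing Service: mysql
( cat /var/cache/logwatch/logwatch.jApI_bRi/mysql | /usr/bin/perl /usr/share/logwatch/scripts/services/mysql) 2>&1
EOF
)

# Demo on the constructed http-error sample.
status=$(printf '%s\n' "$SAMPLE_PRE_ONLY" | classify_debug http-error http-error)
echo "http-error: $status -> $(hint "$status" http-error)"
```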
That's it! Everything should work! You can also use these instructions to debug and fix all the related services!
Some nice info:
http://mbaierl.com/2009/03/logwatch-for-php-errors-the-apache-error-log-and-mysql.html
After too much searching and trying I figured out my issue to be the error log format on apache 2.4 was not compatible with the filters logwatch was trying to use. I was able to apply a custom log format to get back to something similar that was on apache 2.2:
ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
thank you, excellent tutorial
Glad I could help with your Logwatch CentOS needs!
great
Glad I could help you set up Logwatch on your CentOS Server!
Thanks for your this learn about this service I glad for your learn that thanks so much.
Great tutorial! Thanks! 🙂
Great explanation – Helped on CentOS 5.9.
Great! Glad I could help with your Logwatch CentOS needs!
Very good. You have provided a nice succinct description of how to set up logwatch. I wish I had found this earlier.
Glad I could help! Let me know if you have any other Logwatch CentOS related questions!
Thanks for this. Probably a stupid question, but this is my first server setup with Webmin/Virtualmin. Would it be normal practice to set logwatch in a cron job daily?
Hi Alan! Yes, I would say it is normal practice – you would want to check your Logs every day! Please let me know if there is anything else I can help with on your Virtualmin Setup! I would suggest reading some of the other posts on my site and looking at what else you can add to your server!
Thanks so much, this saved me a lot of time!
Glad I could help! Let me know if you have any other CentOS 6, Virtualmin or Logwatch related issues!