Logwatch on Syslog Server

Revision as of 10:59, 2 July 2013 by Candidhat (Talk | contribs)


Why run a centralised Logwatch?

On Debian Squeeze/Wheezy, Logwatch can be run to produce a report of anything of concern that processes have logged in the last 24 hours. On a Xen system you are likely to have several hosts, each emailing you a report every day. Wouldn't it be better to get a single daily email containing the details from all your hosts? Read on.



Configure Clients

Packages

  • First off, remove logwatch, or nullify its output.
  • Install syslog-ng
 apt-get install syslog-ng 

Configure syslog

Edit /etc/syslog-ng/syslog-ng.conf and add the following lines to the bottom:

destination d_tcp { tcp("172.16.2.13" port(1234) localport(999)); };
log { source(s_src); destination(d_tcp); };

Make sure the IP address matches the IP of your syslog server.


Configure Server

Packages

  • Install logwatch
 apt-get install logwatch
 cp /usr/share/logwatch/default.conf.d/logwatch.conf /etc/logwatch/conf 
  • Install syslog-ng
 apt-get install syslog-ng 

Configure syslog

Edit /etc/syslog-ng/syslog-ng.conf and add the following lines to the bottom:

source s_net { tcp(ip("172.16.2.13") port(1234)); };

destination collector {
        file("/var/log/$FACILITY.log"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
        );
};

log { source(s_net); destination(collector); };

Make sure the IP address matches the IP your syslog server listens on.

Edit /etc/cron.daily/00logwatch (for example with vi) so that the logwatch call reads:

/usr/sbin/logwatch --output mail --hostformat split

Done! All very simple!
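As an added illustration (not part of the wiki page or of syslog-ng itself), the following Python stand-in mimics what the two configurations above do on the wire: the client writes newline-framed BSD-syslog lines to a TCP port, and the collector decodes each message's PRI and files it under its facility name, as the file("/var/log/$FACILITY.log") destination does. The sample messages, the loopback address and the facility table are constructed assumptions; it is a way to check where a given message lands, not a replacement for syslog-ng.

```python
import socket
import socketserver
import threading
import time
from collections import defaultdict

# Facility names as syslog-ng expands $FACILITY (codes 12-15 vary between implementations).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + \
             ["local%d" % i for i in range(8)]

def parse_pri(line):
    """Split a BSD-syslog line '<PRI>message' into (facility_name, severity, message)."""
    end = line.find(">", 1, 5)
    if not line.startswith("<") or end < 0 or not line[1:end].isdigit():
        return "user", 5, line           # no valid PRI: RFC 3164 says treat it as user.notice
    fac, sev = divmod(int(line[1:end]), 8)
    return (FACILITIES[fac] if fac < len(FACILITIES) else "unknown"), sev, line[end + 1:]

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:           # tcp() framing: one message per newline-terminated line
            fac, sev, msg = parse_pri(raw.decode("utf-8", "replace").rstrip("\r\n"))
            with self.server.lock:       # stands in for file("/var/log/$FACILITY.log")
                self.server.files[fac].append((sev, msg))

def send(host, port, lines):
    with socket.create_connection((host, port)) as s:   # client side: plaintext, no auth
        s.sendall("".join(l + "\n" for l in lines).encode())

def run_roundtrip():
    """Run a loopback collector, push three constructed messages, return {facility: [messages]}."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)   # port 0: any free port
    srv.files, srv.lock = defaultdict(list), threading.Lock()          # facility -> [(sev, msg)]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    sample = ["<38>Jul  2 10:59:01 host1 sshd[123]: Accepted publickey for admin",   # auth.info
              "<78>Jul  2 10:59:02 host2 CRON[456]: (root) CMD (run-parts /etc/cron.hourly)",  # cron.info
              "<13>Jul  2 10:59:03 host1 logger: test message"]                    # user.notice
    try:
        send("127.0.0.1", srv.server_address[1], sample)
        for _ in range(100):             # sendall returns before the server has stored everything
            with srv.lock:
                if sum(len(v) for v in srv.files.values()) == len(sample):
                    break
            time.sleep(0.05)
    finally:
        srv.shutdown()
        srv.server_close()
    return {k: [m for _, m in v] for k, v in srv.files.items()}
```

Like the page's tcp() destination, this carries messages in the clear with no authentication, which is why the collector's listening port should be reachable only from the client hosts.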