How to install Logwatch on Ubuntu 20.04?

Overview

If you are familiar with the regular operation of your network and servers, you can often spot anomalies just by watching a server's login behavior. This tutorial walks you through setting up a program that analyzes your logs and gives you feedback on every server action.

Logwatch is an open-source log management and monitoring program that keeps track of every action on the server and emails the administrator a summary of the logs on a daily or weekly basis, depending on how it is configured. Because it compiles the logs from several devices into a single report, it can streamline network maintenance and speed up problem response.

Prerequisites

We are about to set up Logwatch on an Ubuntu 20.04 system. There are no minimum resource requirements, but you need root-level access to the server where you install it. The server should also have a static IP address, a fully qualified domain name, and an internet connection.

You should also keep your system up to date and patched with the necessary dependencies. Update your system's package list before beginning the installation.

Get Started

Step-1: Updating dependencies

Refresh the package lists using the following command.

sudo apt-get update

Step-2: Install Logwatch

Logwatch is easy to install on a Linux server because it is available as a package in Linux distributions. Logwatch does not run as a daemon and does not interact with any services that are already running, so installing it does not disturb anything else on the server. Run the following command with root privileges to install Logwatch on Ubuntu 20.04.

sudo apt-get -y install logwatch

Postfix Configuration

During installation you must select the mail server settings based on your requirements. Select one of the common mail configuration options offered and then click "OK" to continue.

  • Next, set the fully qualified domain name used as your system mail name. Most likely this is the hostname of your server. Read the instructions in the dialog carefully to pick the option that best fits your needs.

  • You will be able to examine the installation's final outcomes, as depicted in the snapshot, after the Logwatch installation is complete.

Logwatch Configurations

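While the packages are being configured, choose the options that best fit your needs. The default Logwatch configuration file, located at /usr/share/logwatch/default.conf/logwatch.conf, manages all Logwatch configurations. Package upgrades can overwrite files under /usr/share; Logwatch also reads /etc/logwatch/conf/logwatch.conf, whose settings override the defaults, so local changes kept there survive upgrades. The command listed below can be used to alter the default file: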

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Using this command, the Nano editor will open the Logwatch configuration file. There are several setting choices available here. Let's examine a few of the following possibilities:

a. Email: You must instruct Logwatch where to send its reports through email as the initial configuration step. Look for the following line in the Logwatch configuration file and provide your email address there:

MailTo = root

With the MailFrom option, you can also change the email sender. Find the following line in the Logwatch configuration file, and provide your email address there.

MailFrom = Logwatch

b. Range: The reports' range can also be specified. Find the following line in the Logwatch configuration file:

Range = yesterday

The default is yesterday. You can change it to today (today's logs) or All (since Logwatch was installed).

c. Report detail: The desired amount of information for your log reports can also be adjusted to Low, Medium, or High. By default, the detail level is set to low. Find the following line in the configuration file, then update it to the desired level to alter the default value:

Detail = Low

d. Services: You may produce reports for all services or a single one using the Logwatch services option. Logwatch automatically produces reports for all services (All). Find the following line in the Logwatch configuration file and update it:

Service = All

To create reports just for specified services like HTTP, FTP, SSH, delete the above given line and write the required services as shown:

Service = http
Service = ftp
Service = sshd
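
After editing, it is worth confirming which values are actually in effect. The following script is an added example, not part of the original tutorial or of Logwatch itself: it prints the MailTo, Range, Detail and Service values from a configuration file and warns when MailTo is still the default or when Service = All was left in place next to named services. The function names lw_values and lw_audit are hypothetical, and the parsing rules (case-insensitive keys, last assignment wins, a leading "-" marks an exclusion) are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not part of Logwatch. Assumption: key names are
# case-insensitive and, for single-valued keys, a later line overrides an earlier one.

# lw_values FILE KEY -> every value assigned to KEY, one per line, in file order
lw_values() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                    # strip comments
        (p = index($0, "=")) == 0 { next }    # skip lines without an assignment
        {
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            sub(/^[ \t]+/, "", k);  sub(/[ \t]+$/, "", k)
            sub(/^[ \t"]+/, "", v); sub(/[ \t"]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}

# lw_audit FILE -> prints the effective settings, then one WARN line per finding
lw_audit() {
    lw_mailto=$(lw_values "$1" MailTo | tail -n 1)
    lw_services=$(lw_values "$1" Service | tr '\n' ' ')
    echo "MailTo=$lw_mailto"
    echo "Range=$(lw_values "$1" Range | tail -n 1)"
    echo "Detail=$(lw_values "$1" Detail | tail -n 1)"
    echo "Service=$lw_services"

    # Default recipient: the report goes to the local root mailbox.
    case $lw_mailto in
        ''|root) echo "WARN: MailTo is still the default (root)" ;;
    esac

    # "Service = All" next to named services means the report is not restricted.
    # Entries starting with "-" are treated as exclusions (assumption).
    lw_all=0; lw_named=0
    for lw_s in $lw_services; do
        case $lw_s in
            [Aa][Ll][Ll]) lw_all=1 ;;
            -*)           ;;
            *)            lw_named=$((lw_named + 1)) ;;
        esac
    done
    if [ "$lw_all" -eq 1 ] && [ "$lw_named" -gt 0 ]; then
        echo "WARN: Service = All is set together with $lw_named named service(s)"
    fi
}

# Audit the file given on the command line, e.g. the path edited above.
if [ -n "${1:-}" ]; then lw_audit "$1"; fi
```
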

Testing Logwatch

To test Logwatch, run it manually whenever you need a report. Use the logwatch command as follows:

logwatch

  • The initial report layout from the Logwatch will look like this.

  • The logwatch command will provide a report from each service that is active and any installed apps. The output of Logwatch from some of the services operating on it, such as postfix, ssh, etc., is shown below.

  • The final lines of the Logwatch output display a report on filesystem disk space usage.

Conclusion

All system administrators should test Logwatch and use it to review the logs of servers that run vital services and receive a large number of daily connections. You must keep an eye on the logs to see if someone has made any modifications to the server. Hence, get set up with Logwatch and begin analyzing your logs effectively and professionally.