Summary: study notes on Linux Logwatch
Introduction to Logwatch
Logwatch is an open-source log analysis tool written in Perl. It parses raw log files into structured reports, and the reports can be tailored to your environment and needs. Logwatch is simple to configure, convenient for monitoring and analysing logs, and parts of it can be customised. The project source is at https://sourceforge.net/projects/logwatch/ .
The official Logwatch documentation describes it as:
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Installing and upgrading Logwatch
1: Check whether the Logwatch package is installed
[root@DB-Server ~]# rpm -qa | grep logwatch
logwatch-7.3-9.el5_6
2: Installing, upgrading and removing Logwatch
2.1.1 RPM installation
[root@DB-Server Server]# rpm -ivh logwatch-7.3-9.el5_6.noarch.rpm
warning: logwatch-7.3-9.el5_6.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ########################################### [100%]
        package logwatch-7.3-9.el5_6.noarch is already installed
[root@DB-Server Server]#
[root@DB-Server Server]# yum install logwatch
2.1.2 Installation from source
[root@DB-Server tmp]# tar -xzvf logwatch-7.4.3.tar.gz
[root@DB-Server tmp]# cd logwatch-7.4.3
[root@DB-Server logwatch-7.4.3]# ./install_logwatch.sh
#################################
Preparing to install Logwatch
Enter the path to the Logwatch BaseDir [/usr/share/logwatch] :
### Using /usr/share/logwatch
Enter the path for the Logwatch ConfigDir [/etc/logwatch] :
### Using /etc/logwatch
Enter the dir name to be used for temp files [/var/cache/logwatch] :
### Using /var/cache/logwatch
Enter the location of perl [/usr/bin/perl] :
### Using /usr/bin/perl
Enter the dir name to used for the manpage [/usr/share/man] :
### Using /usr/share/man
### Installing
Created symlink for /usr/sbin/logwatch
Created /etc/cron.daily/0logwatch
2.2 Removing Logwatch
[root@DB-Server Server]# rpm -e logwatch-7.3-9.el5_6
2.3 Upgrading Logwatch
[root@DB-Server Server]# rpm -Uvh logwatch***.rpm
Logwatch configuration
Logwatch's configuration file is /etc/logwatch/conf/logwatch.conf; after a fresh install it is empty. You can copy the template over it; if you skip this step, the defaults in /usr/share/logwatch/default.conf/logwatch.conf are used instead.
[root@DB-Server ~]# more /etc/logwatch/conf/logwatch.conf
# Local configuration options go here (defaults are in /usr/share/logwatch/default.conf/logwatch.conf)
[root@DB-Server ~]# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
cp: overwrite `/etc/logwatch/conf/logwatch.conf'? yes
The main parameters:
LogDir = /var/log                    directory holding the system logs (or whichever logs are to be analysed)
TmpDir = /var/cache/logwatch         location for temporary files
Output = stdout                      output target (stdout prints the report to the screen)
Format = text                        output format; text or html
Encode = none                        encoding of the output
MailTo = root                        who receives the report (users or mail groups); separate several addresses with commas
MailFrom = Logwatch                  sender address of the report mail
Range = yesterday                    which period's logs to process; options include All, Yesterday and Today, as well as expressions such as:
    Range = "1 hours ago for that hour"
    Range = "-7 days"
    Range = "between -7 days and -3 days"
    Range = "since March 15, 2017"
    Range = "first Friday in October"
    Range = "2017/04/15 12:50:15 for that second"
Detail = Low                         level of detail in the report; Low, Med or High, or a number from 0 to 10 (High, Med and Low correspond to 10, 5 and 0)
Service = All                        monitor all services
Service = "-httpd"                   a leading "-" excludes a service, e.g. -httpd skips the httpd report; several such lines may be given
mailer = "/usr/sbin/sendmail -t"     how mail is sent (sendmail, postfix or qmail)
Note that the parameters differ between Logwatch versions; compare the logwatch-7.3-9 and logwatch-7.4.3 files below:
[root@DB-Server01 ~]# sed -n "/^\s*[^#\t].*$/p" /usr/share/logwatch/default.conf/logwatch.conf
LogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = root
MailFrom = Logwatch
Print = No
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
mailer = "sendmail -t"
[root@DB-Server ~]# sed -n "/^\s*[^#\t].*$/p" /etc/logwatch/conf/logwatch.conf
LogDir = /var/log
TmpDir = /var/cache/logwatch
Output = stdout
Format = text
Encode = none
MailTo = root
MailFrom = Logwatch
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network"     # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
Service = "-zz-sys"         # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
Service = "-eximstats"      # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.
mailer = "/usr/sbin/sendmail -t"
[root@DB-Server ~]#
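The layering described above (defaults in /usr/share/logwatch/default.conf/logwatch.conf, local overrides in /etc/logwatch/conf/logwatch.conf) is easy to misjudge when a key appears in both files or when several Service lines accumulate. The script below is an added example, not code from this post or from the Logwatch project: it merges two constructed sample files that mirror the listings above and prints the settings that will actually be in effect, which is a quick way to verify what the nightly run uses. The function names (lw_settings, lw_effective, lw_get, lw_make_samples) and the sample file contents are assumptions made for this example; Logwatch's own Perl configuration parser handles more syntax than this.

```shell
#!/bin/sh
# Added example (not from the post or from Logwatch): compute the effective
# settings from a default logwatch.conf and a local override file. The two
# sample files are constructed here so the script runs without Logwatch.

# Print "key<TAB>value" for every setting in a logwatch.conf. Comment-only and
# blank lines are skipped, a trailing "# ..." comment is dropped and the
# surrounding quotes are removed.
lw_settings() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        index($0, "=") > 0 {
            p = index($0, "=")
            key = substr($0, 1, p - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = substr($0, p + 1)
            sub(/[[:space:]]*#.*$/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)
            print key "\t" val
        }' "$1"
}

# Merge default then local: for ordinary keys the last assignment wins.
# Service lines are collected in order; "All" resets the exclusion list and
# "-name" adds a service to it.
lw_effective() {
    { lw_settings "$1"; lw_settings "$2"; } | awk -F'\t' '
        $1 == "Service" { svc[++n] = $2; next }
        { if (!($1 in val)) order[++m] = $1; val[$1] = $2 }
        END {
            for (i = 1; i <= m; i++) print order[i] "\t" val[order[i]]
            all = 0; excl = ""
            for (i = 1; i <= n; i++) {
                if (svc[i] == "All") { all = 1; excl = "" }
                else if (substr(svc[i], 1, 1) == "-") excl = excl " " substr(svc[i], 2)
            }
            if (all) print "Service\tAll except:" excl
            else print "Service\t" excl
        }'
}

# Print one effective key; returns 1 when it is set in neither file.
lw_get() {
    lw_effective "$2" "$3" | awk -F'\t' -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# Constructed sample files mirroring the two listings in the post.
lw_make_samples() {
    cat > "$1/default.conf" <<'EOF'
LogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = root
Print = No
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network"   # Prevents execution of zz-network service
Service = "-zz-sys"       # Prevents execution of zz-sys service
mailer = "sendmail -t"
EOF
    cat > "$1/local.conf" <<'EOF'
# Local configuration options go here
Output = stdout
Format = text
Detail = High
Service = "-eximstats"
mailer = "/usr/sbin/sendmail -t"
EOF
}

# Demo run on the constructed files.
LW_DEMO=$(mktemp -d)
lw_make_samples "$LW_DEMO"
echo "Effective settings (local overrides default):"
lw_effective "$LW_DEMO/default.conf" "$LW_DEMO/local.conf"
rm -rf "$LW_DEMO"
```

To check a real installation, call lw_effective with the two real paths instead of the constructed ones; the Service line then shows which reports the nightly run will skip.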
Logwatch does not run as a system service. Instead the package installs a script, /etc/cron.daily/0logwatch (a symlink in some versions), as shown below; you can of course also schedule your own job in crontab. To use the mail feature you must configure a mailer beforehand, for example sendmail.
logwatch-7.3-9
[root@mynx01 ~]# ls -l /etc/cron.daily/0logwatch
lrwxrwxrwx 1 root root 39 Apr 23  2015 /etc/cron.daily/0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
logwatch-7.4.3
[root@DB-Server tmp]# more /etc/cron.daily/0logwatch
#!/bin/sh

#Set logwatch location
LOGWATCH_SCRIPT="/usr/sbin/logwatch"

#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,
#but some are only for the nightly cronrun such as --output mail and should be set here.
#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.
OPTIONS="--output mail"

#Call logwatch
$LOGWATCH_SCRIPT $OPTIONS

exit 0
[root@DB-Server tmp]# ls -l /etc/cron.daily/0logwatch
-rwxr-xr-x 1 root root 434 Apr 27 15:09 /etc/cron.daily/0logwatch
[root@DB-Server tmp]#
Logwatch usage examples
1: View the Logwatch help text (note the differences between versions)
[root@DB-Server log]# logwatch --help
Usage: /usr/sbin/logwatch [--detail <level>] [--logfile <name>] [--output <output_type>]
   [--format <format_type>] [--encode <enconding>] [--numeric] [--mailto <addr>] [--archives] [--range <range>] [--debug <level>]
   [--filename <filename>] [--help|--usage] [--version] [--service <name>] [--hostformat <host_format type>]
   [--hostlimit <host1,host2>] [--html_wrap <num_characters>]

--detail <level>: Report Detail Level - High, Med, Low or any #.
--logfile <name>: *Name of a logfile definition to report on.
--logdir <name>: Name of default directory where logs are stored.
--service <name>: *Name of a service definition to report on.
--output <output type>: Report Output - stdout [default], mail, file.
--format <formatting>: Report Format - text [default], html.
--encode <encoding>: Enconding to use - none [default], base64.
--mailto <addr>: Mail report to <addr>.
--archives: Use archived log files too.
--filename <filename>: Used to specify they filename to save to.
--filename <filename> [Forces output to file].
--range <range>: Date range: Yesterday, Today, All, Help
                             where help will describe additional options
--numeric: Display addresses numerically rather than symbolically and numerically
           (saves a nameserver address-to-name lookup).
--debug <level>: Debug Level - High, Med, Low or any #.
--hostformat: Host Based Report Options - none [default], split, splitmail.
--hostlimit: Limit report to hostname - host1,host2.
--hostname: overwrites hostname
--html_wrap <num_characters>: Default is 80.
--version: Displays current version.
--help: This message.
--usage: Same as --help.
* = Switch can be specified multiple times...
2: Logwatch usage examples:
perl /usr/share/logwatch/scripts/logwatch.pl
logwatch --service sshd --print
logwatch --detail High --Service All --range All --print
logwatch --detail High --Service All --range All --output stdout
logwatch --detail 10 --range today --service http --service postfix --service zz-disk_space --format html --output file --filename /tmp/logwatch.html
Note that some of the commands above do not work on every version: logwatch-7.4.3, for instance, has no --print option, and --output must be used instead.
[root@MyLinx ~]# logwatch --service sshd --print

 ################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Mon Apr 24 08:11:00 2017
        Date Range Processed: yesterday
                              ( 2017-Apr-23 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output: unformatted
        Logfiles for Host: xxx.xxx.xxx
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Users logging in through sshd:
    xxxxx:
       192.168.xxx.xxx (xxxx): 276 times
    oracle:
       192.168.xxx.xxx (xxxxx): 1 time

 Received disconnect:
    11: The user disconnected the application
       192.168.xxx.xxx : 276 Time(s)

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################

[root@DB-Server log]# logwatch --detail 10 --range all --service sshd --format text --output file --filename /tmp/logwatch.txt
[root@DB-Server log]# more /tmp/logwatch.txt

 ################### Logwatch 7.4.3 (04/27/16) ####################
        Processing Initiated: Thu Apr 27 17:17:42 2017
        Date Range Processed: all
        Detail Level of Output: 10
        Type of Output/Format: file / text
        Logfiles for Host: DB-Server.localdomain
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Couldn't resolve these IPs:
    get253194.gfg1.esquel.com(192.168.103.21): 1 Time(s)
    get253194.gfg1.esquel.com(192.168.103.26): 1 Time(s)

 Failed logins from:
    192.168.7.xxx: 1 time
       root/password: 1 time

 Users logging in through sshd:
    root:
       192.168.103.15 (xxxxx): 4 times
       192.168.103.21 (xxxxx): 4 times
       192.168.103.22 (xxxxx): 3 times
       192.168.103.26 (xxxxx): 2 times

 SFTP subsystem requests: 6 Time(s)

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################
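A report like the one above earns its keep when something reads it: the SSHD section lists failed logins per source and the hosts each user logged in from, which are exactly the counts worth alerting on. The script below is an added example, not code from this post or from Logwatch. It parses a constructed report in the same layout as the 7.4.3 output above (with RFC 5737 documentation addresses instead of real ones) into a few metrics and returns a non-zero status when the number of failed logins, or the number of hosts root logged in from, exceeds a threshold, so it can be chained after a cron run. The function names, thresholds and sample report are assumptions made for this example; the indentation it relies on (one space for a heading, four for an entry, seven for a sub-entry) is taken from the reports shown here.

```shell
#!/bin/sh
# Added example (not from the post or from Logwatch): turn the text report of
# the sshd service into metrics plus a threshold check for use after the
# nightly run. The report below is constructed to mirror the 7.4.3 layout in
# the post, using documentation addresses (RFC 5737) instead of real ones.

# Write the constructed sample report to the given path.
sshd_sample_report() {
    cat > "$1" <<'EOF'
 ################### Logwatch 7.4.3 (04/27/16) ####################
        Processing Initiated: Thu Apr 27 17:17:42 2017
        Date Range Processed: all
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: db-server.example
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Couldn't resolve these IPs:
    host-a.example(192.0.2.21): 1 Time(s)

 Failed logins from:
    192.0.2.77: 3 times
       root/password: 2 times
       oracle/password: 1 time
    198.51.100.5: 1 time
       admin/password: 1 time

 Users logging in through sshd:
    root:
       192.0.2.15 (host-b.example): 4 times
       192.0.2.21 (host-a.example): 4 times
       192.0.2.22 (host-c.example): 3 times
    oracle:
       192.0.2.26 (host-d.example): 2 times

 SFTP subsystem requests: 6 Time(s)

 ---------------------- SSHD End -------------------------

 ###################### Logwatch End #########################
EOF
}

# Print "metric value" lines for the sshd section of a report. Headings sit at
# indent 0-1, entries at indent 4 and sub-entries at indent 7 (as in the post's
# output); each entry ends in "<n> time(s)", so the count is the next-to-last field.
sshd_summary() {
    awk '
        NF == 0 { next }
        { match($0, /^ */); ind = RLENGTH }
        ind <= 1 {
            sec = ""
            if ($0 ~ /Failed logins from:/) sec = "failed"
            if ($0 ~ /Users logging in through sshd:/) sec = "users"
            next
        }
        sec == "failed" && ind < 6  { failed += $(NF - 1); fsrc++ }
        sec == "failed" && ind >= 6 { split($1, a, "/"); accts[a[1]] = 1 }
        sec == "users"  && ind < 6  { user = $1; sub(/:$/, "", user) }
        sec == "users"  && ind >= 6 { logins[user] += $(NF - 1); if (user == "root") rootsrc++ }
        END {
            na = 0; for (k in accts) na++
            print "failed_total", failed + 0
            print "failed_sources", fsrc + 0
            print "failed_accounts", na
            print "root_sources", rootsrc + 0
            for (u in logins) print "logins_" u, logins[u]
        }' "$1"
}

# Fetch one metric from a report file.
sshd_metric() {
    sshd_summary "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# Exit 0 when the report is within limits, 1 (with reasons printed) when not.
# Arguments: report file, max failed logins, max distinct hosts root may log in from.
sshd_check() {
    chk_failed=$(sshd_metric "$1" failed_total)
    chk_root=$(sshd_metric "$1" root_sources)
    chk_rc=0
    if [ "$chk_failed" -gt "$2" ]; then
        echo "ALERT: $chk_failed failed sshd logins (limit $2)"; chk_rc=1
    fi
    if [ "$chk_root" -gt "$3" ]; then
        echo "ALERT: root logged in from $chk_root hosts (limit $3)"; chk_rc=1
    fi
    return $chk_rc
}

# Demo run on the constructed report.
SSHD_DEMO=$(mktemp)
sshd_sample_report "$SSHD_DEMO"
sshd_summary "$SSHD_DEMO"
sshd_check "$SSHD_DEMO" 3 2 || echo "exit status: $?"
rm -f "$SSHD_DEMO"
```

On a real host, point sshd_check at the file written by logwatch --output file (as in the command above) and let the cron job act on its exit status; the thresholds are deliberately parameters, since a sensible limit for failed logins depends on how exposed the host is.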
That is all for this article. I hope it is of some help for your studies or work, and please keep supporting 码农网.