This article shows how to install and use the logwatch log analysis tool on Ubuntu Linux so that it automatically analyses the logs of the various services every day and produces a report.
logwatch is a simple log analysis tool that automatically analyses the logs of the services running on a server each day and produces a concise report, making it easier for the administrator to keep track of the state of the whole system and of each service.
First, install the logwatch package with apt:
# Install the logwatch package
sudo apt install logwatch
After logwatch is installed, create the cache directory it uses by hand:
# Create the cache directory used by logwatch
sudo mkdir /var/cache/logwatch
The default logwatch configuration file is /usr/share/logwatch/default.conf/logwatch.conf. To change any of its settings, copy it to /etc/logwatch/conf/logwatch.conf and edit the copy:
# Create the logwatch configuration file
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Some common settings follow.
The Output parameter sets how logwatch emits its report. stdout sends the report to the program's standard output, which suits running logwatch manually from the command line:
# Default output channel is stdout
Output = stdout
To have logwatch run periodically on the system, the output can instead be sent by e-mail to the administrator's mailbox:
# Default output channel is e-mail
Output = mail
With e-mail output, the recipient and the sender of the message must also be set; both can be local accounts:
# Set recipient and sender to local accounts
MailTo = root
MailFrom = logwatch
The recipient and sender can also be given as ordinary e-mail addresses:
# Set recipient and sender by e-mail address
MailTo = adm@mydomain.com
MailFrom = logwatch@host1.mymachine.com
If the message is to be delivered to a mailbox elsewhere on the network, first confirm that your system can send mail via sendmail; otherwise the report will never get out.
To have logwatch write its report straight to a file, set Output to file:
# Default output channel is a file
Output = file
With file output, the Filename parameter sets the path of the output file:
# Output file location
Filename = /tmp/logwatch.txt
The Detail parameter sets how detailed the report is; the available levels are Low, Med and High:
# Report detail level
Detail = Low
The Format parameter sets the report format; the default is a plain-text report:
# Text report
Format = text
For an HTML report, set Format to html:
# HTML report
Format = html
Service selects which services' logs logwatch analyses; the names of all supported services can be read off the file names under /usr/share/logwatch/scripts/services. To analyse the logs of every service, set Service to All:
# Watch all services
Service = All
With Service set to All, an exclusion list can be added alongside it to leave out a few unimportant services:
# Exclude the eximstats service (used together with Service = All)
Service = "-eximstats"
To analyse the logs of only a few specific services, list just those services instead:
# Analyse only the PAM_pwdb and PAM service logs
Service = "pam_pwdb"
Service = "pam"
Range sets the time window of logs to analyse; the default is the previous day:
# Analyse yesterday's logs
Range = yesterday
Range can also be set to the current day (Today) or to all time (All).
Once logwatch is configured, run the logwatch command directly to check that the configuration has no problems:
# Test-run logwatch
sudo logwatch --detail Low --range today
Normal logwatch output looks roughly like this:
################### Logwatch 7.5.2 (07/22/19) ####################
Processing Initiated: Sat May 14 19:46:37 2022
Date Range Processed: today
( 2022-May-14 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: imgqc
##################################################################
--------------------- dpkg status changes Begin ------------------------
Installed:
comerr-dev:amd64 2.1-1.45.5-2ubuntu1
krb5-multidev:amd64 1.17-6ubuntu4.1
libczmq-dev:amd64 4.2.0-2
libczmq4:amd64 4.2.0-2
libgssrpc4:amd64 1.17-6ubuntu4.1
libkadm5clnt-mit11:amd64 1.17-6ubuntu4.1
libkadm5srv-mit11:amd64 1.17-6ubuntu4.1
logwatch:all 7.5.2-1ubuntu1.3
---------------------- dpkg status changes End -------------------------
--------------------- fail2ban-messages Begin ------------------------
Banned services with Fail2Ban: Bans:Unbans
sshd: [432:434]
---------------------- fail2ban-messages End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (61.177.173.36): 117 Time(s)
root (61.177.173.47): 99 Time(s)
root (137.184.184.40): 69 Time(s)
unknown (43.155.76.211): 1 Time(s)
unknown (43.159.59.125): 1 Time(s)
www-data (123.138.161.200): 1 Time(s)
www-data (190.216.236.62): 1 Time(s)
Invalid Users:
Unknown Account: 757 Time(s)
su:
Sessions Opened:
ubuntu -> root: 5 Time(s)
root -> nobody: 3 Time(s)
sudo:
Sessions Opened:
ubuntu -> root: 14 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
su: (to root) ubuntu on pts/0: 2 Time(s)
su: (to root) ubuntu on pts/1: 2 Time(s)
su: (to root) ubuntu on pts/2: 1 Time(s)
systemd-logind: Existing logind session ID 60 used by new audit session, ignoring.: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
Network Read Write Errors: 4
Negotiation failed:
no matching key exchange method found: 250 Times
Failed logins from:
2.237.58.14 (2-237-58-14.ip237.fastwebnet.it): 4 Times
8.212.176.175: 2 Times
13.79.122.130: 10 Times
219.117.228.47 (219.117.228.47.static.zoot.jp): 2 Times
221.196.108.122 (www122.asd.tj.cn): 1 Time
Illegal users from:
2.237.58.14 (2-237-58-14.ip237.fastwebnet.it): 8 Times
8.212.176.175: 6 Times
221.133.1.50 (mail.bachvietdt.com.vn): 3 Times
221.196.108.122 (www122.asd.tj.cn): 8 Times
Users logging in through sshd:
ubuntu:
42.74.241.160 (42-74-241-160.emome-ip.hinet.net): 9 Times
Received disconnect:
[preauth] : 227 Times
Bye Bye [preauth] : 1095 Times
Normal Shutdown, Thank you for playing [preauth] : 97 Times
**Unmatched Entries**
error: kex_exchange_identification: Connection closed by remote host : 97 Times
error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_103.124.73.182_22" : 1 Time
error: kex_exchange_identification: read: Connection reset by peer : 1 Time
message repeated 2 times: [ Failed password for root from 218.92.0.221 port 11137 ssh2] : 1 Time
message repeated 2 times: [ Failed password for root from 61.177.173.53 port 58952 ssh2] : 1 Time
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
root => root
------------
/usr/bin/apt - 1 Time(s).
/usr/bin/cp - 1 Time(s).
/usr/bin/mkdir - 1 Time(s).
/usr/sbin/logwatch - 4 Time(s).
ubuntu => root
--------------
/usr/bin/apt-get - 2 Time(s).
/usr/bin/su - 5 Time(s).
---------------------- Sudo (secure-log) End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 94G 73G 17G 82% /
/dev/loop0 111M 111M 0 100% /snap/core/12834
/dev/loop3 44M 44M 0 100% /snap/certbot/1952
/dev/loop2 112M 112M 0 100% /snap/core/12941
/dev/loop1 44M 44M 0 100% /snap/certbot/2035
/dev/loop5 56M 56M 0 100% /snap/core18/2344
/dev/loop4 56M 56M 0 100% /snap/core18/2409
/dev/loop7 62M 62M 0 100% /snap/core20/1405
/dev/loop6 62M 62M 0 100% /snap/core20/1434
/dev/loop8 68M 68M 0 100% /snap/lxd/22526
/dev/loop11 45M 45M 0 100% /snap/snapd/15534
/dev/loop10 44M 44M 0 100% /snap/snapd/15177
/dev/loop9 68M 68M 0 100% /snap/lxd/22753
/dev/vdb 295G 65M 280G 1% /mnt/test
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
When the logwatch package is installed on Ubuntu Linux, a /etc/cron.daily/00logwatch script is created automatically, so once the logwatch configuration file is written, logwatch runs by itself every day.
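As an added example (not part of the original article or of logwatch itself), the following Python script parses the pam_unix and SSHD sections of a logwatch text report in the format shown above and totals failed login attempts per source address across both sections, so sources that keep failing stand out in the daily report. The report excerpt and its addresses are constructed for the example.

```python
import re
# Constructed excerpt shaped like the pam_unix and SSHD sections of a logwatch
# text report; the addresses are RFC 5737 documentation ranges, not a real host's.
SAMPLE_REPORT = """\
--------------------- pam_unix Begin ------------------------
sshd:
   Authentication Failures:
      root (192.0.2.10): 117 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
   192.0.2.10: 10 Times
   203.0.113.5 (host.example.net): 2 Times
Illegal users from:
   203.0.113.5 (host.example.net): 8 Times
Users logging in through sshd:
   ubuntu:
      198.51.100.20: 9 Times
---------------------- SSHD End -------------------------
"""
SECTION_RE = re.compile(r"^-+ (.+?) (Begin|End) -+$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
COUNT_RE = re.compile(r":\s*(\d+) Time(?:s|\(s\))?$")  # "1 Time", "2 Times", "3 Time(s)"
# Sub-headings whose entries are failures; "Users logging in through sshd" (successes) is not counted.
FAILURE_HEADINGS = {"Authentication Failures", "Failed logins from", "Illegal users from"}

def failed_logins_by_source(report):
    """Sum failed PAM/SSHD attempts per source IP across both sections."""
    totals, section, heading = {}, None, None
    for line in (raw.strip() for raw in report.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:  # section delimiter: remember which section we are in
            section = sec.group(1) if sec.group(2) == "Begin" else None
            heading = None
            continue
        count = COUNT_RE.search(line)
        if count is None:
            if line.endswith(":"):  # a (sub-)heading such as "Failed logins from:"
                heading = line[:-1]
            continue
        ip = IPV4_RE.search(line)
        if section in ("pam_unix", "SSHD") and heading in FAILURE_HEADINGS and ip:
            totals[ip.group(0)] = totals.get(ip.group(0), 0) + int(count.group(1))
    return totals

def sources_over_threshold(totals, threshold):
    """Sources with at least `threshold` failures, busiest first."""
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))
```

Feed it the text of a saved report (for example the file set with Filename above) to get the same per-source totals for a real day.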