A while back, I was running a small server at home to host a website for my friends. Everything seemed fine—until one day, it got really slow. I didn’t know why. That’s when I learned the power of reading logs.
But reading logs manually is like looking for a needle in a haystack. That’s where Logwatch helped me. It takes those messy logs and gives you a neat summary in an email. Much easier.
In this post, I’ll show you how to set up and use Logwatch to monitor your logs.
What Is Logwatch?
Let’s start with the basics.
Logwatch is a small program that reads system logs on your Linux server. It gives you a daily report. This report tells you what’s been going on—like failed login attempts, software updates, or problems with services.
You might be thinking: “What’s a log?”
A log file is a record. Your server writes down everything it does—who logged in, what programs ran, what errors happened. Logs are stored in the /var/log/ folder.
But these files are hard to read on your own. That’s why we use Logwatch—it summarizes the logs in a way that’s easy to understand.
Why Should You Monitor Logs?
You may ask, “Why should I care about logs?”
Let me give you some real reasons:
- Logs show you if someone is trying to hack your server.
- You can spot errors before they turn into big problems.
- You’ll see if a program is crashing or using too much memory.
It’s like checking your car’s dashboard. If a warning light comes on, you know something needs attention.
Reading logs every day manually? No, thanks. But with Logwatch, the server sends you a daily email summary. You can skim it in a minute and stay informed.
What You’ll Need
Here’s what you need to get started:
- A Linux server (Ubuntu, Debian, CentOS, or similar)
- Access to the terminal or SSH
- A working email system on your server (to receive reports)
Optional but helpful:
- Basic knowledge of the terminal
- An email address that you check often
Step-by-Step: How to Set Up Logwatch
Let’s walk through how to install and use Logwatch.
1. Install Logwatch
If you’re using Ubuntu or Debian, run:
sudo apt update
sudo apt install logwatch -y
For CentOS or RHEL, run:
sudo yum install logwatch -y
That’s it—Logwatch is now installed.
2. Run Logwatch Manually
You can test it out by running this command:
sudo logwatch
It will read your logs and show a short report in the terminal.
Want to see logs for the last day? Use:
sudo logwatch --range yesterday
Want the full detailed report? Try:
sudo logwatch --detail high
3. Send Reports by Email
Here’s the useful part—getting reports in your inbox.
First, make sure your server can send emails. If not, install something like postfix or ssmtp.
For Postfix on Ubuntu:
sudo apt install postfix -y
Once your server can send mail, tell Logwatch where to send it (replace the placeholder you@example.com with your own address):
sudo logwatch --output mail --mailto you@example.com --detail medium
You can run this command by hand once a day, or you can set it up to run automatically.
4. Schedule Daily Reports
To automate the process, Logwatch uses cron, a scheduler tool in Linux.
It’s usually already set to run daily. You can check the file:
cat /etc/cron.daily/00logwatch
If it’s there, Logwatch is already being run every day.
Now, make sure it sends email by editing the default config.
Open the config file:
sudo nano /usr/share/logwatch/default.conf/logwatch.conf
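Look for these lines and change them (use your own address in place of the placeholder):
MailTo = you@example.com
Detail = Med
Save the file. Keep in mind that a package update can overwrite files under /usr/share/logwatch. Logwatch also reads local overrides from /etc/logwatch/conf/logwatch.conf, so the same two lines can go there instead.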
From now on, every day, Logwatch will send a summary to your inbox.
What’s in the Logwatch Report?
Logwatch reads logs from many places. Here are some things you might see in your daily email:
- SSH logins — who logged in and from where
- Failed login attempts — could be someone trying to guess passwords
- Service restarts — like web servers or databases
- Disk space warnings
- Errors or crashes
Some sections might not make sense at first, but after a few days, you’ll start to recognize the normal stuff—and spot the weird stuff fast.
Real-Life Example
One day, I noticed the Logwatch email said there were 30 failed SSH logins from the same IP address. I looked it up—it was from another country.
That was a bot trying to break into my server.
Because I saw the report, I knew I needed to set up a firewall and use SSH keys instead of passwords.
Without Logwatch, I wouldn’t have known until it was too late.
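To check a finding like this against the raw log yourself, here is an added example (not part of the original post and not Logwatch's own code) that counts failed SSH password attempts per source IP. The function names, the sample log lines and the addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source IP.
# Log lines below are constructed; addresses are documentation ranges.

# failed_ssh_by_ip THRESHOLD [FILE...]   (reads stdin when no file is given)
# Prints "COUNT IP" for every source with at least THRESHOLD failures.
failed_ssh_by_ip() {
    threshold=$1
    shift
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: / && /Failed password for / {
            # rsyslog can fold duplicates into "message repeated N times: [ ... ]"
            n = 1
            if (match($0, /sshd\[[0-9]+\]: message repeated [0-9]+ times: /)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^.*repeated /, "", s)
                n = s + 0
            }
            # The client chooses the username, so it may itself contain
            # "from <ip>". Trust only the last "from", which sshd appends.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") count[ip] += n
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample in the usual /var/log/auth.log layout.
sample_auth_log() {
    cat <<'EOF'
Mar  3 02:14:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 02:14:03 web1 sshd[1201]: message repeated 4 times: [ Failed password for root from 203.0.113.7 port 40022 ssh2]
Mar  3 02:14:09 web1 sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Mar  3 02:15:12 web1 sshd[1214]: Failed password for invalid user a from 198.51.100.9 port 1 from 203.0.113.7 port 40040 ssh2
Mar  3 08:30:44 web1 sshd[1388]: Failed password for alice from 198.51.100.20 port 51512 ssh2
Mar  3 08:30:51 web1 sshd[1388]: Accepted password for alice from 198.51.100.20 port 51512 ssh2
EOF
}

# Sources with 5 or more failures in the sample.
sample_auth_log | failed_ssh_by_ip 5
```

On a real server, pass the log file instead of the sample, for example failed_ssh_by_ip 5 /var/log/auth.log (on CentOS or RHEL the file is /var/log/secure); reading it usually needs sudo.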
Customize Your Reports
You can fine-tune what Logwatch shows you. Some useful options include:
- --range — choose what time period to report on (yesterday, today, all)
- --service — choose a specific service (like --service sshd)
- --detail — how much detail (low, med, high)
Want to only see SSH info?
sudo logwatch --service sshd --range yesterday --detail high
Want to save it to a file?
sudo logwatch --output file --filename /tmp/report.txt
Compare Logwatch with Other Tools
Let’s compare Logwatch to other log tools.
Feature | Logwatch | Logrotate | Logcheck |
---|---|---|---|
Summarizes logs | ✅ Yes | ❌ No | ✅ Yes |
Sends emails | ✅ Yes | ❌ No | ✅ Yes |
Easy to use | ✅ Very | ✅ Simple | ❌ More complex |
Good for beginners | ✅ Definitely | ✅ Yes | ❌ Not really |
Logrotate is great for keeping logs tidy. But it doesn’t tell you what’s inside them. Logwatch does.
Three Helpful Lists
Logwatch Commands You’ll Use
- logwatch --range yesterday — view yesterday’s logs
- logwatch --output mail --mailto you@example.com — send report by email
- logwatch --detail high — get a more detailed report
Common Services It Monitors
- sshd — SSH logins
- cron — scheduled jobs
- apache — web server
- postfix — mail server
Problems It Can Help Catch
- Too many failed login attempts
- Low disk space
- Service errors or restarts
- Suspicious IP addresses
Tips for Using Logwatch
Here are some tips I’ve learned:
- Check your email every day. Even if nothing big happens, it’s good to keep an eye on it.
- Don’t panic if you see errors. Look them up. Some warnings are normal.
- Add Logwatch to a server as soon as you set it up. It takes 5 minutes and saves you hours later.
Wrapping Up
Using Logwatch is one of the easiest ways to monitor what’s going on with your Linux server. It gives you a summary of the day’s activity, sent right to your inbox.
I started using it when my server had a weird slowdown, and now I include it in all my setups. It helps me feel more in control and less in the dark.
So, what do you think? Will you try setting up Logwatch today?
If you’d like, I can help you later with filters, ignoring noisy logs, or setting up alerts for only critical issues.
Let me know how it goes.