Logwatch configuration examples to share

Hi,

Does anyone have an example logwatch.cfg configuration they would like to share for Linux, beyond the default example? Trying to gain from the forum's vast experience.

Thanks in advance

Andy

I like to keep the client config rather simple. For example, on a database server I have logwatch send all lines from /var/log/mysql/error.log that are tagged as error or warning:

# /etc/check_mk/logwatch.cfg
[...]
# MySQL/MariaDB error.log:
/var/log/mysql/error.log
 C \[ERROR\]
 W \[Warning\]
[...]

Some of these warnings are not really critical with regard to server operation, like client timeout etc., so I then set up logwatch rules on the monitoring server to ignore known problems and harmless lines or remap non-critical “errors” to WARN only.

So I guess your question mostly leads to: “Which log entries on a Linux system should I care about?”, and that’s a wide topic, for sure. Every site is different. :slight_smile:

You could match on stuff like “EXT[2-4]-fs .*Opts: errors=” or “[Cc]orrupt”, “inconsistent”, … to spot filesystem problems. Again, try not to put too much magic into the client side but rather filter by server-side rulesets.

Another one that has hit me on some machine in real life:

/var/log/syslog /var/log/kern.log
 W crontab file will be ignored

(or other cron error messages; find some possible ones in the binary using strings /usr/sbin/cron | less)

You could also look for syslog messages concerning segfaults or oom-killer/oom-reaper events.
etc., etc. :slight_smile:

Martin

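As an added example (my own Python, not Checkmk's mk_logwatch code), here is a small re-implementation of the classification rule that the config fragments above rely on, run over a constructed config and constructed log lines. It compares log file paths exactly instead of with globs, and treats lines that match no pattern as ignored, which is how I understand the plugin's default.

```python
import re
# Constructed logwatch.cfg fragment in the format shown above (unindented line:
# log file(s); indented lines: state letter C/W/O/I plus a regular expression).
CONSTRUCTED_CFG = r"""
/var/log/mysql/error.log
 I Aborted connection .*Got timeout reading communication packets
 C \[ERROR\]
 W \[Warning\]
/var/log/syslog /var/log/kern.log
 C EXT[2-4]-fs .*Opts: errors=
 C [Cc]orrupt|inconsistent
 W crontab file will be ignored
 C segfault at|Out of memory: Kill|oom_reaper
"""

def parse_rules(cfg_text):
    """Return [(paths, [(level, compiled_regex), ...]), ...] in file order."""
    rules = []
    for raw in cfg_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                    # unindented: new section
            rules.append((raw.split(), []))
        else:                                        # indented: "<LEVEL> <regex>"
            level, pattern = raw.strip().split(None, 1)
            rules[-1][1].append((level, re.compile(pattern)))
    return rules

def classify(rules, path, line):
    """State letter for a line, or None if dropped. First match wins, so the I
    rule must precede the broader W rule. Paths compared exactly (no globs)."""
    for paths, patterns in rules:
        if path in paths:
            for level, regex in patterns:
                if regex.search(line):
                    return None if level == "I" else level
    return None                                      # unmatched: ignored

SAMPLE = [  # constructed log lines, not from a real host
    ("/var/log/mysql/error.log", "0 [ERROR] InnoDB: Database page corruption on disk"),
    ("/var/log/mysql/error.log", "12 [Warning] Aborted connection 12 to db: 'app' (Got timeout reading communication packets)"),
    ("/var/log/mysql/error.log", "0 [Note] InnoDB: Buffer pool(s) load completed"),
    ("/var/log/kern.log", "kernel: EXT4-fs (sda1): Corrupted inode table, run e2fsck"),
    ("/var/log/syslog", "cron[123]: (backup) INSECURE MODE (crontab file will be ignored)"),
]

if __name__ == "__main__":
    rules = parse_rules(CONSTRUCTED_CFG)
    for path, line in SAMPLE:
        print(classify(rules, path, line), line)
```

Running it prints C for the ERROR line, None for the timeout warning (ignored) and the Note line (unmatched), C for the corrupted inode table and W for the cron line, which is exactly the set the agent would forward for server-side rules to act on.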

Hi Martin,

Thanks for your suggestions especially on filesystem, didn’t think about that.
My logwatch is still evolving, and I plan to update it when we are hit with a “hmm, we should have done something with that log entry” event.

Thanks

Andy