How to Install and Use Logwatch for Automated Linux Log Analysis
This guide explains why manual log inspection is tedious, introduces Logwatch as a solution, and provides step‑by‑step commands to install it on CentOS, configure its settings, run analyses instantly, and interpret the generated reports.
Log files are essential for monitoring a server’s health, but manually reviewing them is time‑consuming and error‑prone, leading some administrators to skip log checks and risk unnoticed problems.
Logwatch is a log‑analysis tool that automatically parses logs, summarizes findings, and emails the results to the root user, allowing administrators to stay informed without inspecting each file individually.
On CentOS the tool is not installed by default on the "Basic Server" profile, so you must install it manually:
[root@localhost Packages]# yum -y install logwatch
After installation, copy the default configuration template to the active configuration location, because the file installed at that location is empty:
# Copy default config
cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
Edit /etc/logwatch/conf/logwatch.conf and set the most relevant options (comments have been removed for clarity):
LogDir = /var/log
TmpDir = /var/cache/logwatch
MailTo = root
MailFrom = Logwatch
Print =
#Print = yes (uncomment to print to stdout instead of emailing)
#Save = /tmp/logwatch (uncomment to save output to a file)
Range = yesterday
Detail = Low
Service = All
Service = "-zz-network"
Service = "-zz-sys"
Service = "-eximstats"
The configuration works out of the box; the only change most users make is setting Range = All to analyze the entire log history. Logwatch is triggered daily by a cron job placed in /etc/cron.daily/0logwatch.
To run the analysis immediately, execute the logwatch command. The following example shows a typical output, including sections for secure log connections, SSHD activity, installed packages, and disk usage:
# Immediately run Logwatch
logwatch
# View the generated email
mail
######## Logwatch 7.3.6 (05/19/07) ################
Processing Initiated: Fri Jun 7 11:57:33 2013
Date Range Processed: all
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: localhost.localdomain
--- Connections (secure-log) Begin ---
New Users: bb (501), def (503), hjk (504), zhangsan (505), dovecot (97), dovenull (498), aa (500)
New Groups: bb (501), def (503), hjk (504), zhangsan (505), dovecot (97), dovenull (498), aa (500)
Failed logins: User root: (null): 3 Time(s)
Root logins on tty's: 7 Time(s)
--- SSHD Begin ---
SSHD Killed: 7 Time(s)
SSHD Started: 24 Time(s)
Users logging in through sshd: 192.168.0.104 (10), 192.168.0.108 (8), 192.168.0.101 (6), ...
SFTP subsystem requests: 3 Time(s)
--- yum Begin ---
Packages Installed: perl-YAML-Syck-1.07-4.el6.i686, perl-Date-Manip-6.24-1.el6.noarch, logwatch-7.3.6-49.el6.noarch
--- Disk Space Begin ---
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 20G 1.9G 17G 11% /
/dev/sda1 194M 26M 158M 15% /boot
/dev/sr0 3.5G 3.5G 0 100% /mnt/cdrom
######### Logwatch End ##################
With Logwatch set up, routine log management becomes much easier. While CentOS ships with Logwatch, many other log‑analysis tools are available, and you can choose the one that best fits your workflow.
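The following script is an added example, not part of the original article: it reads a report written to a file through the Save option and flags failed logins at or above a threshold, plus sshd logins from addresses outside an expected prefix. The function names, threshold, prefix and sample report are constructed for illustration, and the parser assumes the one-line-per-item layout of the sample output above.

```shell
# Added example: triage a Logwatch report saved via "Save = <file>".
# Assumes the one-line-per-item layout of the sample output above.
# Constructed sample report (addresses and counts are made up).
sample_report() {
cat <<'EOF'
--- Connections (secure-log) Begin ---
Failed logins: User root: (null): 3 Time(s)
Failed logins: User aa: (null): 2 Time(s)
--- SSHD Begin ---
Users logging in through sshd: 192.168.0.104 (10), 10.9.8.7 (2), ...
EOF
}

# Sum every "N Time(s)" count found on "Failed logins:" lines.
failed_logins() {
    awk '/^Failed logins:/ {
        for (i = 1; i < NF; i++) if ($(i + 1) == "Time(s)") n += $i
    } END { print n + 0 }' "$1"
}

# Print sshd login sources that do not start with the allowed prefix ($2).
unexpected_ssh_sources() {
    awk -v allow="$2" '/^Users logging in through sshd:/ {
        sub(/^[^:]*: */, "")              # drop the label, keep the list
        n = split($0, parts, /, */)
        for (i = 1; i <= n; i++) {
            split(parts[i], f, " ")       # f[1] = address, f[2] = "(count)"
            if (f[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index(f[1], allow) != 1) { print f[1] }
        }
    }' "$1"
}

# triage REPORT THRESHOLD PREFIX: print alerts, return 1 if any fired.
triage() {
    t_rc=0
    t_n=$(failed_logins "$1")
    if [ "$t_n" -ge "$2" ]; then
        echo "ALERT failed logins: $t_n (threshold $2)"; t_rc=1
    fi
    for t_ip in $(unexpected_ssh_sources "$1" "$3"); do
        echo "ALERT sshd login from unexpected source: $t_ip"; t_rc=1
    done
    return "$t_rc"
}

demo=$(mktemp) && sample_report > "$demo"
triage "$demo" 5 "192.168.0." || echo "report needs review"
rm -f "$demo"
```

Pointing triage at the file named in the Save option after the daily cron run gives a non-zero exit status that a wrapper script can act on.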
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
