Logwatch is really useful for me, but I find it really tiresome to watch through all emails.

Is there any tool or solution that centralizes all the daily reports into one, and allows me to easily navigate through them?

Thanks.

HopelessN00b
SyRenity

2 Answers

We just set up a central logging server, then forward all syslog entries to that server and just run logwatch on that server.

Zypher

To give an example of Zypher's answer, what I do is forward *.debug to @loghost on all nodes. The loghost node runs syslog-ng, which has the ability to split out by source system. (I presume other modern syslog replacements like rsyslog can do similar things.)

I have a sample syslog-ng.conf file for Solaris, but changing it around to be for Linux isn't too hard.

As you can see, we also forward all inbound messages to a single file. This lets us run nightly (or more frequently when required) reporting on a single place, but during debugging or forensic operations we can just look at the system in question.

Another benefit of logging all messages to a single file is that the sequencing of events across multiple systems is easier to determine as that file gets written by arrival time. This means your clocks don't have to be 100% synchronized in order to figure out a sequence of events (although of course that should always be a goal, no matter how unattainable it is).

David Mackintosh
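
The loghost layout described in the answer above, written out as a syslog-ng.conf. This is an added example, not the answerer's own sample file; the version line, listening port, file paths and object names (`s_remote`, `d_per_host`, `d_combined`) are assumptions.

```conf
# Assumption: set the version line to the installed syslog-ng release.
@version: 3.38

# Clients forward with the classic syslog.conf rule from the answer:
#   *.debug    @loghost
# "@host" forwarding is plain UDP syslog, so the loghost listens on 514/udp.
source s_remote {
    network(transport("udp") port(514));
};

# One file per sending system, for debugging or forensics on a single host.
destination d_per_host {
    file("/var/log/hosts/${HOST}/messages" create-dirs(yes));
};

# Every inbound message in one file, appended in the order it arrives.
# R_ISODATE is the time the loghost received the message, so each line
# carries the receive time rather than the sender's own clock.
destination d_combined {
    file("/var/log/all-hosts.log"
         template("${R_ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

# Each inbound message goes to both destinations.
log {
    source(s_remote);
    destination(d_per_host);
    destination(d_combined);
};
```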