LOGWATCH(8) User Manuals LOGWATCH(8)
logwatch - system log analyzer and reporter
logwatch [--detail level ] [--logfile log-file-group ] [--service ser-
vice-name ] [--print] [--mailto address ] [--archives] [--range range ]
[--debug level ] [--save file-name ] [--logdir directory ] [--hostname
hostname ] [--numeric] [--help|--usage]
LogWatch is a customizable, pluggable log-monitoring system. It will
go through your logs for a given period of time and make a report in
the areas that you wish with the detail that you wish. Easy to use -
works right out of the package on almost all systems.
This is the detail level of the report. level can be high, med,
This will force LogWatch to process only the set of logfiles
defined by log-file-group (i.e. messages, xferlog, ...). Log-
Watch will therefore process all services that use those log-
files. This option can be specified more than once to specify
This will force LogWatch to process only the service specified
in service-name (i.e. login, pam, identd, ...). LogWatch will
therefore also process any log-file-groups necessary to process
these services. This option can be specified more than once to
specify multiple services to process. A useful service-name is
All which will process all services (and logfile-groups) for
which you have filters installed.
Print the results to stdout (i.e. the screen).
Mail the results to the email address or user specified in
You can specify a date-range to process. Common ranges are Yes-
terday, Today, All, and Help. Additional options are listed
when invoked with the Help parameter.
Each log-file-group has basic logfiles (i.e. /var/log/messages)
as well as archives (i.e. /var/log/messages.? or /var/log/mes-
sages.?.gz). When used with "--range all", this option will
make LogWatch search through the archives in addition to the
regular logfiles. For other values of --range, LogWatch will
search the appropriate archived logs.
For debugging purposes. level can range from 0 to 100. This
will really clutter up your output. You probably don’t want to
Save the output to file-name instead of displaying or mailing
Look in directory for log files instead of the default direc-
Use hostname for the reports instead of this system’s hostname.
In addition, if HostLimit is set in /etc/log.d/logwatch.conf,
then only logs from this hostname will be processed (where
Inhibits additional name lookups, displaying IP addresses numer-
Displays usage information
--help same as --usage.
Really a symlink to /etc/log.d/conf/logwatch.conf. This file
sets the default values of all the above options. These
defaults are used when LogWatch is called without any parameters
(i.e. from cron.daily). The file is well-documented, but the
explanations above also apply to this config file.
Configuration files for the various services whose log entries
LogWatch can process.
Configuration files for the various logfiles that the above ser-
vice’s log entries are stored in.
Filters common to many services and/or logfiles.
Filters specific to just particular logfiles.
Actual filter programs for the various services.
logwatch --service ftpd-xferlog --range all --detail high --print
This will print out all FTP transfers that are stored in all
current and archived xferlogs.
logwatch --service pam_pwdb --range yesterday --detail high --print
This will print out login information for the previous day...
For information on adding your own filter, please see the file HOWTO-
Make-Filter which should have been included with Logwatch. If you
installed from an RPM, it is probably under /usr/share/doc/logwatch-
Kirk Bauer <firstname.lastname@example.org>
Linux MARCH 1998 LOGWATCH(8)
Man(1) output converted with