24.04 Logwatch Install

Logwatch is a handy utility that can parse the system logs and send you details of system errors or issues with the server. Let's stick this on and set it up to mail the logs to an email address daily.

sudo apt install logwatch

As part of the installation, logwatch will install the postfix mailer, which we need to configure during the install. We will choose the option 'satellite system'.

Set the System mail name to your host name, in this case solaris.scottworld.net

For outgoing mail to relay correctly we need to set a 'relayhost'. When prompted for the relay host, enter:

[ssl0.ovh.net]:465

Next we need to change a few parameters

sudo nano /etc/postfix/main.cf

Modify the parameters below

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_wrappermode = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = solaris.scottworld.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = solaris.scottworld.net, $myhostname, solaris, localhost.localdomain, localhost
relayhost = [ssl0.ovh.net]:465
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

# Added to authenticate SMTP with OVH
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Added to re-map senders
sender_canonical_maps = regexp:/etc/postfix/sender_rewrite

Create a file

sudo nano /etc/postfix/sasl_passwd

Add the host and the account details.

ssl0.ovh.net root@scottworld.net:password

Execute the command (to refresh the password table)

sudo postmap /etc/postfix/sasl_passwd

Alias the sender account if needed by your ISP

If you don't have authorisation on your SMTP relay to send mail for the standard sender account (in this case root@scottworld.net) you can alias it.

Now create /etc/postfix/sender_rewrite

sudo nano /etc/postfix/sender_rewrite

And add the following so that the mail is not rejected by the relay host, as we don't own the address root@scottworld.net (this will alias the outgoing address)

/.*/      root@scottworld.net

Then run the following to enable the re-write.

sudo postmap /etc/postfix/sender_rewrite

Restart postfix

sudo systemctl restart postfix.service
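
A check for the relay configuration built in the steps above, as an added example that is not part of the original page: it reads a main.cf and the sasl_passwd file and reports settings that would weaken the authenticated relay. The function names and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the relay settings above.
# File paths are arguments, so it can be pointed at copies of the real files.

# conf_get FILE PARAM: print the last value assigned to PARAM in a main.cf.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_relay MAIN_CF SASL_PASSWD: print findings, return 1 if any is a FAIL.
audit_relay() {
    cf=$1; pw=$2; rc=0

    # The SASL password is sent over this session, so TLS must be mandatory.
    case $(conf_get "$cf" smtp_tls_security_level) in
        verify|secure|fingerprint|dane-only) ;;
        encrypt) echo "WARN: level 'encrypt' forces TLS but does not verify the relay certificate" ;;
        *) echo "FAIL: smtp_tls_security_level does not enforce TLS"; rc=1 ;;
    esac

    # Port 465 speaks TLS from the first byte; Postfix needs wrappermode for it.
    case $(conf_get "$cf" relayhost) in
        *:465)
            [ "$(conf_get "$cf" smtp_tls_wrappermode)" = yes ] ||
                { echo "FAIL: relayhost uses port 465 without smtp_tls_wrappermode = yes"; rc=1; } ;;
    esac

    # A send-only host should not accept SMTP from the network.
    [ "$(conf_get "$cf" inet_interfaces)" = loopback-only ] ||
        echo "WARN: inet_interfaces is not loopback-only"

    # The password file and its postmap output must be closed to group/other.
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "FAIL: $f is accessible to group or other (chmod 600)"; rc=1; }
    done
    return $rc
}

# With --live, audit the paths used on this page.
if [ "${1:-}" = "--live" ]; then
    audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd
fi
```

Moving from `encrypt` to `verify` or `secure` makes Postfix check the relay's certificate against the CAs in smtp_tls_CApath before the password is sent.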

Testing

You can now test that logwatch and the email functionality are working with the following command.

sudo logwatch --detail Med --mailto mark@scottworld.net

Monitor email errors with

tail -f /var/log/mail.log

Emailing Tweaks

We may want to catch mail errors, so we need to set up a root mailing account and a few mail utilities. We should be good citizens and set this up as it will collect bounced emails.

sudo apt-get install mailutils

Install the mutt mail reader

sudo apt-get install mutt

Check root's mailbox

sudo touch /var/mail/root
sudo chown root:root /var/mail/root
mutt -f /var/mail/root

You can test this by sending a mail to root@servername and reading it with mutt.

Configure Logwatch Daily Reports

Create a file

/etc/logwatch/conf/logwatch.conf

Add the following

MailTo = mark@scottworld.net
MailFrom = root@scottworld.net
Detail = Med
Format = text
Range = since 24 hours ago for those hours
Service = All
Service = -audit
Service = -http
Service = -sshd
Service = -pam_unix

Now we can make some changes to the level of logging for each service

/etc/logwatch/conf/override.conf

Add this line to tone down the logging

services/fail2ban: Detail = 1

Add a script for SMARTD error reporting

/etc/logwatch/conf/services/smartd.conf

Set the following to change the log file and reporting

LogFile =
LogFile = none
*JournalCtl = "--output=cat --no-pager --unit=smartmontools.service"

Update the named script to fix issues with qname minimization

sudo wget -O /etc/logwatch/scripts/services/named 'https://sourceforge.net/p/logwatch/git/ci/master/tree/scripts/services/named?format=raw'
sudo sed -i 's/DoLookup/#DoLookup/' /etc/logwatch/scripts/services/named
sudo sed -i -e '/minimization/s/failure/.*/' /etc/logwatch/scripts/services/named

Add a script for NAMED error reporting

/etc/logwatch/conf/services/named.conf

Set the following to change the log file and reporting

LogFile =
LogFile = syslog