Posted inUbuntu

Logwatch: Condense Thousands of Ubuntu Log Lines into a Daily Email Report

Ubuntu tutorial - IT technology blog
Ubuntu tutorial - IT technology blog

The “Log Diving” Nightmare Every Morning

Back when I first started managing servers for a startup, I often found myself in a reactive loop. One morning, I woke up to a 502 error on the website. Upon checking, I was horrified to find the server had been under an SSH brute-force attack all night with over 20,000 password attempts. At that moment, I was scrambling with grep and tail -f to dig through the massive /var/log/auth.log file.

Watching thousands of log lines scroll past on a console screen is pure torture. It’s straining on the eyes and makes it incredibly easy to miss suspicious signs. If you’re managing 3 to 5 VPS units or more, manually logging into each one to check logs every day is simply impossible.

Why Do We Often Ignore Critical Warnings?

Linux systems log everything: from successful logins to kernel errors. However, we usually ignore them for three main reasons:

  • A Sea of Data: A typical server running Nginx can generate 50-100MB of logs daily. 99% of that is inconsequential information.
  • Fragmentation: Every service (MySQL, SSH, Cron) hides its logs in its own corner.
  • Lack of Proactivity: Logs just sit there. Unless there’s an incident, nobody has the time to go looking.

The result is that warning signs—like a disk being 90% full or a strange IP probing for passwords—are often ignored until the system crashes completely.

What’s the Solution for Effective Log Management?

To handle this mountain of data, you usually consider three paths:

  1. ELK Stack or Graylog: These are high-end solutions with beautiful dashboards. But beware: they are massive RAM hogs. Running ELK on a 2GB RAM VPS is suicidal, not to mention the configuration takes all day.
  2. Custom Bash/Python Scripts: You can write scripts to grep for the keyword “Error” and send it to Telegram. This is flexible but high-maintenance when log formats change.
  3. Lean Log Analysis Tools: This is the optimal choice for small and medium-sized servers.

Logwatch – Your Lightweight Log Summary Assistant

After much trial and error, I chose Logwatch. This is an incredibly lightweight Perl script that works by scanning all log files from the last 24 hours, filtering out the key points, and sending a concise report via email. Instead of reading 10,000 lines of raw logs, you only need to skim an email about two phone screens long. A total win, right?

Step 1: Install Logwatch and Postfix

To send emails, the server needs a Mail Transfer Agent (MTA). I recommend Postfix because it’s stable and easy to relay through Gmail or SendGrid.

sudo apt update
sudo apt install logwatch postfix -y

When installing Postfix, a configuration screen will appear; select “Internet Site”. Then, enter your server’s domain name (e.g., server.itfromzero.com) in the system mail name field.

Step 2: Configure Email Reports

By default, Logwatch only prints reports to the terminal. To automate email delivery, we need to edit the configuration file. Don’t edit the file in /usr/share/logwatch directly. Copy it to /etc/logwatch to prevent it from being overwritten during package updates.

sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Now, open the file with nano and adjust the following lines:

sudo nano /etc/logwatch/conf/logwatch.conf

Priority parameters to set:

  • Output = mail (Switch from terminal output to email)
  • Format = html (Sending in HTML format makes the report look professional and easier to read than plain text)
  • MailTo = [email protected] (The address to receive reports every morning)
  • Detail = Low (Start with Low or Med for a general overview; only use High when you need a deep dive)
  • Range = yesterday (Summarize data from the previous day)

Step 3: Test and Check Your Inbox

Don’t wait until tomorrow morning. Run this command now to test your configuration:

sudo logwatch --output mail

If the command runs smoothly and an email appears in your Inbox (or Spam folder), you’re 90% of the way there.

Step 4: Set Up Email Relay (The Key to Success)

Emails sent directly from a VPS IP are often blocked by Gmail as suspected spam. The best fix is to configure Postfix to relay through SendGrid or Amazon SES. For personal use, you can use Gmail’s own SMTP via the “App Password” feature. This ensures your log reports always reach you on time without getting lost.

Pro Tips for Using Logwatch Effectively

Here are a few lessons I’ve learned after several years of use:

1. Focus only on critical services: If your server runs many things but you only care about SSH and Nginx, specify those services in the config file using the Service variable for a shorter report.

2. Adjust the report delivery time: Ubuntu automatically creates a cron job at /etc/cron.daily/00logwatch. I usually change the cron time to 7:00 AM. That way, I have a fresh report to read while sipping my morning coffee.

3. Stay alert with SSH: Scrutinize the “SSH Begin” section. If you see the number of “Failed password” attempts spike into the thousands from a strange IP, install Fail2ban immediately or change your SSH port to protect the server.

Server administration is less exhausting when you know how to leverage the right tools. Logwatch doesn’t replace real-time monitoring systems, but it’s an excellent general layer of protection. It takes less than 5 minutes a day to stay fully informed about your server’s health.

Wishing you an easier time managing your servers. If you run into trouble configuring the Postfix relay, don’t hesitate to leave a question in the comments!

Share:
Tags: