[wellylug] hating on the Logwatch
Jethro Carr
jethro.carr at jethrocarr.com
Wed Mar 4 14:54:09 NZDT 2009
On Wed, 2009-03-04 at 14:39 +1300, Spiro Harvey wrote:
> > Seriously, I can't warn you against logwatch strongly enough: it is
> > built around the worst possible model of log monitoring.
>
> Please explain.
>
> It's not actually a monitor, it's really just a log reporting tool. It
> will troll your logs and give you a summary of what happened in the
> last day (or whatever period you've defined).
>
> So I can see how you would think it's the world's worst log monitor as
> that isn't its purpose. But perhaps I'm misinterpreting your
> interpretation of monitoring. :)
Spiro has a good point: it is really a log reporting tool, not a
monitoring tool.
I use logwatch for about 10-15 machines and find it very useful - it
alerts me to any abnormal log messages, failed authentication attempts
and other useful stats.
I can understand some admins just end up skipping over them; depending
on the way logwatch is set up, you might end up with a lot of unwanted
junk.
I have found logwatch useful in the past for:
* being alerted to people making changes to /etc/aliases without running
newaliases
* alerting to kernel log messages from failing HDDs
* detecting brute-force login attempts from a server which had not had
port 22 firewalled off.
--
Jethro Carr
www.jethrocarr.com/index.php?cms=blog
www.amberdms.com