From ArchWiki

Logwatch is a powerful and versatile log parser and analyzer. Logwatch is designed to give a unified report of all activity on a server, which can be delivered through the command line or email.


Install logwatch.

In addition to the logwatch binaries, scripts and configuration files, the package used to include a cron job that was installed as /etc/cron.daily/0logwatch. You need to start/enable logwatch.timer to generate regular logwatch reports.


Logwatch has a tiered configuration approach. There are several locations where configuration details can be specified, with each one superseding the previous one:

  • /usr/share/logwatch/default.conf/*
  • /etc/logwatch/conf/dist.conf/*
  • /etc/logwatch/conf/*
  • The script / command line arguments

Logwatch will parse all these location when called.

Within these directories, there are several areas of configuration. The logwatch.conf files are where most of the high-level settings are, which allow you to set where your reports are sent, how they are formatted, etc. The configuration file at /usr/share/logwatch/default.conf/logwatch.conf contains all the default settings and comments on what they do. It is recommended to leave the default configuration alone and instead re-define a setting variable you want to change in /etc/logwatch/conf/logwatch.conf.

Within the logfiles directory of any locations are configuration files detailing specific log files. By default, most of the common log files found in a Linux system are already accounted for. If you have some esoteric application that does not have a log file configuration already, copy an existing one from the default.conf/logfiles directory and customize it for your application.

The services folder contains similar definitions, but these one define the various services reported by logwatch. This is necessary because often multiple services will report to the same log (e.g. messages, dmesg, boot, etc.). For more information, examine some of the default services files.

Note that if you want logwatch messages delivered by email, you need to install a package that provides a sendmail frontend. Postfix is a good choice.

There is a helpful document supplied with the package to give further information on configuration. It is located at /usr/share/logwatch/HOWTO-Customize-LogWatch.