目的
Logwatchは、日々吐き出されるログを、特定の人にメールしてくれる便利なソフトです。今回このソフトを導入してみますが、すでにCentOSには導入済みでした。簡単な設定でメールが届きます。
Logwatchの設定
Logwachtは、標準で導入されています。postfixやsendmailが組み込まれていれば初期設定では、rootに送られてきます。
設定ファイルは、/usr/share/logwatch/default.conf/logwatch.confになります。
初期設定内容は、以下の通りです。
########################################################
# This was written and is maintained by:
# Kirk Bauer
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
#
########################################################
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of = . Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log ←ログの入っているディレクトリーの指定
# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch ←メールされる情報が格納されているディレクトリー
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = root ←メールされる宛先(初期設定はroot)
# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom = Logwatch
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = Nov
# if set, the results will be saved in instead of mailed
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday ←昨日のログを送る(Todayにすると本日のログが送られてくる。)
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...
#
# By default we assume that all Unix systems have sendmail or a sendmail-like system.
# The mailer code Prints a header with To: From: and Subject:.
# At this point you can change the mailer to any thing else that can handle that output
# stream. TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "sendmail -t"
#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes
# vi: shiftwidth=3 tabstop=3 et
# This was written and is maintained by:
# Kirk Bauer
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
#
########################################################
# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log ←ログの入っているディレクトリーの指定
# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch ←メールされる情報が格納されているディレクトリー
# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = root ←メールされる宛先(初期設定はroot)
# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom = Logwatch
# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = Nov
# if set, the results will be saved in
# or displayed.
#Save = /tmp/logwatch
# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All
# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday ←昨日のログを送る(Todayにすると本日のログが送られてくる。)
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All
# You can also disable certain services (when specifying all)
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many
# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...
#
# By default we assume that all Unix systems have sendmail or a sendmail-like system.
# The mailer code Prints a header with To: From: and Subject:.
# At this point you can change the mailer to any thing else that can handle that output
# stream. TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "sendmail -t"
#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes
# vi: shiftwidth=3 tabstop=3 et
以上で、ほとんど変更はしない。メールの宛先を変えたければrootを、自分宛のメールアドレスに変更すれば送られてくる。
今回は、postfixでaliasesDBの設定をrootあてはinfoに来るように設定してあるので、変更はしない。
Logwatchが動作しない?
メールが来ない
翌日メールを確認すると、Logwatchからメールが来ていない。
おっと、これはまた、はまってしまうのか。
maillogを確認すると、以下のログが残っていた。
Jun 22 04:02:08 localhost sendmail[29563]: n5LJ232e029563: from=root, size=25638,
class=0, nrcpts=1, msgid=<200906211902.n5LJ232e029563@localhost.localdomain>, relay=root@localhost
Jun 22 04:02:09 localhost postfix/smtpd[29837]: connect from localhost.localdomain[127.0.0.1]
Jun 22 04:02:09 localhost postfix/smtpd[29837]: NOQUEUE: reject: RCPT from localhost.
localdomain[127.0.0.1]: 450 4.1.8 <root@localhost.localdomain>: Sender address rejected:
Domain not found; from=<root@localhost.localdomain> to=<info@localhost.localdomain>
proto=ESMTP helo=
Jun 22 04:02:09 localhost sendmail[29563]: n5LJ232e029563: to=info, ctladdr=root (0/0),
delay=00:00:06, xdelay=00:00:00, mailer=relay, pri=55638, relay=[127.0.0.1] [127.0.0.1],
dsn=4.1.8, stat=Deferred: 450 4.1.8: Sender address rejected:
Domain not found
Jun 22 04:02:09 localhost postfix/smtpd[29837]: disconnect from localhost.localdomain[127.0.0.1]
class=0, nrcpts=1, msgid=<200906211902.n5LJ232e029563@localhost.localdomain>, relay=root@localhost
Jun 22 04:02:09 localhost postfix/smtpd[29837]: connect from localhost.localdomain[127.0.0.1]
Jun 22 04:02:09 localhost postfix/smtpd[29837]: NOQUEUE: reject: RCPT from localhost.
localdomain[127.0.0.1]: 450 4.1.8 <root@localhost.localdomain>: Sender address rejected:
Domain not found; from=<root@localhost.localdomain> to=<info@localhost.localdomain>
proto=ESMTP helo=
Jun 22 04:02:09 localhost sendmail[29563]: n5LJ232e029563: to=info, ctladdr=root (0/0),
delay=00:00:06, xdelay=00:00:00, mailer=relay, pri=55638, relay=[127.0.0.1] [127.0.0.1],
dsn=4.1.8, stat=Deferred: 450 4.1.8
Domain not found
Jun 22 04:02:09 localhost postfix/smtpd[29837]: disconnect from localhost.localdomain[127.0.0.1]
上記のログから、なぜかroot@localhostになっている。本来であれば@以降は、ドメイン名が来なくてはいけないのではと思ったが平日なので次の休日に行うことにする。ログメールが来ないから、動作に支障をきたすわけではないので。
次の休日、postfixの設定ファイルを再度確認したり、編集してみたりしたが結果は同じ。
気になるのが、1行目のlocalhost sendmailとなっているところ、なぜsendmailなのか、sendmailはサーバーの設定で停止しているはずなのに?
今度は、Logwatchの設定ファイルを編集してみたりしたが結果は同じ。
やはり、sendmailが怪しいのか。しかし、停止しているはず。あっという間に1日目が終了。
2日目に突入。
無事解決
まさかとは思うが、有効になっているmtaを確認してみる。確認方法は、GNOME端末から以下のコマンドで確認できる。
# alternatives --config mta と入力
以下のように、表示された。
[root@localhost ~]# alternatives --config mta
2 プログラムがあり 'mta' を提供します。
選択 コマンド
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter を押して現在の選択 [+] を保持するか、選択番号を入力します:2
2 プログラムがあり 'mta' を提供します。
選択 コマンド
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter を押して現在の選択 [+] を保持するか、選択番号を入力します:2
なんと、sendmailが有効になっているではないか?
理由はわからないが、選択番号を2のpostfixにして、Enterをする。
再度、確認をする。
[root@localhost ~]# alternatives --config mta
2 プログラムがあり 'mta' を提供します。
選択 コマンド
-----------------------------------------------
* 1 /usr/sbin/sendmail.sendmail
+ 2 /usr/sbin/sendmail.postfix
Enter を押して現在の選択 [+] を保持するか、選択番号を入力します:
2 プログラムがあり 'mta' を提供します。
選択 コマンド
-----------------------------------------------
* 1 /usr/sbin/sendmail.sendmail
+ 2 /usr/sbin/sendmail.postfix
Enter を押して現在の選択 [+] を保持するか、選択番号を入力します:
今度は、postfixが有効になった。再度Logwatchを実行させてみる。実行方法は、以下の通り。
# /usr/sbin/logwatch と入力
メールクライアントを確認すると、無事Logwatchからメールが届いていた。maillogは以下の通り
Jul 19 04:02:08 localhost postfix/qmgr[2517]: 7627AF651D: from=<root@hogehoge.com>,
size=8300, nrcpt=1 (queue active)
Jul 19 04:02:16 localhost postfix/local[25143]: 7627AF651D: to=<info0@hogehoge.com>,
orig_to=<root>, relay=local, delay=12, delays=4.1/0.01/0/8.3, dsn=2.0.0, status=sent
(delivered to maildir)
Jul 19 04:02:16 localhost postfix/qmgr[2517]: 7627AF651D: removed
size=8300, nrcpt=1 (queue active)
Jul 19 04:02:16 localhost postfix/local[25143]: 7627AF651D: to=<info0@hogehoge.com>,
orig_to=<root>, relay=local, delay=12, delays=4.1/0.01/0/8.3, dsn=2.0.0, status=sent
(delivered to maildir)
Jul 19 04:02:16 localhost postfix/qmgr[2517]: 7627AF651D: removed
あと、同時にCron DaemonさんからCron <root@localhost> run-parts /etc/cron.dailyというメールが届きました。内容は、以下の通りです。
/etc/cron.daily/0logwatch:
You have old files in your logwatch tmpdir (/var/cache/logwatch):
logwatch.kFIOupkL
The directories listed above were most likely created by a
logwatch run that failed to complete successfully. If so, you
may delete these directories.
You have old files in your logwatch tmpdir (/var/cache/logwatch):
logwatch.kFIOupkL
The directories listed above were most likely created by a
logwatch run that failed to complete successfully. If so, you
may delete these directories.
これは、いままでメールできなかった分が/var/cache/logwatchに残ってますよ!ということで、ファイルに残されているlogを削除すると、翌日から来なくなります。
これで、無事Logwatchが動くようになりました。