Problem solve Get help with specific problems with your technologies, process and projects.

Logwatch: Taking the pain out of log analysis

This column reviews the benefits of Logwatch, an open source security log analysis tool.

More security tools

Visit our resource center for news, tips and expert advice on how to install and use open source security tools  in your organization. 

Visit our Security IT Download section and review other viable freeware tools.

Each month, the editor of our downloads section recommends the security freeware that he finds most valuable. This month, Scott Sidel reviews the benefits of Logwatch.

If you've been searching for a tool to help simplify your security log analysis process consider, Logwatch. This powerful tool specifies which events are important to you, and then scans the log files and reports on those key events. It can parse through systems and application log files, and its output is easily customizable by modifying variables in the /etc/logwatch/conf directory. Additionally, Logwatch comes with many pre-written log parsing PERL scripts.

Logwatch ships as a standard part of several Linux systems and is also downloadable as a binary RPM or as source. While it runs on Unix/Linux, it can analyze logs from nearly any system. Simply create a log repository via syslog (exported Windows logs can be read and examined too) and Logwatch can read logs originating from multiple appliances and systems.

Why it's a cool tool
The value of logs is proportionate to the amount of review they get, so the more often they are reviewed, the more likely it is that critical security events will be noticed. But no one can review logs for very long without their eyes glazing over and brain lock occurring. Logwatch saves you from such brain drain. All you need to do is come up with a list of what you are looking for and then automate the "looking" process with Logwatch.

Additionally, Logwatch can help fill in the information gap if you can't afford an expensive security event management correlation engine. For example, Logwatch can email a report on brute force login attempts, like this:

anonymous/password from (IP HERE): 16 Time(s)
guest/password from (IP HERE): 7 Time(s)
root/password from (IP HERE): 31 Time(s)

This beats looking through systems logs manually to discover how many failed login attempts are occurring.

About the Author:
Scott Sidel, CISSP, CEH, NSA-IAM, is an information systems security officer with Lockheed Martin and a contributing editor to

Next Steps

Video streaming service uses log analytics to manage 1,000 servers

This was last published in September 2006

Dig Deeper on Open source security tools and software