[Discuss] Simple server monitoring: logwatch

[tmetro+blu at gmail.com (Tom Metro)]

Jerry Feldman wrote:
> ...for ultimate simplicity logwatch gives you a lot of information...

I use logwatch on to monitor my personal machines, and I have a
love-hate relationship with it. The good parts are that it is easy to
install, highly configurable, and not too hard to extend.

The bad part is that it has a poor "out of the box" experience, as
packaged by Debian/Ubuntu. The daily reports are too noisy. Filled with
things that are only informational. So after a while, you grow tired of
looking at them, they pile up, and then are completely ignored. So any
benefit is lost.

To make it useful you have to tune it to produce the informational
reports on a much lower frequency, like weekly, and have it send alerts
for the unexpected things as-needed.

The other down side is that the log filters bundled with logwatch
inevitably fall behind in their understanding of what messages other
packages generate. So you'll get an update to say smartd, and it'll
start logging some new message that the current smartd logwatch filter
doesn't recognize, so it gets reported as an anomaly. You then have to
file a bug[1], and either live with the noise, or fix the filter.

1. https://bugs.launchpad.net/bugs/1076461

It's designed for batch processing logs, which limits how short of an
update period you can practically use, which means it isn't an
appropriate solution for a production server.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/