
logwatch and systemd/journal

I’m a bit old-style and I like logwatch, and all my servers send me an email every day with a handy summary of what happened on the server. And sometimes I even read those emails! It is probably not as useful as logcheck, but it is easier to use.

Anyway, from the man page:

Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.

I have been using it virtually forever, and I was setting up a new server last weekend and of course I had to get that daily email. But it turns out a fresh install of Debian 12 comes with systemd-journald (my other servers were upgraded, so they still use the old logging system), and there aren’t logs for sshd that logwatch can process. At least not in the usual place.

In reality systemd-journald is not that different from what you get with rsyslog, but some of the differences are annoying, like it being a binary log, which means you can’t use the text processing tools you are used to on plain files; you need to use journalctl. And that is what prevents logwatch from checking sshd’s logs, because there is no auth.log file.

I don’t like the direction most Linux distributions are taking embracing systemd and its ecosystem, but I trust Debian, even if some decisions are controversial. In theory systemd-journald improves on a few things, but in practice none of those really make a difference to me, and I’m only left with the annoyance of things that used to work and now don’t.

This time I decided to see if I can still use it, instead of just installing rsyslog like on the other servers. And it turns out, logwatch can interact with journalctl.

We only have to add a file in /etc/logwatch/conf/services with the name of the service ending in .conf, in this case sshd.conf, with the following content:

LogFile =
LogFile = none
*JournalCtl = "--output=cat --unit=ssh.service"

With LogFile you specify a logfile group, and it is required. You can provide as many entries as you want and they will be merged. We don’t really have a log file, that’s why we need to provide two entries: one empty to clear any value, and the other with the magic string none for no logfile group (we could also create a logfile group pointing to an empty log file, but this is cleaner).

Then *JournalCtl refers to a script in /usr/share/logwatch/scripts/ that will interface with journalctl, and will enable logwatch to process the missing logs.

Once the file is in place, you can run logwatch with /etc/cron.daily/00logwatch and you should get your email, including the report of the sshd logs (you can also just run logwatch and get the report on the console, but testing end-to-end is nice in this case).
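To see what logwatch actually receives from that JournalCtl line, here is an added example (not from the post, and not logwatch’s own sshd script): a small POSIX shell summary run over constructed sshd messages in the form `journalctl --output=cat --unit=ssh.service` emits, i.e. only the message text, with no timestamp or hostname prefix. The user names and IP addresses are made up (documentation ranges).

```shell
#!/bin/sh
# Constructed sample of `journalctl --output=cat --unit=ssh.service` output:
# bare sshd MESSAGE fields, no syslog-style timestamp/host prefix.
SAMPLE_JOURNAL='Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:AAAA
Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Failed password for root from 203.0.113.9 port 33000 ssh2
Disconnected from authenticating user root 203.0.113.9 port 33000 [preauth]
Accepted password for bob from 192.0.2.11 port 50000 ssh2'

# Read sshd messages on stdin and print a logwatch-style summary:
# accepted logins per user/method and failed attempts per source address.
summarize_sshd() {
    awk '
        # "Accepted <method> for <user> from <ip> port <n> ssh2..."
        /^Accepted / { acc[$4 " via " $2]++ }
        # "Failed password for invalid user <user> from <ip> port <n> ssh2"
        /^Failed password for invalid user / { fail[$8 " (invalid user " $6 ")"]++ }
        # "Failed password for <user> from <ip> port <n> ssh2"
        /^Failed password for / && !/invalid user/ { fail[$6 " (user " $4 ")"]++ }
        END {
            for (k in acc)  printf "accepted %s: %d\n", k, acc[k]
            for (k in fail) printf "failed from %s: %d\n", k, fail[k]
        }' | sort
}

# Number of failed password attempts from one address in the sample.
failed_from() {
    printf '%s\n' "$SAMPLE_JOURNAL" | grep -c "^Failed password for.* from $1 port "
}

# On a live Debian 12 host (assumes systemd and the ssh.service unit name
# from the post) the same function works on yesterday's journal:
#   journalctl --output=cat --unit=ssh.service --since=yesterday | summarize_sshd
printf '%s\n' "$SAMPLE_JOURNAL" | summarize_sshd
```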

I assume I will find other cases in which journalctl gets in the way and I may end up installing rsyslog anyway, but for now things work!
