Logwatch

Logwatch scans log files (usually once a day, from cron) and mails a report summarizing whatever its filters consider noteworthy. Later OS releases ship with Logwatch already installed. Otherwise, download the latest source from http://www.logwatch.org/. Place the tar file in an appropriate directory and untar it:

     cd /rpm/logwatch
     tar -xvzf logwatch-7.3.6.tar.gz

The logwatch install consists mostly of copying files into the install directory. The distribution contains a shell script that does this for you:

     cd logwatch-7.3.6
     ./install_logwatch.sh

For our purposes, we assume you picked /usr/local/logwatch for the install directory (when asked by the script) and /tmp for the temporary directory. Note that logwatch writes its temporary files there as root, so a directory that only root can write to (for example /var/cache/logwatch) is a safer choice than the world-writable /tmp.

Once you have run this script, logwatch will be installed in the directory that you picked (for preinstalled versions it is usually /usr/share/logwatch), plus /etc/logwatch. Make any changes you need in /etc/logwatch; settings and scripts there override the defaults found in the install directory, and they survive an upgrade of the installed tree. The most common changes are described below. The script also adds a symlink called 0logwatch in /etc/cron.daily pointing at the logwatch script, which makes cron run logwatch once a day as root. Because anything under /etc/logwatch/scripts is executed by that root cron job, keep the whole /etc/logwatch tree owned by root and not writable by anyone else.

/etc/logwatch/conf/logwatch.conf:

The default logwatch configuration parameters are in default.conf/logwatch.conf and dist.conf/logwatch.conf under the install directory (/usr/local/logwatch or /usr/share/logwatch). Any changes that you make in /etc/logwatch/conf/logwatch.conf override these defaults. The easiest way to override the configuration parameters is to copy default.conf/logwatch.conf to /etc/logwatch/conf/logwatch.conf and then edit it directly, keeping only the settings you actually change.

     ############################################################################
     #
     # Local overrides to the default logwatch configuration.
     #
     # Defaults are in /usr/local/logwatch/default.conf/logwatch.conf and
     # /usr/local/logwatch/dist.conf/logwatch.conf.
     #
     # All of these, and the default, options can be overridden on the logwatch
     # command line.
     #
     ############################################################################
     # You can put comments anywhere you want to.  They are effective for the
     # rest of the line.
     # This is in the format of <name> = <value>.  Whitespace at the beginning
     # and end of the lines is removed.  Whitespace before and after the = sign
     # is removed.  Everything is case insensitive.
     # Yes = True  = On  = 1
     # No  = False = Off = 0
     # Default Log Directory
     # All log-files are assumed to be given relative to this directory.
     # This should be /var/log on just about all systems...
     LogDir = /var/log
     # Default person to mail reports to.  Can be a local account or a
     # complete email address.  Make sure mail to this address is actually read.
     MailTo = root
     # By default we assume that all Unix systems have sendmail or a sendmail-like
     # system.  The mailer code prints a header with "To:", "From:" and
     # "Subject:".  At this point you can change the mailer to anything else that
     # can handle that output stream.  (Installing an alternate mailer possibly
     # messes this up, so re-check it after changing MTAs.)
     mailer = "/usr/sbin/sendmail -t"
     # If set to 'Yes', the report will be sent to stdout instead of being
     # mailed to above person.
     Print = No
     # The default time range for the report...
     # The current choices are All, Today, Yesterday
     Range = yesterday
     # The default detail level for the report.
     # This can either be Low, Med, High or a number.
     # Low = 0
     # Med = 5
     # High = 10
     Detail = Low
     # The 'Service' option expects either the name of a filter (a file in
     # scripts/services/ under the install directory or under /etc/logwatch)
     # or 'All'.  This should be left as All for most people.
     Service = All

/etc/logwatch/conf/logfiles:
/etc/logwatch/conf/services:
/etc/logwatch/scripts/logfiles:
/etc/logwatch/scripts/services:

Any local additions to make logwatch watch log files that it doesn't know about belong in these directories: conf/logfiles defines a logfile group (which files to read and how to apply the date range), conf/services defines a service (its report title and which logfile group feeds it), and scripts/services holds the filter itself, an executable that receives the selected log lines on stdin and writes the report section to stdout. Files with the same name under /etc/logwatch take precedence over those in the install directory. Read the notes in the install directory and/or the source distribution directory (HOWTO-Customize-LogWatch) for the full set of directives available when writing new logfile scanners.
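The following is an added example, not code from the logwatch distribution or from this page, showing all three pieces of a custom scanner for a hypothetical daemon called "myapp". The daemon, its log format (syslog-style lines in /var/log/myapp.log saying "login failed for user X from Y"), the file names and the LOGWATCH_ETC variable are assumptions made for illustration. The filter also honours the Detail setting from logwatch.conf, which logwatch exports to every filter as LOGWATCH_DETAIL_LEVEL, so the same script gives a one-line count at Low and a per-user/source breakdown at Med and above.

```sh
#!/bin/sh
# Added example (not part of the logwatch distribution): a complete custom
# filter for a hypothetical daemon "myapp" that logs lines such as
#   Mar  3 02:14:07 host myapp[4711]: login failed for user bob from 10.0.0.5
# to /var/log/myapp.log.  The daemon, its log format and the file names are
# assumptions for illustration.
#
# Three files make a scanner:
#   conf/logfiles/myapp.conf  - the logfile group: which files, how to date-filter
#   conf/services/myapp.conf  - the service: report title, which group feeds it
#   scripts/services/myapp    - the filter: selected lines on stdin, report on stdout
#
# LOGWATCH_ETC defaults to a scratch directory so this runs unprivileged;
# set LOGWATCH_ETC=/etc/logwatch and run as root to install for real.
LOGWATCH_ETC="${LOGWATCH_ETC:-$(mktemp -d)}"

install_myapp_filter() {
    mkdir -p "$LOGWATCH_ETC/conf/logfiles" "$LOGWATCH_ETC/conf/services" \
             "$LOGWATCH_ETC/scripts/services"

    # Logfile group.  Paths are relative to LogDir; Archive picks up rotated
    # copies.  *ApplyStdDate makes "Range = yesterday" select on the syslog
    # timestamp, and *ExpandRepeats expands "last message repeated N times".
    cat > "$LOGWATCH_ETC/conf/logfiles/myapp.conf" <<'EOF'
LogFile = myapp.log
Archive = myapp.log.*
*ExpandRepeats
*ApplyStdDate
EOF

    # Service.  *OnlyService keeps lines whose syslog program name is myapp and
    # *RemoveHeaders strips the "date host myapp[pid]:" prefix before the filter
    # sees them.
    cat > "$LOGWATCH_ETC/conf/services/myapp.conf" <<'EOF'
Title = "myapp"
LogFile = myapp
*OnlyService = myapp
*RemoveHeaders
EOF

    # Filter.  Any executable works; logwatch exports the Detail setting as
    # LOGWATCH_DETAIL_LEVEL (Low = 0, Med = 5, High = 10).  Printing nothing
    # means "nothing to report" and the section is left out of the mail.
    cat > "$LOGWATCH_ETC/scripts/services/myapp" <<'EOF'
#!/bin/sh
awk -v detail="${LOGWATCH_DETAIL_LEVEL:-0}" '
/login failed for user [^ ]+ from [^ ]+/ {
    for (i = 1; i <= NF; i++) {
        if ($i == "user") who = $(i + 1)
        if ($i == "from") src = $(i + 1)
    }
    fail[who " from " src]++
    total++
    next
}
/login succeeded for user/ { ok++; next }
END {
    if (total > 0) {
        print "Failed logins: " total
        if (detail >= 5) {                 # per-user/source breakdown at Med and up
            n = 0
            for (k in fail) keys[++n] = k
            for (i = 2; i <= n; i++) {     # insertion sort: same order every run
                v = keys[i]
                for (j = i - 1; j >= 1 && keys[j] > v; j--) keys[j + 1] = keys[j]
                keys[j + 1] = v
            }
            for (i = 1; i <= n; i++) print "   " keys[i] " : " fail[keys[i]] " time(s)"
        }
    }
    if (ok > 0) print "Successful logins: " ok
}'
EOF
    chmod 755 "$LOGWATCH_ETC/scripts/services/myapp"
}

# Runs the installed filter the way logwatch would, at a given detail level.
run_myapp_filter() {
    LOGWATCH_DETAIL_LEVEL="${1:-0}" "$LOGWATCH_ETC/scripts/services/myapp"
}

# Constructed sample input, as the filter sees it after *RemoveHeaders.
sample_myapp_lines() {
    cat <<'EOF'
login failed for user bob from 10.0.0.5
login succeeded for user alice from 10.0.0.7
login failed for user bob from 10.0.0.5
config reloaded
login failed for user admin from 192.0.2.10
EOF
}

install_myapp_filter
sample_myapp_lines | run_myapp_filter 5
```

Once the three files are under /etc/logwatch (owned by root, with the filter executable), you can check the new section without waiting for the nightly cron run by overriding the config on the command line, e.g. logwatch --service myapp --range all --detail high --print. Keep the filter silent when it has nothing to say: an empty section is dropped from the mail, which is what keeps the daily report readable.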