Logwatch mail showing no iptables entries in Ubuntu/Mint and Oracle Linux

I see how it is...

Updated: 29-05-2022 (dd-mm-yyyy)

For my home labs I use Logwatch a lot to keep a daily eye on the health and running of a handful of Linux VMs and boxes. I use it on Debian derivatives like Raspberry Pi OS, Raspbian, Linux Mint and Ubuntu, but also on Oracle Linux, etc.

After I recently did some hardening on all servers with UFW, I got iptables output from the Raspberry Pi’s, but not from the Linux Mint servers, and not from recent Red Hat derivatives either. On Ubuntu/Linux Mint, after walking through all settings of both UFW and Logwatch, I finally found the culprit; I hope this may help someone. For Red Hat derivatives like Oracle Linux you have to do something extra if your distro uses firewalld.

It seems that on Raspbian, the OS on the Raspberries, /var/log/messages still exists. On Ubuntu and Linux Mint, messages has not existed for a long time already. But the Logwatch (version 7.4.3) provided in the OS repository ships an iptables configuration which uses /var/log/messages for getting its iptables information. Instead, syslog should be used, which is available in all Debian derivatives. This also applies to recent Red Hat derivatives.

The whole story:

Install logwatch:

  • Debian derivatives:
sudo apt install logwatch -y
  • Red Hat derivatives (use yum instead of dnf if dnf is not working):
sudo dnf install logwatch -y

Set the recipient email address and the from name here; it’s pretty self-explanatory:

sudo vim /usr/share/logwatch/default.conf/logwatch.conf

This is where you can find the iptables configuration for logwatch:

/usr/share/logwatch/default.conf/services/iptables.conf

With

less /usr/share/logwatch/default.conf/services/iptables.conf

you can see this:

# Which logfile group...
LogFile = messages
LogFile = iptables

Here messages means the log-file group for /var/log/messages.

Now don’t go changing this file, because an update of Logwatch will overwrite your changes. You have to make an override, which will stay in place even after an update of Logwatch:

sudo cp /usr/share/logwatch/default.conf/services/iptables.conf /etc/logwatch/conf/services/

And then you make your changes to the latter with (using vim here, use your favorite editor):

sudo vim /etc/logwatch/conf/services/iptables.conf

and change LogFile = messages to LogFile = syslog:

# Which logfile group...
LogFile = syslog
LogFile = iptables

If you want host DNS resolution for the IPs in your iptables findings, set this one to Yes:

# Set this to yes to lookup IPs in kernel firewall report
$iptables_ip_lookup = Yes

Save your changes.

You can test the output just by using the logwatch command:

logwatch

If you have a Debian derivative, you should be good now.

If you have a Red Hat derivative that is using firewalld (like Oracle Linux/CentOS/AlmaLinux 8.x), you are not finished yet. You have to tell firewalld to log denied packets, because that’s off by default. Open this file and change LogDenied=off to LogDenied=all:

sudo vim /etc/firewalld/firewalld.conf

Now reload the firewalld service:

sudo firewall-cmd --reload

Now you have to wait for your next Logwatch report to see some logging, because that logging has to be collected first.
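As an added example that is not part of the original post, here is the whole procedure above scripted in POSIX sh: copy the packaged iptables.conf into the override directory, switch the messages log-file group to syslog, turn on $iptables_ip_lookup, and set LogDenied=all in firewalld.conf. The paths are the ones named in the post; the sandbox tree the script builds by default contains constructed sample files, so it runs offline without root. On a live system you would call the functions with an empty root ("") as root, which is an assumption about your layout, not something the post does.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the Logwatch override and
# the firewalld LogDenied change described above. All paths are relative to a
# root prefix so the script can be exercised in a throwaway sandbox first.
set -eu

# Copy the packaged iptables.conf into /etc/logwatch/conf/services/ (never
# editing the packaged copy) and switch "messages" to "syslog".
# $1 is the filesystem root ("" for a live system).
logwatch_iptables_override() {
    root="$1"
    src="$root/usr/share/logwatch/default.conf/services/iptables.conf"
    dstdir="$root/etc/logwatch/conf/services"
    dst="$dstdir/iptables.conf"
    mkdir -p "$dstdir"
    [ -f "$dst" ] || cp "$src" "$dst"
    # Only the LogFile line naming the "messages" group is rewritten; the
    # "iptables" group line is left alone. Temp file + mv keeps it portable.
    sed -e 's/^LogFile = messages$/LogFile = syslog/' \
        -e 's/^\$iptables_ip_lookup = .*/$iptables_ip_lookup = Yes/' \
        "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Make firewalld log denied packets; $1 is the path of firewalld.conf.
# (Reload afterwards with: sudo firewall-cmd --reload)
firewalld_log_denied_all() {
    conf="$1"
    sed 's/^LogDenied=.*/LogDenied=all/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the log-file groups an iptables.conf tells Logwatch to read, one per line.
logwatch_logfile_groups() {
    sed -n 's/^LogFile = //p' "$1"
}

# Return 0 when the override reads the syslog group and no longer "messages".
check_override() {
    logwatch_logfile_groups "$1" | grep -qFx 'syslog' &&
    ! logwatch_logfile_groups "$1" | grep -qFx 'messages'
}

# Build a constructed sandbox that mimics a stock install (sample content,
# not copied from a real box), under the root given as $1.
make_sandbox() {
    root="$1"
    mkdir -p "$root/usr/share/logwatch/default.conf/services" "$root/etc/firewalld"
    cat > "$root/usr/share/logwatch/default.conf/services/iptables.conf" <<'EOF'
# Which logfile group...
LogFile = messages
LogFile = iptables
# Set this to yes to lookup IPs in kernel firewall report
$iptables_ip_lookup = No
EOF
    printf 'DefaultZone=public\nLogDenied=off\n' > "$root/etc/firewalld/firewalld.conf"
}

# Stand-alone run: apply both changes to a sandbox and show the result.
demo() {
    box="$(mktemp -d)"
    make_sandbox "$box"
    logwatch_iptables_override "$box"
    firewalld_log_denied_all "$box/etc/firewalld/firewalld.conf"
    if check_override "$box/etc/logwatch/conf/services/iptables.conf"; then
        echo "logwatch override OK: $(logwatch_logfile_groups "$box/etc/logwatch/conf/services/iptables.conf" | tr '\n' ' ')"
    else
        echo "logwatch override FAILED"
    fi
    grep '^LogDenied=' "$box/etc/firewalld/firewalld.conf"
    rm -rf "$box"
}

demo
```

The packaged file under /usr/share is read but never written, which is the whole point of the override directory: a package upgrade replaces the default, and /etc/logwatch/conf/services/iptables.conf keeps winning. Run logwatch afterwards to confirm the iptables section now shows up.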
