Hostperl

Configure Logwatch Daily Digests on AlmaLinux VPS

By Raman Kumar

Updated on Jul 3, 2026

Why Logwatch Belongs on Every AlmaLinux VPS

Most server problems don't announce themselves. A disk filling up, a service restarting repeatedly, or a spike in failed SSH logins — these things happen quietly until they don't. Logwatch solves that by parsing your system logs each day and sending you a plain-language email summarising what actually happened.

On AlmaLinux (which runs on RHEL 9 internals), Logwatch works well out of the box. The default configuration covers the logs most hosting customers care about: SSH access, cron jobs, disk activity, mail delivery, and service failures. This tutorial walks you through installing it, customising the digest, and making sure the emails actually land in your inbox.

If you're running a Hostperl VPS and you're not already receiving daily log summaries, this is one of the highest-value things you can configure in under 30 minutes.

What You'll Need Before Starting

  • An AlmaLinux 8 or 9 VPS with root or sudo access
  • A working mail transfer agent — Postfix is the most common and is what this guide assumes
  • An external email address to receive digests (a Gmail or business address works fine)
  • Basic familiarity with SSH and text editors like nano or vi

If Postfix isn't installed yet, you can add it with dnf install postfix -y and enable it with systemctl enable --now postfix. Configuring Postfix for external relay is outside this guide's scope, but if your VPS is on a clean IP with proper DNS records, the default Postfix setup will send mail directly without needing a relay.

For context on IP reputation and mail deliverability, our email deliverability checklist for VPS hosting covers the DNS records you should have in place before sending any server-generated mail.

Step 1 — Install Logwatch on AlmaLinux

Logwatch is available in the standard EPEL repository. First, make sure EPEL is enabled:

dnf install epel-release -y

Then install Logwatch:

dnf install logwatch -y

Verify the installation and check the version:

logwatch --version

You should see output similar to Logwatch 7.x. The main configuration file lives at /etc/logwatch/conf/logwatch.conf, though it starts empty — the real defaults ship in /usr/share/logwatch/default.conf/logwatch.conf. You override only what you need in /etc/logwatch/conf/logwatch.conf, which keeps upgrades clean.

Step 2 — Configure the Daily Digest Settings

Open the local config file for editing:

nano /etc/logwatch/conf/logwatch.conf

Add or adjust the following lines. Each setting overrides the corresponding default:

# Where to send the daily digest
MailTo = you@yourdomain.com

# Who the email appears to come from
MailFrom = logwatch@yourhostname.com

# Detail level: Low, Med, or High
Detail = Med

# Report range — yesterday's logs
Range = yesterday

# Output format — mail sends via email, stdout prints to terminal
Output = mail

# Format: text or html
Format = text

# Service filter — use All to include every service Logwatch knows
Service = All

Save and close the file. The Detail = Med setting is a practical starting point — Low gives headline summaries, while High produces verbose output that can run to hundreds of lines on a busy server. Most hosting customers find Medium the right balance: enough detail to spot problems without drowning in noise.

Step 3 — Send a Test Report

Before setting up a cron schedule, confirm that Logwatch can generate a report and that email delivery is working:

logwatch --output mail --mailto you@yourdomain.com --detail Med --range today

This generates a report for today's logs and sends it immediately. Check your inbox within a minute or two. If nothing arrives, check your spam folder first, then verify Postfix is running:

systemctl status postfix

You can also watch the mail queue directly:

mailq

If messages are stuck in the queue, /var/log/maillog will tell you why. Common causes are DNS resolution failures or the destination mail server rejecting connections on port 25.

Once you've confirmed delivery, print a report to the terminal to review its structure:

logwatch --output stdout --detail Med --range yesterday

This is useful when you want to inspect the digest content without sending an email during testing.

Step 4 — Schedule Logwatch with Cron

Logwatch ships with a cron file at /etc/cron.daily/0logwatch that should already be in place after installation. Check whether it exists:

cat /etc/cron.daily/0logwatch

You should see a script that calls Logwatch with the options from your configuration file. If it's present and executable, the daily digest will run automatically overnight — typically around 04:02 on AlmaLinux systems using the default cron.daily timing.

If you'd prefer a specific time, you can disable the cron.daily file and add your own entry:

chmod -x /etc/cron.daily/0logwatch
crontab -e

Then add a line like this to send the report at 06:30 every morning:

30 6 * * * /usr/sbin/logwatch --output mail --mailto you@yourdomain.com --detail Med --range yesterday

Save the crontab. The report will now arrive at a predictable time each day, which makes it easier to build a quick morning review habit.

Step 5 — Filter Services to Reduce Report Noise

On a VPS running multiple services, an All-services report can include dozens of sections you rarely look at. You can scope Logwatch to specific services that matter most for your workload.

To include only SSH, disk usage, and cron job activity, edit your config file:

Service = sshd
Service = disk
Service = cron

Common services available on AlmaLinux VPS setups include:

  • sshd — login attempts, including failed and successful
  • postfix — mail delivery summaries
  • httpd — Apache access and error log summaries
  • disk — disk usage by mount point
  • cron — cron job execution and failures
  • iptables or kernel — firewall drops and kernel messages
  • dnf — package install and update activity

You can list all services Logwatch knows about on your system:

ls /usr/share/logwatch/scripts/services/

Not all of them will produce output unless the corresponding log data exists on your server.

Step 6 — Increase SSH Monitoring Sensitivity

SSH brute-force attempts are the single most common thing you'll see in a VPS log digest. If you're getting hundreds of failed login lines, that's normal — and it's worth pairing Logwatch with active blocking.

For the Logwatch side, set a higher detail level just for SSH:

nano /etc/logwatch/conf/services/sshd.conf

Add:

Detail = High

This overrides the global detail setting for SSH alone, giving you full IP-level breakdown of who's been attempting logins without inflating every other section.

For active blocking, Fail2Ban complements Logwatch well — it acts on login failures in real time, while Logwatch gives you the daily summary view. Our guide on configuring Fail2Ban on AlmaLinux VPS covers that setup in full.

Step 7 — Verify the Daily Digest Format and Content

After your first scheduled run, open the digest email and check what's included. A well-configured report on a typical hosting VPS will show sections roughly like this:

################### Logwatch 7.x (mm/dd/yyyy) ####################
        Processing Initiated: Wed Jan 15 06:30:01 2026
        Date Range Processed: yesterday
                              ( 2026-Jan-14 )
        Period is day.
        Detail Level of Output: 5 (Med)
        Type of Output/Format: mail / text
        Logfiles for Host: your-vps-hostname
##################################################################

 --------------------- Disk Space Begin ------------------------
 /dev/sda1       40G   12G   26G  32% /
 ---------------------- Disk Space End -------------------------

 --------------------- SSHD Begin --------------------------
 Failed logins from:
   192.0.2.47: 23 times
   198.51.100.12: 11 times

 Users logging in through sshd:
   root:
      203.0.113.5: 3 times
 ---------------------- SSHD End ---------------------------

The format is intentionally plain. If you'd prefer an HTML email, change Format = text to Format = html in your config — though some mail clients render the HTML version inconsistently, so text is generally more reliable for server monitoring use.
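
The SSHD section of a digest can also be checked mechanically once a report is saved to a file. The script below is an added example, not part of the original guide or of Logwatch itself: the helper name sshd_findings, the threshold of 20 and the sample report are assumptions, and the parser expects the section layout shown in the sample digest above.

```sh
#!/bin/sh
# Added example: triage the SSHD section of a saved Logwatch text report.
# Prints "FAILED <ip> <count>" for sources at or above MIN failed logins and
# "ROOT <ip> <count>" for every address that logged in as root.
sshd_findings() {   # usage: sshd_findings MIN_FAILED REPORT_FILE (hypothetical helper)
    awk -v min="$1" '
        / SSHD Begin /  { sshd = 1; list = ""; user = ""; next }
        / SSHD End /    { sshd = 0 }
        !sshd           { next }                       # ignore every other section
        /^[ \t]*$/      { list = ""; user = ""; next } # blank line closes a list
        /Failed logins from:/            { list = "failed"; next }
        /Users logging in through sshd:/ { list = "users";  next }
        /: [0-9]+ [Tt]imes?[ \t]*$/ {                  # "<ip>: <n> times"
            ip = $1; sub(/:$/, "", ip); n = $(NF - 1) + 0
            if (list == "failed" && n >= min + 0) print "FAILED", ip, n
            if (list == "users" && user == "root") print "ROOT", ip, n
            next
        }
        list == "users" && /:[ \t]*$/ { user = $1; sub(/:$/, "", user) }
    ' "$2"
}

# Constructed sample in the layout of the digest above (documentation addresses).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
 --------------------- SSHD Begin --------------------------
 Failed logins from:
   192.0.2.47: 23 times
   198.51.100.12: 11 times

 Users logging in through sshd:
   deploy:
      203.0.113.9: 2 times
   root:
      203.0.113.5: 3 times
 ---------------------- SSHD End ---------------------------
EOF

sshd_findings 20 "$sample"
```

Run it against a report saved with --output file. The section layout can differ between Logwatch versions and detail levels, so check the patterns against one of your own digests first.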

Troubleshooting Common Logwatch Issues on AlmaLinux

No email received. Run logwatch --output stdout --detail Low --range today to confirm Logwatch itself is working. If you see output, the issue is Postfix or email delivery. Check mailq and /var/log/maillog.

Report arrives but is nearly empty. This usually means Logwatch ran before logs were fully written, or the date range doesn't match your log rotation schedule. Try switching to Range = all temporarily to confirm log data is being read.

SELinux blocking Logwatch. On AlmaLinux with SELinux enforcing, Logwatch can sometimes fail to read certain log files. Check for denials with ausearch -m avc -ts recent. If SELinux is the cause, the audit log will show it clearly.

Duplicate reports. If you have both the cron.daily file active and a custom crontab entry, you'll get two reports per day. Disable one: chmod -x /etc/cron.daily/0logwatch.

For a broader look at what to monitor on your VPS beyond log digests, the VPS monitoring guide for hosting customers covers disk, memory, and uptime tracking alongside log-based visibility.

Optional: Archive Reports to a Local File

If you want a local copy of each digest — useful for auditing or when email delivery is unreliable — you can write reports to a file instead of (or in addition to) emailing them:

logwatch --output file --filename /var/log/logwatch-reports/$(date +%Y-%m-%d).txt --detail Med --range yesterday

Create the directory first:

mkdir -p /var/log/logwatch-reports

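Add this as a second cron entry if you want both email and file output. In a crontab line, write each % in the date format as \% because cron treats an unescaped % as a newline. Reports accumulate quickly, so pair this with logrotate or a simple cleanup cron to remove files older than 30 days: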

0 7 * * * find /var/log/logwatch-reports/ -name "*.txt" -mtime +30 -delete

Running a VPS without daily log visibility is managing blind. Hostperl's Linux VPS plans give you full root access to configure Logwatch, Fail2Ban, and any other monitoring tools you need — without restrictions.

Need more headroom for a demanding workload? Our dedicated server plans offer isolated resources with the same hands-on access and NZ-based support. Get in touch if you're not sure which fits your setup.

Frequently Asked Questions

Does Logwatch slow down my server?

No. Logwatch reads existing log files and runs as a one-off process, typically completing in under a minute. It has no persistent daemon and no ongoing resource usage.

Can I use Logwatch with Nginx instead of Apache?

Yes, but Nginx doesn't have a built-in Logwatch service script like Apache (httpd) does. You'd need to add a custom service script or parse Nginx logs separately. For most hosting setups, the SSH, disk, and cron sections are the most immediately useful regardless of web server.

What's the difference between Logwatch and a full monitoring tool like Netdata?

Logwatch is a log summariser — it tells you what happened in plain language after the fact. Netdata and similar tools give you real-time metrics and alerting. They serve different purposes and work well together. Our VPS monitoring overview explains where each approach fits.

Will Logwatch work on AlmaLinux 10?

AlmaLinux 10 reached general availability in 2026. Logwatch from EPEL should install and function normally, though you should verify the EPEL 10 repository is available on your system before attempting installation.

How do I stop getting reports about a service I don't use?

Add a line to /etc/logwatch/conf/logwatch.conf specifying only the services you want, or create a service-specific config in /etc/logwatch/conf/services/ with Detail = 0 to suppress that service's output entirely.