Configure Logwatch Daily Digests on Ubuntu VPS

Why Daily Log Digests Matter on a VPS

Running a VPS without regular log summaries is like managing a busy site without checking your error logs. Problems compound quietly — failed SSH attempts, disk pressure, service restarts — and you only notice them when something breaks in front of a customer.

Logwatch solves this with minimal overhead. It reads your system logs overnight, produces a plain-language summary, and emails it to you each morning. No dashboards to maintain, no agents to babysit.

For small teams and solo operators managing one or several servers, it's one of the most practical monitoring habits you can build. This tutorial covers a full Logwatch setup on Ubuntu 22.04 or 24.04 LTS, including installation, configuration, custom reporting intervals, and delivery via a working mail relay. If you're on a Hostperl VPS, the steps apply directly without any platform-specific adjustments.

What You'll Need Before Starting

• Ubuntu 22.04 or 24.04 VPS with root or sudo access
• A working outbound mail setup — either Postfix configured as a send-only relay, or an SMTP relay service such as SendGrid or Mailgun
• An email address you actually read daily

If your VPS doesn't have outbound mail configured yet, see our guide on setting up a Postfix mail relay on Ubuntu VPS before continuing. Logwatch can write reports to stdout or a file, but email delivery is the whole point of Logwatch daily digests on Ubuntu VPS.

Step 1 — Install Logwatch

Logwatch is in the standard Ubuntu repositories. Install it with:

sudo apt update
sudo apt install logwatch -y

This pulls in Perl and a handful of dependencies. The installer creates two directories: /usr/share/logwatch/ for scripts and filters, and /etc/logwatch/ for your local configuration. Don't touch anything under /usr/share/logwatch/ — those files get overwritten on package updates. All your customisation goes under /etc/logwatch/.

Confirm the install worked:

logwatch --version

You should see something like Logwatch 7.x.x.

Step 2 — Review the Default Configuration

The default config lives at /usr/share/logwatch/default.conf/logwatch.conf. Don't edit it. Instead, copy the sections you want to change into /etc/logwatch/conf/logwatch.conf, which takes precedence.

Create your local override file:

sudo nano /etc/logwatch/conf/logwatch.conf

Paste in the following, adjusting values for your setup:

# Destination email address
MailTo = you@yourdomain.com

# Sender address — use something your mail relay accepts
MailFrom = logwatch@yourhostname.com

# Subject line prefix
MailSubject = "[Logwatch] Daily Report - $date"

# How much detail to include: Low, Med, High
Detail = Med

# Time range to cover: today, yesterday, All
Range = yesterday

# Output format: mail, file, stdout
Output = mail

# Report format: text or html
Format = text

# Services to include (comma-separated, or All)
Service = All

# Temporary working directory
TmpDir = /var/cache/logwatch

Save and exit (Ctrl+X, then Y). The Detail = Med setting gives you enough context without burying useful lines in noise. Switch to High later if you're chasing a specific issue.

Step 3 — Test the Report Before Scheduling

Before setting up any cron job, run Logwatch manually to confirm delivery works end to end.

sudo logwatch --detail Med --mailto you@yourdomain.com --range yesterday --format text

Within a minute or two you should receive an email covering SSH login attempts, disk usage, package updates, sudo usage, and more. If nothing arrives, check your mail queue:

mailq

A stuck queue usually points to a Postfix problem, not Logwatch. Common causes are an incorrect relay host, an authentication failure, or a missing PTR record on your VPS IP. Sort out the mail relay first, then come back.

To review the output on screen before enabling email delivery:

sudo logwatch --detail Med --range yesterday --output stdout | less

Step 4 — Schedule Daily Delivery with Cron

Logwatch ships with a default cron entry at /etc/cron.daily/00logwatch. On most Ubuntu installs it already exists. Check it:

cat /etc/cron.daily/00logwatch

You'll typically see:

#!/bin/bash
/usr/sbin/logwatch --output mail

If this file exists and your /etc/logwatch/conf/logwatch.conf is configured correctly, you're already scheduled. The cron.daily directory runs somewhere between midnight and 6am, depending on your anacron settings.

To set a specific delivery time — say, 7am Auckland time — add your own cron entry instead:

sudo crontab -e

Add this line, adjusting for your timezone:

0 7 * * * /usr/sbin/logwatch --output mail --mailto you@yourdomain.com --detail Med --range yesterday

Make sure your server's timezone is set correctly first:

sudo timedatectl set-timezone Pacific/Auckland

Then verify with timedatectl. A digest labelled "yesterday" that covers the wrong 24-hour window wastes your attention.

Step 5 — Filter Services You Actually Care About

By default, Logwatch includes every service it has a filter for. On a typical VPS running Apache or Nginx, PHP-FPM, and a mail stack, the report can run to several pages. You may want to pare it down.

To exclude services, create a directory for per-service overrides:

sudo mkdir -p /etc/logwatch/conf/services/

For example, to suppress the pam_unix section (often verbose on busy servers):

sudo nano /etc/logwatch/conf/services/pam_unix.conf

Add:

$ignore_repeat = 1
Detail = 0

Setting Detail = 0 removes that service's output entirely. Use the same pattern for any section generating more noise than signal.

To get more detail on SSH activity specifically:

sudo nano /etc/logwatch/conf/services/sshd.conf

Add:

Detail = High

Per-service overrides take effect on the next run — no daemon restart needed.

Step 6 — Add a Custom Log File

Logwatch monitors standard system log directories by default (/var/log/messages, /var/log/secure, /var/log/auth.log, etc.). To include a custom application log — say, /var/log/myapp/error.log — define a custom log group.

Create a log file definition:

sudo nano /etc/logwatch/conf/logfiles/myapp.conf

Add:

LogFile = /var/log/myapp/error.log
Archive = /var/log/myapp/error.log.*
MaxAge = 7

Then create a matching service filter:

sudo nano /etc/logwatch/conf/services/myapp.conf

Add:

Title = "My App Errors"
LogFile = myapp

The filter script that parses log lines into the report goes at /etc/logwatch/scripts/services/myapp. It's a Perl script that reads from STDIN. For most VPS operators, the built-in filters cover everything needed, so custom scripts are optional.

Step 7 — Verify Logs Are Rotating Correctly

Logwatch reads yesterday's logs, so logrotate must be rotating them on schedule. If it isn't, the digest will either miss entries or report the same data twice.

Check your logrotate configuration:

sudo logrotate --debug /etc/logrotate.conf 2>&1 | head -40

For a full walkthrough, see our tutorial on configuring logrotate on Ubuntu VPS. Logwatch and logrotate are tightly coupled — misconfigure one, and the other produces misleading output.

Reading Your Daily Digest Effectively

A well-configured digest takes about two minutes to review each morning. Here's what to focus on:

• SSH failed logins: A spike from a single IP overnight warrants a Fail2Ban check. See our guide on setting up Fail2Ban custom jails if you haven't already.
• Disk usage warnings: Logwatch reports filesystem utilisation. Cross-reference with your disk usage monitoring setup if you're seeing consistent growth.
• Postfix/mail activity: Watch for unexpected outbound volume — it can indicate a compromised script or contact form on a hosted site.
• Sudo usage: Every sudo command appears in the digest. Any command you don't recognise needs investigation.
• Package manager activity: Unattended upgrades show here. Confirm that automatic security patches applied cleanly.

The goal isn't to read every line — it's to spot anything outside your normal baseline. After a week of daily digests, you'll know what's normal for your server and what isn't.

Troubleshooting Common Issues

No email arriving: Run mailq and check /var/log/mail.log. Usually a Postfix relay problem, not Logwatch.

Empty or near-empty report: Check that Range = yesterday matches the period your logs cover. A newly provisioned server or cleared logs leave nothing to report.

Report shows the wrong date: Timezone mismatch. Run timedatectl and correct with sudo timedatectl set-timezone.

Logwatch binary not found in cron: Use the full path /usr/sbin/logwatch in your cron entry rather than just logwatch.

Duplicate daily emails: Both /etc/cron.daily/00logwatch and a custom crontab entry are running. Remove the one you don't want.

Frequently Asked Questions

Can Logwatch send HTML-formatted emails?

Yes. Set Format = html in /etc/logwatch/conf/logwatch.conf. The HTML output is slightly easier to scan but adds a little message size. Either format works fine for daily review.

Does Logwatch work on Ubuntu 24.04?

Yes. The package is available in the standard Ubuntu 24.04 repositories and installs without modification. Configuration file paths are identical to Ubuntu 22.04.

How do I stop Logwatch running automatically?

Remove or rename /etc/cron.daily/00logwatch — for example, sudo mv /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch.disabled. This preserves the file without running it.

Will Logwatch slow down my VPS?

No. It runs once daily, processes logs in memory, and typically finishes in under 30 seconds on a standard VPS. CPU and memory impact during the run is negligible.

Can I send the digest to multiple addresses?

Yes. Set MailTo = first@domain.com second@domain.com — space-separated addresses are accepted.