To capture traffic from my rsyslog encryption exercise and ensure the traffic was encrypted, I used tcpdump on the server, and wireshark on my local machine.

tcpdump -nnvvvS -s 0 -U -w /tmp/<capture file name> -i <interface> dst <destination IP> and dst port <port number>

tcp dump helpfully counts packets for you, so when I had several I turned off tcpdump (ctrl-C), and moved my capture file to my local machine, and opened it up in wireshark.

Logwatch is a great tool, until you want to change the default or do something different than how the basic install is configured.

Then the location of the conf files can be quite confusing.  Here are the basics you (and I) have to remember:

• Default conf files are in /usr/share/logwatch
• Other conf files and local changes to default conf files should be placed in /etc/logwatch/conf
• /etc/cron.daily/0logwatch (YMMV) overrides all, especially the mail or file output option...

rsyslog can be used to log locally and send the logs to a remote server.  Doing that while encrypting the traffic is a bit more challenging.

Kristian Reese has a wonderful guide here: https://kristianreese.com/2019/07/11/How-to-configure-rsyslog-7-4-9-with-TLS/

It gave me the basics, but my situation was going to a cloud commercial SIEM, and I couldn't generate the CA and the keys.

To "find" files greater than 1024k and "sort" by largest size first:

find / -mount -size +1024k -type f -exec ls -la {} \;|sort -rnb -k 5|more

To find directories that are consuming large amount of space (with files) and sort by largest first:

du -x / |sort -rnb |more

To see how much space is being used in a specific directory:

du -sh /var/logs

After all the cleanup, I didn’t free the diskspace, and used this command to identify processes holding open deleted files:

sudo /usr/sbin/lsof | grep deleted