This is what I do every morning on my Linux system. First, I log in as root and check the mailbox for the day's reports. The first is the tripwire report: I check whether any significant changes have been made to the file system. If there have, I must either restore from backup or modify the tripwire database to reflect these changes. Then I check the httpd server logs and the logwatch logs, which report all the messages from the daily system logs, such as file system size and illegal logins via ssh.
Finally, in this video, I update the tripwire logs, because all that has changed is the logs and mailbox, which is expected.