Package: logwatch
Version: 7.4.1

SYMPTOM
Log statements for the first hours of yesterday are ignored and not
processed by logwatch.

CAUSE
The configuration for syslog uses files /var/log/syslog and
/var/log/syslog.1. Because log rotation does not occur exactly at
midnight, the first portion of yesterday's log statements are in
syslog.2, and logwatch does not process this file.

GET-AROUND FOR SYSLOG ONLY
sudo mkdir --parents /etc/logwatch/conf/logfiles
sudo echo "LogFile = syslog.2" | sudo tee /etc/logwatch/conf/logfiles/syslog.conf >/dev/null


BIGGER PROBLEM 1
The way of locating logs does not take into account the logrotate rotate
directive or the period at which logs are rotated. logwatch would need
to scan every log until a too old modification date is found.
Logs can be rotated when reaching a certain size, which can be
hundreds of times daily. Therefore, every index number up to
logrotate's rotate setting must be scanned.
Say a log has rotate 100 and is rotated every hour due to its size or
configuration. Logwatch would then need to examine file indexes up to
48 (2 x 24 hours), i.e. put 48 "LogFile= …" statements in the log
configuration file. The logwatch architecture is lacking.


BIGGER PROBLEM 2
The compressed extension is assumed to be .gz. Today, it is more
likely to be .xz but can be anything, really. Logwatch should examine
any file by stemming the original log filename, e.g. look for syslog*
and test the result against common file compression methods.


BIGGER PROBLEM 3
If logrotate delaycompress is used, syslog.2 will be compressed and
logwatch will not look in it, i.e. every run would need the --archives
option, and this is not the default.


DATA
When are logs rotated? Maybe 6:25 am
grep /etc/cron.daily /etc/crontab
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

Add a service that echoes all processed syslog lines
sudo mkdir --parents /etc/logwatch/conf/services /etc/logwatch/scripts/services
echo -e "Title = \"All syslog\"\nLogFile = syslog" | sudo tee /etc/logwatch/conf/services/allsyslog.conf >/dev/null
Y="!"; echo -e "#$Y/bin/bash -eu\ncat" | sudo tee /etc/logwatch/scripts/services/allsyslog >/dev/null

logwatch --service allsyslog | less

Delete the service
sudo rm /etc/logwatch/conf/services/allsyslog.conf /etc/logwatch/scripts/services/allsyslog


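Added example, not part of the original report and not logwatch code: a Python illustration of the file selection that BIGGER PROBLEM 1 and 2 ask for, walking the rotations of a log by stem until a too old modification date is found and identifying compression from the file content rather than the extension. All function names are hypothetical; it assumes numeric rotation suffixes (no logrotate dateext) and that compression kept the original modification time, and the sample files and timestamps are constructed.

```python
import bz2, gzip, lzma, os, re, tempfile

# Identify compression from leading magic bytes (gzip, xz, bzip2), not from the extension.
MAGIC = [(b"\x1f\x8b", gzip.open), (b"\xfd7zXZ\x00", lzma.open), (b"BZh", bz2.open)]

def opener_for(path):
    with open(path, "rb") as fh:
        head = fh.read(6)
    return next((op for magic, op in MAGIC if head.startswith(magic)), open)

def rotation_index(stem, name):
    """0 for the live log, N for stem.N or stem.N.<ext>, None for unrelated files."""
    if name == stem:
        return 0
    m = re.fullmatch(re.escape(stem) + r"\.(\d+)(\.\w+)?", name)
    return int(m.group(1)) if m else None

def files_for_window(log_dir, stem, window_start):
    """Rotations, newest first, up to the first one last written before window_start."""
    found = sorted((idx, os.path.join(log_dir, n)) for n in os.listdir(log_dir)
                   if (idx := rotation_index(stem, n)) is not None)
    selected = []
    for _, path in found:
        if os.path.getmtime(path) < window_start:
            break  # too old; every higher index is older still
        selected.append(path)
    return selected

def read_lines(path):
    with opener_for(path)(path, "rt", errors="replace") as fh:
        return fh.read().splitlines()

def demo():
    """Constructed sample: rotation at 06:25, reporting window starts at t0 ('yesterday 00:00')."""
    t0, day, rot = 1_700_000_000, 86400, 23100  # rot = 6 h 25 min in seconds
    samples = [("syslog", open, t0 + day + 30000),
               ("syslog.1", open, t0 + day + rot),
               ("syslog.2.xz", lzma.open, t0 + rot),        # holds yesterday's first hours
               ("syslog.3.gz", gzip.open, t0 - day + rot)]  # last written before the window
    d = tempfile.mkdtemp()
    for name, op, mtime in samples:
        path = os.path.join(d, name)
        with op(path, "wt") as fh:
            fh.write(f"constructed line in {name}\n")
        os.utime(path, (mtime, mtime))
    picked = files_for_window(d, "syslog", t0)
    return [os.path.basename(p) for p in picked], [l for p in picked for l in read_lines(p)]

if __name__ == "__main__":
    print(demo())
```

Selected files still need per-line date filtering, since syslog.2.xz also holds entries from the day before the window.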