[Logwatch] Services List Description

Tom Metro tmetro+logwatch at gmail.com
Wed Jul 11 09:14:57 MST 2007

eupabf at clix.pt wrote:
> the following services usually come on my report...
> I would like to know if there is any Logwatch Services List that 
> explains what each default service script reports. What kind of 
> information and where it collects it.

I asked a similar question a few weeks back. After some experimentation, 
I determined the answer.

Here's how to figure out what logwatch is reporting on:

Start by looking at /usr/share/logwatch/default.conf/logwatch.conf[1]. 
Examine the lines that start with "Service = ". You'll likely see 
one that looks like, "Service = All", meaning that logwatch should 
attempt to generate reports for all services for which there are 
configuration files. You may then see a few lines that look like 
'Service = "-<service>"' where <service> is some service logwatch is 
being told to skip.

(1. Everywhere you see a path listed for a logwatch config file, you 
actually need to check potentially 3 locations. See section "3. 
Directory Structure" in 
http://www2.logwatch.org:81/tabs/docs/HOWTO-Customize-LogWatch.html for 
an explanation.)

Next examine each file in /usr/share/logwatch/default.conf/services/ and 
look for a line like "LogFile = <group>". There is typically one such 
line, but there may be multiple. These identify the log group 
configuration file that defines where the data comes from for this service.

Next look in /usr/share/logwatch/default.conf/logfiles/ for a file named 
<group>.conf corresponding to the above "LogFile" directive. In this log 
file group config file you'll find more lines that look like "LogFile = 
<file>" and lines like "Archive = <file>". These identify the actual log 
files examined for the above service. If the file name has no path or a 
relative path, then it is relative to the path set by "LogDir" in 

There may be a debug switch for logwatch that will speed up the above 
process by printing the list of log files that were successfully opened 
and for which services. If there isn't, there should be.

At this point you know what services logwatch is attempting to report 
on, and what files it is examining for each service.

You also need to know that logwatch does not produce any reports for a 
service if 1. the log files referenced in the log file group config file 
don't exist, 2. the log files are empty, 3. the log files have no data 
relevant to the particular service, or 4. the service filter determined 
that there was nothing worth reporting for the specified detail level.

This is why despite having probably 80+ services in your 
default.conf/services/ directory you only see reports from a dozen or 
fewer services.

As for the *what* gets reported, I'm aware of no documentation 
describing what the individual filters report. You'll have to determine 
that through experimentation and examining the service filter code.


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
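
The lookup described in the message above (services/*.conf, then the LogFile group, then logfiles/<group>.conf and its LogFile and Archive entries), as an added shell example that is not part of the original post or of logwatch. It reads a single config root, so run it once per location; the function names, the status labels and the /var/log default for LogDir are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of logwatch): list, for one config root, which log
# files each service reads and whether they exist and contain data.

# conf_values FILE KEY: print the value of every "KEY = value" line.
conf_values() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim blanks and quotes
            if (v != "") print v
        }' "$1"
}

# service_logs CONF_ROOT LOGDIR: one line per service/file pair:
#   service <TAB> group <TAB> path-or-pattern <TAB> missing|empty|has-data
service_logs() {
    root=$1 logdir=$2
    for svc in "$root"/services/*.conf; do
        [ -e "$svc" ] || continue
        name=$(basename "$svc" .conf)
        conf_values "$svc" LogFile | while IFS= read -r group; do
            for key in LogFile Archive; do
                conf_values "$root/logfiles/$group.conf" "$key" |
                while IFS= read -r f; do
                    case $f in /*) path=$f ;; *) path=$logdir/$f ;; esac
                    status=missing
                    for p in $path; do           # unquoted: expand patterns
                        if [ -s "$p" ]; then status=has-data; break
                        elif [ -e "$p" ]; then status=empty; fi
                    done
                    printf '%s\t%s\t%s\t%s\n' "$name" "$group" "$path" "$status"
                done
            done
        done
    done
}

# LOGDIR is passed by the caller; /var/log is only an assumed default.
if [ "$#" -ge 1 ]; then service_logs "$1" "${2:-/var/log}"; fi
```

A service whose every line shows "missing" or "empty" falls under the first two reasons given above for a service producing no report.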
