[Logwatch] missing log files not flagged as an error

Tom Metro tmetro+logwatch at gmail.com
Thu Jun 21 09:40:08 MST 2007

How does logwatch determine which files/services to process on a given 

I like the fact that logwatch was the first log monitoring package that 
I installed on my Debiam system that actually did something useful out 
of the box (in part thanks to the design of logwatch and in part thanks 
to the distribution packaging), but as I'm getting into customizing the 
configuration I'm wondering what mechanism it uses to determine what 
files/services to process?

Obviously the logfile group config files specify what log files to look 
at, and the service filter config files determines what services will 
get reports, but what drives the process? Does logwatch iterate over 
logfile group config files and invoke service filters as necessary? Does 
it iterate over service filter config files and process referenced 
logfile groups? That you define "Service" variables in logwatch.conf 
suggests that it is the latter that happens when "Service" is set to 
"All." (I can answer this question by digging into the code, but this 
should really be explained in HOWTO-Customize-LogWatch.)

The system where I tried out logwatch had syslog files in a non-standard 
  location, so not surprisingly I didn't get any reports for services 
logged through syslog. But I also didn't get any errors.

It strikes me that a monitoring service should never fail silently. In 
order to be effective, a log monitoring tool needs to instill confidence 
that it is seeing the intended data. So missing log files, and possibly 
even missing log lines (below some statistically determined threshold?) 
should be flagged as an error.

I realize this presents some challenges. It makes it more difficult to 
define a logfile group config file that references many possible log 
file locations, any or most of which might be absent. (But it could be 
an error if *all* were absent.) It also means that you'd need some 
mechanism for specifying what packages *should* be producing logs on a 
given system, which means yet another config file (or playing games with 
the mode bits (permissions) on logfile group/service config files), 
and/or some distribution-specific code that queries the database of 
installed packages.

The closest thing I could find to this topic in the list archives was 
this dev list posting:

   I would like to have also (on demand) generated list of entries that
   are missing, like new daemons, new subjects (i.e. [DATE] new-daemon:
   log entry). It could be usefull for generating new filters...

which I guess is a separate, but related issue. I think the user is 
describing a scenario in which a log file is processed, found to have 
entries for services A, B, and C, and A and B have service filters, but 
C doesn't, so all of its log lines are silently ignored.


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

More information about the Logwatch mailing list