[Logwatch] missing log files not flagged as an error
tmetro+logwatch at gmail.com
Thu Jun 21 09:40:08 MST 2007
How does logwatch determine which files/services to process on a given
I like the fact that logwatch was the first log monitoring package that
I installed on my Debian system that actually did something useful out
of the box (in part thanks to the design of logwatch and in part thanks
to the distribution packaging), but as I'm getting into customizing the
configuration I'm wondering what mechanism it uses to determine what
files/services to process?
Obviously the logfile group config files specify what log files to look
at, and the service filter config files determines what services will
get reports, but what drives the process? Does logwatch iterate over
logfile group config files and invoke service filters as necessary? Does
it iterate over service filter config files and process referenced
logfile groups? That you define "Service" variables in logwatch.conf
suggests that it is the latter that happens when "Service" is set to
"All." (I can answer this question by digging into the code, but this
should really be explained in HOWTO-Customize-LogWatch.)
The system where I tried out logwatch had syslog files in a non-standard
location, so not surprisingly I didn't get any reports for services
logged through syslog. But I also didn't get any errors.
It strikes me that a monitoring service should never fail silently. In
order to be effective, a log monitoring tool needs to instill confidence
that it is seeing the intended data. So missing log files, and possibly
even missing log lines (below some statistically determined threshold?)
should be flagged as an error.
I realize this presents some challenges. It makes it more difficult to
define a logfile group config file that references many possible log
file locations, any or most of which might be absent. (But it could be
an error if *all* were absent.) It also means that you'd need some
mechanism for specifying what packages *should* be producing logs on a
given system, which means yet another config file (or playing games with
the mode bits (permissions) on logfile group/service config files),
and/or some distribution-specific code that queries the database of
The closest thing I could find to this topic in the list archives was
this dev list posting:
I would like to have also (on demand) generated list of entries that
are missing, like new daemons, new subjects (i.e. [DATE] new-daemon:
log entry). It could be useful for generating new filters...
which I guess is a separate, but related issue. I think the user is
describing a scenario in which a log file is processed, found to have
entries for services A, B, and C, and A and B have service filters, but
C doesn't, so all of its log lines are silently ignored.
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
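As an added illustration of the "never fail silently" point made above (example code, not part of the original post and not logwatch's own code): a small Python check that reads the `LogFile =` entries of a logfile group config written in logwatch's style, reports an error when all of the group's files are absent, and a warning when some are absent or a present file holds fewer lines than a threshold. The sample config, the log directory and the line-count threshold are constructed for the example.

```python
import glob
import os
import re
import tempfile

# Constructed sample in the style of a logwatch logfile group config
# ("LogFile = <name>" lines); names are resolved relative to base_dir.
SAMPLE_CONF = """
LogFile = messages
LogFile = syslog
"""

def parse_logfile_entries(conf_text):
    """Return the LogFile values (glob patterns) from a group config."""
    pats = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"LogFile\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            pats.append(m.group(1))
    return pats

def check_log_group(conf_text, base_dir, min_lines=1):
    """Return (status, findings): 'error' when every pattern is absent,
    'warning' when some are absent or a present file has fewer than
    min_lines lines, otherwise 'ok'. Nothing is skipped silently."""
    findings, present = [], 0
    for pat in parse_logfile_entries(conf_text):
        matches = sorted(glob.glob(os.path.join(base_dir, pat)))
        if not matches:
            findings.append(("missing", pat, 0))
            continue
        for path in matches:
            present += 1
            with open(path, "rb") as f:
                n = sum(1 for _ in f)  # line count as a crude volume check
            findings.append(("present" if n >= min_lines else "sparse", path, n))
    if present == 0:
        return "error", findings
    if any(kind != "present" for kind, _, _ in findings):
        return "warning", findings
    return "ok", findings

def demo():
    """Constructed case: only 'messages' exists, and it holds one line."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "messages"), "w") as f:
        f.write("Jun 21 09:40:08 host sshd[123]: constructed sample line\n")
    return check_log_group(SAMPLE_CONF, d, min_lines=5)  # -> 'warning'
```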