rsyslog and logwatch don’t play well together
Notice a hell of a lot fewer log messages being reported since you’ve upgraded to a modern syslog supporting RFC 3339-style high-precision timestamps? Yeah, me too.
It seems as though logwatch doesn’t support these timestamps, so it silently filters out all messages recorded by my rsyslog daemons. What’s worse is that I can’t easily figure out a way to disable that behavior. It’s implemented using an executable filter, and — while there’s plenty of documentation about how to override configuration in /etc/logwatch — there’s no documentation about how to *remove* a filter.
Oh well. I never much liked logwatch, anyway. I mostly don’t like any log monitoring scheme that requires me to read through hundreds of daily e-mails that almost always report everything is normal. That’s not sustainable…
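The silent drop described above can be checked for directly. This is an added example, not part of the original post and not logwatch's own code: it counts how many lines from a given day a filter that only recognises the traditional syslog timestamp would lose. The regexes are a simplified stand-in for such a date filter, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Traditional syslog stamp, e.g. "Mar  3 06:25:01" (no year, 1 s precision).
TRADITIONAL = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# RFC 3339 stamp, e.g. "2024-03-03T06:25:02.481516+00:00".
RFC3339 = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}) "
)

# Constructed sample input: one traditional line, three RFC 3339 lines.
SAMPLE = [
    "Mar  3 06:25:01 web1 CRON[811]: (root) CMD (test -x /usr/sbin/anacron)",
    "2024-03-03T06:25:02.481516+00:00 web1 sshd[902]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2",
    "2024-03-03T06:25:04.000112+00:00 web1 sshd[902]: Failed password for invalid user admin from 192.0.2.10 port 51124 ssh2",
    "2024-03-02T23:59:59.999999+00:00 web1 sudo: pam_unix(sudo:session): session closed for user root",
]

def classify(line):
    """Return 'traditional', 'rfc3339' or 'unknown' for one log line."""
    if TRADITIONAL.match(line):
        return "traditional"
    if RFC3339.match(line):
        return "rfc3339"
    return "unknown"

def traditional_day_filter(lines, day):
    """Stand-in for a date filter that only knows the traditional stamp:
    keep lines starting with e.g. 'Mar  3 ', drop everything else silently."""
    prefix = f"{MONTHS[day.month - 1]} {day.day:2d} "
    return [l for l in lines if TRADITIONAL.match(l) and l.startswith(prefix)]

def coverage_report(lines, day):
    """Count lines per timestamp format and the lines from `day` the filter loses."""
    formats = Counter(classify(l) for l in lines)
    kept = traditional_day_filter(lines, day)
    lost = [l for l in lines
            if (m := RFC3339.match(l)) and m["date"] == day.isoformat()]
    return {"formats": dict(formats), "kept": len(kept),
            "silently_dropped": len(lost)}

if __name__ == "__main__":
    print(coverage_report(SAMPLE, date(2024, 3, 3)))
```

A non-zero `silently_dropped` count for a day whose report looked quiet means the report was incomplete, not that the host was idle.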