logwatch question

tom pollerman tompollerman at mail.landolls.com
Fri Mar 12 14:55:23 UTC 2004


On Fri, 12 Mar 2004 13:34:23 -0500
Bill Tangren <bjt at aa.usno.navy.mil> wrote:

> tom pollerman wrote:
> > On Fri, 12 Mar 2004 11:33:16 -0500
> > tom pollerman <tompollerman at mail.landolls.com> wrote:

> >   Additionally, you can edit /etc/log.d/conf/logwatch.conf and
> >   change
> > 'Archives = Yes' to 'No' if you don't want archived log fies
> > reported.
> > 
> >                                                    Tom 
> > 
> > 
> 
> The issue is not THAT logwatch is reporting on mrtg, it is that it
> is reporting on mrtg for MORE THAN 'yesterday'. I want logwatch to
> use the archives if necessary, because there will be days when a log
> is archived before logwatch has a chance to read it.
> 
> I just don't understand why it is reporting what it finds in logs
> going back several years, instead of just what was entered
> yesterday.
> 
> 
> 
  Bill,
 I don't run mrtg, so don't know how it is logged. If Logwatch has
an "mrtg" entry in /etc/log.d/scripts/services then it should have a
corresponding /etc/log.d/conf/logfiles/ entry.
  But, this may give you some ideas...
     /etc/log.d/conf/logfiles/* contains the types of archived files
that Logwatch analyzes for the services in
/etc/log.d/scripts/services/*.
    In each of the /etc/log.d/conf/logfiles/*.conf files there is an
'Archive = xxx.*' and an 'Archive = xxx.*.gz' line.
    So, for example for cron, it would look in ALL the cron.<anything>
and cron.<anything>.gz. If your archived cron files are, say: cron.1,
cron.2, cron.3, cron.4, ...etc and you only want cron.1 and cron.2,
you can try editing /etc/log.d/logfiles/cron.conf and changing the
'Archive = cron.*' to 'Archive = cron.1' and add the additional
'Archive = cron.2'. 
   But, if all you want is for Logwatch to look at a particular current
active logfile and its most recent logrotated logfile, you would have
'Archive = Yes' in /etc/log.d/conf/logwatch.conf and edit the
particular /etc/log.d/conf/logfiles/*, and change 'Archive = xxx.*'
to 'Archive = xxx.1' and comment out the 'Archive = xxx.*.gz' line.

                                                  Best,

                                                  Tom
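
Added example, not part of the original message and not Logwatch's own code: a small shell helper that previews which rotated files the active 'Archive = ...' lines of a logfile config would select, so a narrowed pattern can be checked before the next report. It assumes the patterns are shell globs resolved relative to the log directory; list_archives, make_sample and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# list_archives CONF LOGDIR
# Print, one per line, the files in LOGDIR matched by the uncommented
# "Archive = <pattern>" lines in CONF.
# Assumption: patterns are globs relative to LOGDIR.
list_archives() {
    conf=$1
    logdir=$2
    # Extract the pattern from active lines only; "#Archive = ..." is skipped.
    sed -n 's/^[[:space:]]*Archive[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
    while IFS= read -r pattern; do
        # $pattern is left unquoted on purpose so the shell expands the glob.
        for f in "$logdir"/$pattern; do
            # An unmatched glob stays literal; only report files that exist.
            if [ -e "$f" ]; then basename "$f"; fi
        done
    done | sort -u
}

# make_sample: build a constructed log directory and two configs,
# then print the temporary directory that holds them.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/log" "$d/conf"
    for n in cron cron.1 cron.2 cron.3 cron.4.gz; do : > "$d/log/$n"; done
    # Wide: the two default-style lines described in the message.
    printf 'Archive = cron.*\nArchive = cron.*.gz\n' > "$d/conf/wide.conf"
    # Narrow: only the most recent rotated file, .gz line commented out.
    printf 'Archive = cron.1\n#Archive = cron.*.gz\n' > "$d/conf/narrow.conf"
    echo "$d"
}

demo() {
    s=$(make_sample)
    echo "wide.conf selects:";   list_archives "$s/conf/wide.conf" "$s/log"
    echo "narrow.conf selects:"; list_archives "$s/conf/narrow.conf" "$s/log"
    rm -rf "$s"
}

demo
```
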




