Red Hat Bugzilla – Bug 128617
logwatch config results in some logs not being watched
Last modified: 2007-11-30 17:10:46 EST
Description of problem:
logwatch.conf is configured not to search archives by default. In
fact the comments read:
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'...
But the comment is not correct.
The setting does much on days when the logs get rotated (weekly).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. 4am Day 1: logwatch runs to process logs from Day 0 (yesterday)
2. 4am Day 1: logrotate rotates logfile to logfile.1, etc.
3. 4am Day 2: logwatch runs to process logs from Day 1 (yesterday)
Anything before 4am on Day 1 isn't watched
Logwatch should report on all log entries produced "yesterday."
I had an intrusion attempt that logwatch didn't report from
/var/log/secure because the attempt occurred at 1:30am. I began to
wonder why logwatch didn't report it. (Nevertheless, I don't consider
this bug a security bug.)
Note that I am only recommending "Archives = Yes" in the default
config. I am not recommending "Range = All" even slightly.
All RH and FC releases prior to FC3-test1 should be affected as well.
This bug is fixed in the current fc version (logwatch-6.1.2-1).
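
The timing gap from the steps to reproduce, modelled as an added example (not code from this report or from logwatch). The file names, log lines, dates and function names are constructed, and the parsing is a simplification rather than logwatch's own.

```python
from datetime import datetime, timedelta

# Constructed sample data: logrotate ran at 04:00 on Jul 27, so everything
# written before that moment now lives in secure.1.
LOGS = {
    "secure.1": (
        "Jul 26 22:10:03 host sshd[811]: Accepted password for alice from 192.0.2.10\n"
        "Jul 27 01:30:44 host sshd[902]: Failed password for root from 198.51.100.7\n"
    ),
    "secure": (
        "Jul 27 09:15:20 host sshd[1200]: Accepted password for alice from 192.0.2.10\n"
        "Jul 28 00:05:09 host sshd[1301]: Accepted password for bob from 192.0.2.11\n"
    ),
}

def entries_for_yesterday(logs, now, archives):
    """Return lines dated 'yesterday' relative to now.

    archives=False reads only the live file (name without a numeric suffix),
    modelling "Archives = No"; archives=True also reads rotated copies.
    """
    yesterday = (now - timedelta(days=1)).date()
    hits = []
    # Reverse name order puts secure.1 before secure, i.e. oldest first.
    for name, text in sorted(logs.items(), reverse=True):
        rotated = name.rsplit(".", 1)[-1].isdigit()
        if rotated and not archives:
            continue
        for line in text.splitlines():
            # Syslog timestamps carry no year; assume the year of the run.
            stamp = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
            if stamp.date() == yesterday:
                hits.append(line)
    return hits

def missed_without_archives(logs, now):
    """Lines from yesterday that only appear when archives are searched."""
    seen = set(entries_for_yesterday(logs, now, archives=False))
    return [l for l in entries_for_yesterday(logs, now, archives=True) if l not in seen]

if __name__ == "__main__":
    run_time = datetime(2004, 7, 28, 4, 0)  # constructed: the 4am run on Day 2
    for line in missed_without_archives(LOGS, run_time):
        print("not reported with Archives = No:", line)
```

Running the same comparison against a real log and its rotated copy shows which of yesterday's entries depend on the archive being searched.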