Description of problem:
logwatch.conf is configured not to search archives by default. In fact the comments read:

# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'...

But the comment is not correct. The setting does much on days when the logs get rotated (weekly).

Version-Release number of selected component (if applicable):
logwatch-5.1-4

How reproducible:
Always

Steps to Reproduce:
1. 4am Day 1: logwatch runs to process logs from Day 0 (yesterday)
2. 4am Day 1: logrotate rotates logfile to logfile.1, etc.
3. 4am Day 2: logwatch runs to process logs from Day 1 (yesterday)

Actual Results:
Anything before 4am on Day 1 isn't watched

Expected Results:
Logwatch should report on all log entries produced "yesterday."

Additional info:
I had an intrusion attempt that logwatch didn't report from /var/log/secure because the attempt occurred at 1:30am. I began to wonder why logwatch didn't report it. (Nevertheless, I don't consider this bug a security bug.)

Note that I am only recommending "Archives = Yes" in the default config. I am not recommending "Range = All" even slightly.

All RH and FC releases prior to FC3-test1 should be affected as well.

This bug is fixed in the current fc version (logwatch-6.1.2-1).
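
The coverage gap from the steps to reproduce, modelled as an added example (not code from this bug thread or from logwatch): it replays the 4am rotation and the next day's "yesterday" run with and without archives. The dates, log messages, addresses and function names are constructed assumptions.

```python
from datetime import datetime, timedelta

DAY1 = datetime(2004, 8, 8)  # constructed date standing in for "Day 1"

# Constructed /var/log/secure entries (timestamp, message); not from the report.
SAMPLE = [
    (DAY1 - timedelta(hours=2), "sshd: session closed for user alice"),
    (DAY1 + timedelta(hours=1, minutes=30),
     "sshd: Failed password for root from 192.0.2.10"),
    (DAY1 + timedelta(hours=9), "sshd: Accepted password for alice"),
    (DAY1 + timedelta(hours=23), "sshd: Failed password for bob from 192.0.2.11"),
    (DAY1 + timedelta(days=1, hours=2), "sshd: Accepted password for alice"),
]


def rotate(entries, when):
    """Model logrotate at `when`: older lines end up in secure.1."""
    live = [e for e in entries if e[0] >= when]
    archive = [e for e in entries if e[0] < when]
    return live, archive


def yesterday_report(run_at, live, archive, archives):
    """Entries dated the day before `run_at`.

    `archives` models the Archives setting: secure.1 is read only when True.
    """
    target = (run_at - timedelta(days=1)).date()
    scanned = live + (archive if archives else [])
    return sorted(e for e in scanned if e[0].date() == target)


def missed(run_at, live, archive):
    """Yesterday's entries that are reported only when archives are searched."""
    full = yesterday_report(run_at, live, archive, archives=True)
    partial = yesterday_report(run_at, live, archive, archives=False)
    return [e for e in full if e not in partial]


if __name__ == "__main__":
    # Step 2: rotation at 4am Day 1. Step 3: logwatch at 4am Day 2.
    live, archive = rotate(SAMPLE, DAY1 + timedelta(hours=4))
    run_at = DAY1 + timedelta(days=1, hours=4)
    for ts, msg in missed(run_at, live, archive):
        print("not reported without archives:", ts.isoformat(" "), msg)
```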