Logwatch parses the timestamps of the log files it processes. The traditional Unix syslog timestamp looks like this: May 28 14:14:46 HOSTNAME ... The rsyslog package refers to this timestamp format as "RSYSLOG_TraditionalFileFormat". It has several glaring deficiencies: it doesn't collate, it doesn't contain timezone information, and it has only single-second precision. rsyslog also supports a more modern timestamp format, called "RSYSLOG_FileFormat", which is essentially the ISO8601 date/time format. It looks like this: 2008-05-28T14:14:46.316223-04:00 HOSTNAME ... This timestamp format overcomes the deficiencies of the traditional timestamp format. However, logwatch does not understand this timestamp format; logwatch expects all system logs to have the traditional timestamp format. Logwatch should be enhanced (preferably by upstream) to understand the RSYSLOG_FileFormat for timestamps, so that system administrators have the option of using that format for system logs without breaking logwatch. If I submitted an enhancement patch for logwatch to understand the RSYSLOG_FileFormat, and the patch was reasonable, would you accept it? Would upstream?
Hello, thanks for your interest, the best solution is to discuss this problem on logwatch development mailing list - logwatch-devel. The upstream guys should be the persons who decide whether it is better to add this support or not. Could you forward this question to the upstream list? If there is any problem, please add here a comment.
I've created 2 new bugs on this issue, because rsyslog shipped with RHEL 5.5 is 3.x version which has this new timestamp by default and breaks shipped logwatch: https://bugzilla.redhat.com/show_bug.cgi?id=583607 https://bugzilla.redhat.com/show_bug.cgi?id=583621 BTW: I would be very happy if I can get a copy of the enhancement patch, because I did not found one on the Internet.