Hi, probably the distributed default config should include the workaround below not to break e.g. logwatch suddenly. +++ This bug was initially created as a clone of Bug #583607 +++ Hi, after upgrading systems from RHEL 5.4 to 5.5, logwatch reports are no longer catching entries of /var/log/secure and /var/log/messages, because rsyslog was updated to 3.x which now reports in the new timestamp without any adjustments. Just note, that default config provided by Red Hat is also not changing the timestamp entry. This results, that logwatch is now broken imho using default rsyslog configuration of 5.5 Just note that the RHEL 5.5 changelog does not mention any changes regarding rsyslog. BTW: I'm happy that RHEL 5.5 ships rsyslog 3.x, but had not expect such imcompatibility without any notice. +++ This bug was initially created as a clone of Bug #448789 +++ Logwatch parses the timestamps of the log files it processes. The traditional Unix syslog timestamp looks like this: May 28 14:14:46 HOSTNAME ... The rsyslog package refers to this timestamp format as "RSYSLOG_TraditionalFileFormat". It has several glaring deficiencies: it doesn't collate, it doesn't contain timezone information, and it has only single-second precision. rsyslog also supports a more modern timestamp format, called "RSYSLOG_FileFormat", which is essentially the ISO8601 date/time format. It looks like this: 2008-05-28T14:14:46.316223-04:00 HOSTNAME ... This timestamp format overcomes the deficiencies of the traditional timestamp format. However, logwatch does not understand this timestamp format; logwatch expects all system logs to have the traditional timestamp format. Logwatch should be enhanced (preferably by upstream) to understand the RSYSLOG_FileFormat for timestamps, so that system administrators have the option of using that format for system logs without breaking logwatch. If I submitted an enhancement patch for logwatch to understand the RSYSLOG_FileFormat, and the patch was reasonable, would you accept it? Would upstream? --- Additional comment from varekova on 2008-05-29 09:14:52 EDT --- Hello, thanks for your interest, the best solution is to discuss this problem on logwatch development mailing list - logwatch-devel. The upstream guys should be the persons who decide whether it is better to add this support or not. Could you forward this question to the upstream list? If there is any problem, please add here a comment. --- Additional comment from pb on 2010-04-19 04:59:27 EDT --- According to http://www.rsyslog.com/doc-v3compatibility.html the new timestamp was chosen by default since version 3.x now. Workaround to get old timestamp: add to first line of /etc/rsyslog.conf: $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Just note that rsyslog shipped with Fedora 12 has per default a proper timestamp config in /etc/rsyslog.conf
Filed SR#2029498 for speed up this issue
Filed sr#2062280
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: The previous rsyslog release introduced a new format of the message timestamps. However, certain utilities such as logwatch may have been unable to parse this new format properly. To prevent this, the "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" directive has been added to the /etc/rsyslog.conf configuration file to ensure that the old format is used by default.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0228.html