More Control Over Logwatch Report Dates

I’ve been happily running Logwatch on several servers with the default ‘yesterday’ date range for several years. However I needed to run it for a client with a larger date range to check out a problem. But the options available for logwatch are only ‘today’, ‘yesterday’ and ‘all’. Or so it told me. And even worse, the ‘yesterday’ option takes the date from the previous day, and pulls out all the info on that date. So if you run your logwatch report at 4pm, you’re missing out on 16 hours worth of data! But it turns out logwatch is smarter than that … Logwatch is a perl program, and it turns out that if you have the perl Date::Manip library installed, you can hand logwatch dates in much more varied formats. If you used your package manager (yum, apt-get etc) to install logwatch, the chances are you’ve got it already. But if you don’t then you can install it with either of these sample commands

apt-get install libdate-manip-perl
yum install libdate-manip-perl
... or if you're not using a package manager ... 
perl -MCPAN -e ‘install Date::Manip’

I personally use the package manager approach. Anyway, with that in place, logwatch will now accept date strings that Date:Manip understands, which is quite a lot apparently. My first task was to track down something that had happened sometime between one week ago, and one day ago. The string to use is  “between -7 days and -1 days”. You can use this either in the /etc/logwatch/conf/logwatch.conf file or as a command line option. Notice that in this case, we ask it to look in archived logs (name.log.1, name.log.2.gz etc) so that it can extend its search to the relevant days.

Range="between -7 days and -1 days"
Archives=yes

or as a command line option.

logwatch --range="between -7 days and -1 days" --archives

You must use the quotes, and the conf file only accepts double quotes. Command line will accept single quotes.

Sweet. Now how about fixing logwatch’s technically correct, but ‘not quite what I expected’ handling of your daily reports? If you replace Range=yesterday with Range=”since 23 hours ago for those hours”, you’ll get a report of the last 24 hours. You can check this by running a report (which will send you an email), and then running it again immediately afterwards and comparing the two reports. You can see that the number of emails sent out has increased by one!

There are many more options for Date::Manip, these are just two use cases. Experiment and have fun. Need a report of system logins between 2am and 5pm on June 20th? No problem as long as the logs are still there …

Leave a Comment