logwatch and logrotate might create a blind spot in reporting

From: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-01/0295.html

Date: Tue, 25 Jan 2005 16:21:44 +0200 (EET)

To: BUGTRAQ


Hello BUGTRAQ,

I’m sorry if this is old news to you, but I couldn’t find similar cases in the BUGTRAQ archives.

logwatch (www.logwatch.org) is a widely recommended tool for creating nice reports of various, often security-related logfiles. logwatch is included at least in recent Red Hat/Fedora Linux distributions, probably others as well.

The logrotate script is used to periodically rotate and delete logfiles.

The default configuration in recent Red Hat/Fedora distributions is the following:

The above defaults create a blind spot every Sunday morning between 00:00:00 - 04:01:59 (system local time), when entries added to any system logs are discarded from logwatch reports.

The situation is even worse on a busy server, in case you need to rotate some or all logfiles daily. In that case, the blind spot happens every day.

This is a problem only for organizations or system administrators relying solely on logwatch reports, as all logged information is still present in system logs.

There are some ways to make logwatch reports more reliable:

Sami Pitko

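The blind spot described in the message can be reproduced with a small simulation; this is an added example, not part of the original post or of logwatch/logrotate. It assumes a daily cron pass at 04:02 in which the report covers the previous calendar day, reads only the live logfile, and runs before that pass's rotation; the sample timestamps are constructed.

```python
from datetime import datetime, date, time, timedelta

CRON_AT = time(4, 2)   # assumption: daily cron pass at 04:02 local time
ROTATE_WEEKDAY = 6     # assumption: weekly rotation on Sunday (Monday == 0)

# Constructed sample log timestamps around Sunday 2005-01-23.
SAMPLE = [
    datetime(2005, 1, 22, 23, 30, 0),   # Saturday evening
    datetime(2005, 1, 23, 0, 0, 0),     # Sunday, start of the window
    datetime(2005, 1, 23, 3, 15, 0),
    datetime(2005, 1, 23, 4, 1, 59),    # last second before the cron pass
    datetime(2005, 1, 23, 4, 2, 0),     # first entry in the fresh logfile
    datetime(2005, 1, 23, 12, 0, 0),
    datetime(2005, 1, 24, 2, 0, 0),     # Monday, before the cron pass
    datetime(2005, 1, 24, 10, 0, 0),
]

def simulate(entries, first_day, last_day, rotate_daily=False):
    """Run one 'yesterday' report per day over the live logfile only and
    return (reported, missed); missed entries never appear in any report."""
    reported, last_rotation = set(), datetime.min
    day = first_day
    while day <= last_day:
        now = datetime.combine(day, CRON_AT)
        # The live file holds everything written since the last rotation.
        live = [e for e in entries if last_rotation <= e < now]
        yesterday = day - timedelta(days=1)
        reported.update(e for e in live if e.date() == yesterday)
        # Rotation moves the live file to an archive the report never reads.
        if rotate_daily or day.weekday() == ROTATE_WEEKDAY:
            last_rotation = now
        day += timedelta(days=1)
    # Judge only entries whose report day lies inside the simulated range.
    one = timedelta(days=1)
    in_scope = [e for e in entries if first_day <= e.date() + one <= last_day]
    return reported, sorted(e for e in in_scope if e not in reported)

if __name__ == "__main__":
    for label, daily in (("weekly", False), ("daily", True)):
        _, missed = simulate(SAMPLE, date(2005, 1, 22), date(2005, 1, 25), daily)
        print(label, "rotation, never reported:")
        for e in missed:
            print("   ", e.isoformat(sep=" "))
```

Entries that come back as missed are still in the rotated file, so a periodic check of the archived logs for the same window closes the gap in review.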



