Logwatch with Metalog

In their default setup, logwatch and metalog do not work together particularly well. This guide will show you how to reconfigure them so that logwatch can easily read metalog-generated log files.

This guide assumes you already have metalog installed and configured, but that you have not yet installed or configured logwatch.

Initial Setup
Install logwatch with:

Next we want to copy the files we intend to edit from the default logwatch configuration to :

Metalog Timestamp Format
As of, the default timestamp format has changed and is additionally now configurable. To set it back to the format that logwatch expects, add the following line to the top of :

    stamp_fmt = "%b %e %T"
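A check for the setting above, as an added example that is not part of the original guide, logwatch or metalog: it reports the lines of a log file whose leading timestamp does not match "%b %e %T". The sample lines (including their "[program] message" layout) are constructed, month names assume an English/C locale, and the log file path is taken from the command line.

```python
import re
import sys

# "%b %e %T" = abbreviated month, space-padded day, HH:MM:SS ("Jan  5 09:14:02").
# Month names assume an English/C locale (assumption of this example).
MAX_DAY = dict(zip("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(),
                   (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)))
STAMP_RE = re.compile(r"^([A-Z][a-z]{2}) ([ 1-3]\d) (\d{2}):(\d{2}):(\d{2}) ")

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "Jan  5 09:14:02 [sshd] Accepted publickey for alice",
    "Jan 15 23:59:59 [kernel] eth0: link up",
    "2024-01-05 09:14:02 [sshd] Accepted publickey for alice",  # other stamp format
    "Jan 05 09:14:02 [cron] job started",  # zero-padded day is %d, not %e
    "",
]

def stamp_ok(line):
    """True if the line starts with a valid "%b %e %T" timestamp."""
    m = STAMP_RE.match(line)
    if not m or m.group(1) not in MAX_DAY:
        return False
    day, hour, minute, second = (int(g) for g in m.groups()[1:])
    # The stamp has no year, so Feb 29 is accepted; %S may be 60 (leap second).
    return (1 <= day <= MAX_DAY[m.group(1)]
            and hour < 24 and minute < 60 and second <= 60)

def check_log(lines):
    """Return (ok_count, [(line_number, line), ...]), skipping blank lines."""
    ok, bad = 0, []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if stamp_ok(line):
            ok += 1
        else:
            bad.append((number, line))
    return ok, bad

if __name__ == "__main__":
    # Log file path comes from the first argument; the sample is used without one.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    ok, bad = check_log(source)
    print(f"{ok} lines match, {len(bad)} do not")
    for number, line in bad[:10]:
        print(f"  line {number}: {line}")
    sys.exit(1 if bad else 0)
```

Lines written before the format was changed will be reported as non-matching, so run it against entries logged after metalog has picked up the new setting.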

Reconfigure log files
Since metalog, by default, uses a completely different logfile setup to syslog-ng, preferring directories and using "current" for the currently active log file, we need to reconfigure where logwatch looks for log files.

Messages / Everything
Let's start with "messages", which metalog calls "everything". Edit and add LogFile and Archive options so that they read as follows:

LogFile determines the currently active log file, while Archive tells logwatch where the archived logs are kept. Logwatch will happily deal with compressed archived logs in bzip2 or gzip formats.

...And The Rest
Now we want to update the remaining log file configs in the same manner.

Special Case: Mail Log
By default, metalog leaves all mail logs going to the "everything" log, but it also includes a section, commented out by default, that sends mail logs to their own dedicated log.

If you use the default setup, edit the as follows:

If you have uncommented the optional section, edit the so that it reads:

Modifying Shared Scripts
Some of the shared scripts that come with logwatch don't work with the metalog format log files by default. The following sections show you how to modify these scripts to fix or work around these issues.

OnlyHost
Metalog doesn't record the machine's hostname in its log files, but logwatch will filter out of some log files any entries which don't contain the hostname. To fix this, we'll override the logwatch OnlyHost script with a modified version.

First, set up the custom scripts location:

Now create the custom version of the OnlyHost script as with the following content:

This version of the script simply returns the input, since there's no hostname entry in the metalog log files to filter on.

OnlyService, MultiService and RemoveService
The default (Only|Multi|Remove)Service scripts do not work with metalog log files, so as with the OnlyHost script, we'll override them with versions that do. Start by copying the existing scripts:

Now edit the scripts to read as follows, adding the last elsif section to each:

The removeservice script is slightly different. Here we add a condition to the unless construct so that it becomes: