Logrotate/Logwatch timing causing less useful reports

This is old-school, but I’ve been using Logwatch to keep an eye on things for a long time. I’ve been updating some boxes to AlmaLinux 10 and finding that my Logwatch e-mails don’t contain as much content as they used to (including very little in the httpd section, for example).

It appears that back in AlmaLinux 8, both Logwatch and Logrotate ran out of /etc/cron.daily:

[kwadmin@mail ~]$ ls -la /etc/cron.daily/
total 24
drwxr-xr-x.   2 root root  4096 Apr  2  2023 .
drwxr-xr-x. 100 root root 12288 Sep 12 02:38 ..
-rwxr-xr-x.   1 root root   434 Oct 15  2023 0logwatch
-rwxr-xr-x.   1 root root   189 Jan  4  2018 logrotate

so logwatch would run first.

Now, in AlmaLinux 10, logrotate runs as a systemd timer, and logwatch still runs out of cron. In my case, 3 hours after logrotate has run. Logwatch doesn’t look at the rotated files:

Preprocessing LogFile: http
 cat '/var/log/nginx/access.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/var/cache/logwatch/logwatch.99FW20IJ/http

so…logwatch ends up not having much to report on.

This may mostly affect the http reporting section, because in logrotate it rotates daily.

But basically I think there’s an interaction here that is making it so that logwatch doesn’t see most of what happened in /var/log/nginx/access.log.

I realize this is probably an upstream thing, but I’m not sure where to start here. Things I can think of:

  • Both could be timers, with logrotate depending on logwatch so logwatch runs first. The “problem” with this is that it would only work until logrotate runs, so no reruns, but I don’t normally need to rerun logwatch.
  • Logwatch could actually look at rotated log files.

Both of those seem to be upstream things too.
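
The effect described in the post above, as an added example that is not part of the original thread: a Python check that counts how many entries in the live access.log fall on the day being reported. The log lines are constructed samples, and treating the previous calendar day (15 Sep here) as the report day is an assumption.

```python
import re
from datetime import date, datetime

# Timestamp field of nginx's default "combined" log format,
# e.g. [15/Sep/2025:23:59:58 +0000]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def entry_times(lines):
    """Yield a datetime for every line with a parsable timestamp; skip the rest."""
    for line in lines:
        m = TS_RE.search(line)
        if m is None:
            continue  # truncated or non-standard line
        try:
            yield datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # right shape, but not a real date

def coverage(lines, day):
    """Return (entries dated `day`, parsable entries, earliest timestamp or None)."""
    times = list(entry_times(lines))
    on_day = sum(t.date() == day for t in times)
    return on_day, len(times), min(times, default=None)

# Constructed sample: live access.log read a few hours after a midnight rotation.
AFTER_ROTATION = [
    '203.0.113.7 - - [16/Sep/2025:00:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.9.1"',
    '198.51.100.23 - - [16/Sep/2025:02:41:17 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "-"',
]
# Constructed sample: the same file as it looked shortly before rotation.
BEFORE_ROTATION = [
    '203.0.113.7 - - [15/Sep/2025:08:12:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.9.1"',
    '198.51.100.23 - - [15/Sep/2025:23:40:58 +0000] "POST /login HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [15/Sep/2025:23:4',  # truncated line, ignored by the parser
]

if __name__ == "__main__":
    report_day = date(2025, 9, 15)  # assumption: report covers the previous day
    for label, lines in (("after rotation", AFTER_ROTATION),
                         ("before rotation", BEFORE_ROTATION)):
        on_day, total, first = coverage(lines, report_day)
        print(f"{label}: {on_day}/{total} entries on {report_day}, earliest {first}")
```

Pointed at the real file (`coverage(open("/var/log/nginx/access.log"), day)`), a count of zero for the report day means the entries for that day have already been rotated out of the file Logwatch reads.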

Hello

Solution: Change the logrotate execution time
logwatch runs daily in the early morning (usually around 4 AM) via cron. Therefore, change the logrotate timer to a later time, such as 6 AM, so logwatch runs first.

  1. Edit logrotate.timer
    Open the timer configuration file with the following command:

sudo systemctl edit logrotate.timer --full

  2. Change the OnCalendar time
    Modify the OnCalendar= line in the file as follows to set it to run daily at 6:00 AM.

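[Timer]
# "daily" is shorthand for *-*-* 00:00:00 and cannot take a time suffix, so the expression is spelled out
OnCalendar=*-*-* 06:00:00
AccuracySec=1h
Persistent=true

Save the file and exit the editor.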

Great, thank you!

I’m not all that familiar with timers and the syntax doesn’t make it obvious that you can simply add a time to OnCalendar when looking at the file.

I just installed both of these packages with defaults on a clean new AlmaLinux 10 box. I realize that this is all old-school stuff, but the combination of current defaults seems to have caused this change in behavior.

@kevbo
Hello, the following might be the best solution.
However, I haven’t tested it in my environment.
If you have any questions, please feel free to ask.

thanks

AlmaLinux 10: Run logwatch before logrotate (systemd timer method)

1. Disable logwatch in cron.daily
chmod -x /etc/cron.daily/0logwatch

2. Create a custom systemd service and timer

(a) Create the service file:
/etc/systemd/system/logwatch-before-logrotate.service
-------------------------------
[Unit]
Description=Run logwatch before logrotate

[Service]
Type=oneshot
ExecStart=/usr/sbin/logwatch
-------------------------------

(b) Create the timer file:
/etc/systemd/system/logwatch-before-logrotate.timer
-------------------------------
[Unit]
Description=Run logwatch before logrotate (daily)

[Timer]
OnCalendar=*-*-* 23:45:00
Persistent=true

[Install]
WantedBy=timers.target
-------------------------------

* Set the OnCalendar time to BEFORE the time for logrotate.timer (usually 00:00).

3. Reload systemd and enable the timer
systemctl daemon-reload
systemctl enable --now logwatch-before-logrotate.timer

4. Check the schedule
systemctl list-timers | grep logwatch
systemctl list-timers | grep logrotate

- If logwatch-before-logrotate.timer is listed before logrotate.timer, setup is complete.

That's it! Now logwatch will always run before logrotate and your reports will contain all logs as expected.