Change the content of logwatch

Is there any way to change the content order of the logwatch mails? Sometimes I receive more than 10k lines in ftpd-xferlog, so I want to place it at the end of the e-mail and, for example, the smartd would be the first.

Is there any way to configure it?

Thank you!

Hi dss

I could be wrong, sorry, but my understanding is that the logs are just a flat file, and only the contents of the file are displayed.

I think if you want to do sorting, searching or more complex features, then you will need to use a program designed for logs etc., and you can download the file to use, or perhaps use snmp or syslog.

I hope that helps a little

Many thanks



I’m sorry, I think I have totally misunderstood your post sorry.

I think you can change your logwatch conf to achieve your goal, and the link to wiki for logwatch.

I hope that helps better

Many thanks


  1. Customizing the Configuration

Logwatch can be, and has been, used on many variants of the Linux and
UNIX systems. Some distributions that include Logwatch modify the
default configuration to comply with the settings of said
distributions. Therefore, most people will not need to make any
modifications to Logwatch.

However, Logwatch, starting with version 7.0, implements a mechanism
to allow modifying the local system easier. These modifications may
be needed either because the configuration of the service that writes
to the system log has been altered from its default, or because the
Logwatch user prefers what is reported or how it is reported by
Logwatch to be different.

You can customize the output of logwatch by modifying variables in the
/etc/logwatch/conf directory.

Default values are specified in the /usr/share/logwatch/default.conf
directory. Your distribution may have set additional defaults in the
/usr/share/logwatch/dist.conf directory. All the variables available
are declared in the files under these directories. You can change the
default values to modify how or what is displayed with logwatch.

One variable available to all services, and which by default is not
specified, is the ‘Detail’ variable (note that it is not preceded by
a ‘$’ symbol). Specifying a Detail value will override the global
Detail level, for that service only.

There are two mechanisms for customizing the variables:

  1. The /etc/logwatch/conf directory is first searched for files with the
    same name and relative location as the
    /usr/share/logwatch/default.conf directory. Variables declared in
    these files override the defaults.

    For example, if file /etc/logwatch/conf/services/sendmail.conf has the
    single entry:
    $sendmail_unknownusersthreshold = 5
    then the threshold for unknown users is set to five instead of the
    default of one. All other parameters are not modified.

    The configuration files have four different types of declarations,
    determined by the first character in each line:

    ‘#’: Rest of line is a comment, and is ignored.
    ‘$’: Rest of first field is a variable
    ‘*’: Denotes the name of an executable script

    Other than blank lines, the only other declarations are
    reserved variable names, such as LogFile, Archive, etc.

    In general, setting a variable overrides any value previously set.
    However, the following variables are cumulative:

    • In logwatch.conf: LogFile, Service
    • In services/service_name.conf: LogFile
    • In logfiles/service_name.conf: LogFile, Archive

    To remove all previous declarations of that variable, set the
    variable to the empty string. Duplicate values in the cumulative
    variables are deleted.

    If an executable script is declared in an /etc/logwatch/conf file,
    all of the executable script declarations in the corresponding file
    in /usr/share/logwatch/default.conf or /usr/share/logwatch/dist.conf
    are ignored.

    Because of the way variables and executable scripts are declared,
    the files in /etc/logwatch/conf/ can be created in one of two ways:

    • you can create a file with only the modified variables (and
      new executable script declarations, if needed), as described
      above, or

    • you can copy an entire configuration file from
      /usr/share/logwatch/default.conf to its corresponding location in
      /etc/logwatch/conf, and then modify those lines that require it.
      Because duplicates are removed from cumulative variables, and
      new executable script groups override the old ones, the output
      should be correct.

  2. The /etc/logwatch/conf/override.conf file is then searched. The first
    field in each line may be one of the following:

    ‘#’
        This character indicates that the rest of the line is a
        comment, and is ignored.

    ‘logwatch:’
        This string indicates that the rest of the line is a global
        configuration option, and uses the same syntax as the
        /usr/share/logwatch/default.conf/logwatch.conf file.

    ‘services/service_name:’
        (Where service_name is the name of a service.) This string
        indicates that the rest of the line is a configuration
        option for the specified service, and uses the same syntax
        as the /usr/share/logwatch/default.conf/services files.

    ‘logfiles/service_name:’
        (Where service_name is the name of a service.) This string
        indicates that the rest of the line is a configuration
        option for the specified service, and uses the same syntax
        as the /usr/share/logwatch/default.conf/logfiles files.

    For example, if the file /etc/logwatch/conf/override.conf has the single
    entry:
    logwatch: Detail = High
    then the default detail level for all services will be set to High.

    And, in file override.conf, the following declaration:
    logfiles/messages: LogFile = syslog

    will analyze the syslog file (in addition to the default messages file)
    for certain services. But the following two declarations combined:

    logfiles/messages: LogFile =
    logfiles/messages: LogFile = syslog

    will cause the messages file to be ignored for those same services,
    and only the syslog file will be used.
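The override rules quoted above (cumulative LogFile/Service/Archive, an empty value clearing earlier declarations, duplicates dropped) are modelled below as an added example; it is not part of the original post and not Logwatch's own parser. The starting defaults (Detail = Low, LogFile = messages) and all function names are constructed for illustration.

```python
# Illustrative model of the override.conf semantics described in the quoted docs.
CUMULATIVE = {
    "logwatch": {"LogFile", "Service"},
    "services": {"LogFile"},
    "logfiles": {"LogFile", "Archive"},
}

def defaults():
    """Constructed sample standing in for the default.conf values."""
    return {"logwatch": {"Detail": "Low"},
            "logfiles/messages": {"LogFile": ["messages"]}}

def apply_declaration(config, scope, declaration):
    """Apply one 'Name = value' declaration to config[scope]."""
    name, _, value = declaration.partition("=")
    name, value = name.strip(), value.strip()
    section = config.setdefault(scope, {})
    kind = scope.split("/")[0]          # logwatch, services or logfiles
    if name in CUMULATIVE.get(kind, set()):
        if value == "":
            section[name] = []          # empty string removes earlier declarations
        elif value not in section.setdefault(name, []):
            section[name].append(value) # cumulative, duplicates are dropped
    else:
        section[name] = value           # ordinary variable: last setting wins

def apply_override(config, text):
    """Apply override.conf text, one '<scope>: Name = value' per line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue                    # blank line or comment
        scope, _, declaration = raw.partition(":")
        apply_declaration(config, scope.strip(), declaration)
    return config

# The two cases from the documentation, as override.conf contents.
ADD_SYSLOG = "logfiles/messages: LogFile = syslog\n"
ONLY_SYSLOG = ("# reset, then declare\n"
               "logfiles/messages: LogFile =\n"
               "logfiles/messages: LogFile = syslog\n")

if __name__ == "__main__":
    print(apply_override(defaults(), ADD_SYSLOG)["logfiles/messages"])
    print(apply_override(defaults(), ONLY_SYSLOG)["logfiles/messages"])
    print(apply_override(defaults(), "logwatch: Detail = High")["logwatch"])
```
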

Thank you, that was what I was looking for! But why did I not find it… :)