Sorry, it is one of the very old options only configurable inside the main.mk file.
The option you can configure has the name “logwatch_max_filesize”. The default value is 500000, which translates to 488 kB.
Just a little bit more on this. So, logwatch “count” starts at a match (can even be an “OK” green match). From there on, every line is captured (line counts) in case there is a change of state.
In other words, as long as no message matches for a log, nothing gets counted.
If you have a very chatty log (typical of Windows, but can really be bad with products like Netwrix adding to the chat), then once a match is found and count starts, it can fill up really fast (if the log is very chatty with messages). You can exceed max size quickly, even if you bump it up considerably in certain cases.
So, with that said, we switched away from using logwatch for Windows hosts and use Logwatch Event Console Forwarding instead. You handle things differently though when things are coming to the Event Console. Has its pros and cons (but mostly pro for us anyhow). Because even with a “firehose” like style (events), we still get a lot of chat from the Windows hosts, so we bulk the messages for notification rather than hammering notifications out (though we do pass them individually to our MS Teams firehose channel).