#StackBounty: #nginx #debian #logwatch http logfile filter is not shown on report

Bounty: 50

I’m on Debian 10.4 and I have a fresh installation of logwatch. Everything works as expected, except that logwatch (ver. 7.5.0) outputs everything except the http logs report.

I ran logwatch with --debug med, and in the debug output I’ve seen:

Preprocessing LogFile: http
'/tmp/logwatch.hVSrPWg3/http-archive' '/var/log/apache2/www.anonicloud.ch_access.log.1' '/var/log/apache2/other_vhosts_access.log' '/var/log/apache2/www.anonicloud.ch_access.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/expandrepeats ''| /usr/bin/perl /usr/share/logwatch/scripts/shared/applyhttpdate ''>/tmp/logwatch.hVSrPWg3/http

Preprocessing LogFile: http-error
'/var/log/apache2/error.log' '/var/log/apache2/www.anonicloud.ch_error.log'  | /usr/bin/perl /usr/share/logwatch/scripts/shared/applystddate '[%a %b %d %H:%M:%S(.d*)? %Y] '| /usr/bin/perl /usr/share/logwatch/scripts/shared/removeheaders '[w{3} w{3} d{2} dd:dd:dd(.d*)? d{4}] '>/tmp/logwatch.hVSrPWg3/http-error

… and …

Processing Service: http
( cat /tmp/logwatch.hVSrPWg3/http  |  /usr/bin/perl /usr/share/logwatch/scripts/services/http) 2>&1

export LOGWATCH_LOGFILE_LIST='/var/log/apache2/error.log /var/log/apache2/www.anonicloud.ch_error.log '
export LOGWATCH_ARCHIVE_LIST=''
export LOGWATCH_LOGFILE_LIST='/var/log/messages '
export LOGWATCH_ARCHIVE_LIST='/var/log/messages.1 /var/log/messages.2.gz /var/log/messages.3.gz '

So I argue that my http logfiles are correctly parsed.

But when I inspect the output I can’t find any reference like for other services:

# Why I can't find the same for http???
--------------------- fail2ban-messages Begin ------------------------
DEBUG: Inside Fail2Ban Filter
---------------------- fail2ban-messages End -------------------------

/usr/share/logwatch/default.conf/ignore.conf is empty (well, everything is commented out) and in my config files I haven’t excluded anything.

Edit: I’m behind an nginx reverse proxy; on my Apache server I enabled mod_remoteip and replaced all %h with %a in the log file format.

Any clue is strongly appreciated.

