Logwatch is not respecting MailFrom

After a tonne of investigation, I've tracked down the cause.

Logwatch processes /usr/share/logwatch/dist.conf/logwatch.conf after processing /usr/share/logwatch/default.conf/logwatch.conf.

Inside /usr/share/logwatch/dist.conf/logwatch.conf was three config lines:

  • mailer
  • TmpDir
  • MailFrom

It was here that MailFrom was set to root which was causing the issues. After updating it to [email protected] it all worked fine!

Unfortunately the Digital Ocean article is misleading on an important point. The logwatch configuration file should be copied (see e.g. https://help.ubuntu.com/community/Logwatch) to become /etc/logwatch/conf/logwatch.conf before being edited. Provided there is a config file at the /etc location, logwatch will prioritise the /etc file over the defaults (or even ignore the defaults, I'm not sure which). This is mentioned in the comments below the article, but like you, I didn't read the comments before going ahead with implementation. That's how I finished up here!

You should set your configuration inside /etc/logwatch/conf/logwatch.conf.

This overrides both /usr/share/logwatch/dist.conf/logwatch.conf and /usr/share/logwatch/default.conf/logwatch.conf.

From http://ftp.logwatch.org/tabs/docs/HOWTO-Customize-LogWatch.html

However, Logwatch, starting with version 7.0, implements a mechanism to allow modifying the local system easier. These modifications may be needed either because the configuration of the service that writes to the system log has been altered from its default, or because the Logwatch user prefers what is reported or how it is reported by Logwatch to be different.

You can customize the output of logwatch by modifying variables in the /etc/logwatch/conf directory.

Default values are specified in the /usr/share/logwatch/default.conf directory. Your distribution may have set additional defaults in the /usr/share/logwatch/dist.conf directory. All the variables available are declared in the files under these directories. You can change the default values to modify how or what is displayed with logwatch.