Seems that the reason behind this is due to systemd-journald replacing rsyslog.
I found a fix: https://bbs.archlinux.org/viewtopic.php?id=227516
Directly copying and pasting here in case that post disappears:
======================================================
Hello
Ever since systemd-journald replaced rsyslog - the logwatch package had more or less become useless.
Recently logwatch version 7.4.3-3 was released with support for journalctl
Reference: https://bugs.archlinux.org/task/53981
This version however does not implement conf file changes. So default logwatch still remains useless.
rsyslog had 4 main files in /var/log on which rsyslog heavily depended --> messages, maillog, cron, secure.
I have created 4 conf files - each imitates their rsyslog equivalents.
First create an EMPTY log file called emptylog.
This will be a fake log file which will be supplied to logwatch.

touch /var/log/emptylog

Now create 4 files under /usr/share/logwatch/dist.conf/logfiles, as below:

/usr/share/logwatch/dist.conf/logfiles/messages.conf

Archive =
LogFile =
LogFile = emptylog
# Facilities from /usr/include/sys/syslog.h
# default syslog directive for messages is: *.info;mail.none;authpriv.none;cron.none
# list all facilities except mail, authpriv and cron
*JournalCtl = "-q --no-pager -o short -p info SYSLOG_FACILITY=0 SYSLOG_FACILITY=1 SYSLOG_FACILITY=3 SYSLOG_FACILITY=4 SYSLOG_FACILITY=5 SYSLOG_FACILITY=6 SYSLOG_FACILITY=7 SYSLOG_FACILITY=8 SYSLOG_FACILITY=11 SYSLOG_FACILITY=16 SYSLOG_FACILITY=17 SYSLOG_FACILITY=18 SYSLOG_FACILITY=19 SYSLOG_FACILITY=20 SYSLOG_FACILITY=21 SYSLOG_FACILITY=22 SYSLOG_FACILITY=23"
# copied from existing message.conf under default.conf/logfiles directory
*ExpandRepeats
*RemoveService = talkd,telnetd,inetd,nfsd,/sbin/mingetty,netscreen,NetScreen
*ApplyStdDate = "%b %d %H:%M:%S "

/usr/share/logwatch/dist.conf/logfiles/maillog.conf

Archive =
LogFile =
LogFile = emptylog
# Facilities from /usr/include/sys/syslog.h
# default syslog directive for maillog is: mail.*
*JournalCtl = "-q --no-pager -o short SYSLOG_FACILITY=2"
# copied from existing maillog.conf under default.conf/logfiles directory
*ExpandRepeats
*ApplyStdDate = "%b %d %H:%M:%S "

/usr/share/logwatch/dist.conf/logfiles/secure.conf

Archive =
LogFile =
LogFile = emptylog
# Facilities from /usr/include/sys/syslog.h
# default syslog directive for secure is: authpriv.*
*JournalCtl = "-q --no-pager -o short SYSLOG_FACILITY=10"
# copied from existing secure.conf under default.conf/logfiles directory
*ExpandRepeats
*ApplyStdDate = "%b %d %H:%M:%S "

/usr/share/logwatch/dist.conf/logfiles/cron.conf

Archive =
LogFile =
LogFile = emptylog
# Facilities from /usr/include/sys/syslog.h
# default syslog directive for cron is: cron.*
*JournalCtl = "-q --no-pager -o short SYSLOG_FACILITY=9"
# copied from existing cron.conf under default.conf/logfiles directory
*RemoveService = anacron

Hope this gets implemented by default by the package maintainer.
Hope it helps others.
Thank you.
PS: New "git" version of logwatch accepts /dev/null as log file name. (after which emptylog can be replaced with /dev/null)
Update: Update time format as Journalctl outputs leading 0 to date.
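
The following is an added example, not part of the original post or of logwatch: a small Python helper (the name selector_to_journalctl is hypothetical) that derives the *JournalCtl option string from a classic syslog selector, so you can confirm that a conf file covers the same facilities the old rsyslog file did and that no facility silently drops out of the report. It assumes the facility numbers from /usr/include/sys/syslog.h and handles only simple selectors with one priority threshold.

```python
# Added example: facility codes as defined in /usr/include/sys/syslog.h (glibc).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def selector_to_journalctl(selector):
    """Translate a simple syslog selector into a *JournalCtl option string.

    Handles 'facility.priority', '*' wildcards, comma-separated facilities
    and 'facility.none'. Hypothetical helper, not part of logwatch.
    """
    selected = {}  # facility name -> minimum priority ("*" means any)
    for rule in selector.split(";"):
        fac_part, _, pri = rule.strip().partition(".")
        names = list(FACILITIES) if fac_part == "*" else fac_part.split(",")
        for name in names:
            if name not in FACILITIES:
                raise ValueError(f"unknown facility: {name}")
            if pri == "none":
                selected.pop(name, None)  # later rules subtract facilities
            elif pri == "*" or pri in PRIORITIES:
                selected[name] = pri
            else:
                raise ValueError(f"unknown priority: {pri}")
    if not selected:
        raise ValueError("selector matches no facility")
    levels = set(selected.values())
    if len(levels) > 1:
        # journalctl -p is one global threshold; mixed levels need separate files
        raise ValueError("mixed priorities cannot be expressed in one journalctl call")
    args = ["-q", "--no-pager", "-o", "short"]
    level = levels.pop()
    if level != "*":
        args += ["-p", level]
    # journalctl ORs repeated matches on the same field.
    codes = sorted(FACILITIES[name] for name in selected)
    args += [f"SYSLOG_FACILITY={code}" for code in codes]
    return " ".join(args)


if __name__ == "__main__":
    for sel in ("*.info;mail.none;authpriv.none;cron.none",
                "mail.*", "authpriv.*", "cron.*"):
        print(f'{sel}\n  *JournalCtl = "{selector_to_journalctl(sel)}"')
```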