In previous versions of openSUSE (up through Leap 42.2/SLE12SP2), both logwatch
and logrotate were run via scripts in the /etc/cron.daily directory; logwatch
was always run first because its symlink is named "0logwatch".

This changed in 42.3/SP3 (and continues in 15) when logrotate was changed to
use a systemd timer instead of cron.daily.  Now it is possible for logrotate to
run before logwatch, and if a log file is rotated, logwatch reports on just the
few log entries in the new log file (which may be entirely skipped, depending
on the range and archive settings used with logwatch), rather than a whole 24
hours' worth.


Example: Apache access log; assume it's large enough to be rotated.  Rotation
happens at midnight (logrotate.timer) and the file is renamed to e.g.
access_log-20181018.xz.

When cron.daily runs (at DAILY_TIME from /etc/sysconfig/cron, let's say 04:00,
or at boot and 24 hours thereafter if DAILY_TIME is not set), logwatch reports
on /var/log/apache2/access_log, which only contains entries after midnight. 
With the default range of "yesterday", nothing will be reported*.

*It would be via logwatch's archive processing (enabled by default), except
that the shipped version of logwatch does not handle xz archives, only gz &
bz2.


Fix: replace the /etc/cron.daily/0logwatch symlink with a systemd timer?  There
are systemd service/timer definitions in the logwatch git[1], although they may
need some tweaking to conform to SUSE and/or upstream systemd standards, and to
make it run before logrotate does.

Additionally, the git master has also added xz archive support, and a few other
fixes/improvements.  I don't know when an actual release will be cut, though --
there's an unanswered post in their forum asking that very thing.

[1] https://sourceforge.net/p/logwatch/git/ci/master/tree/
systemd stuff is under the scheduler subdirectory