Rsyslog is not working properly, it does not log anything

Solution 1:

Most probably it's a file ownership problem. rsyslog starts running as root but then drops privileges and runs as user syslog (configuration directive $PrivDropToUser).

syslog files (auth.log, daemon.log, etc.) are initially owned by syslog:adm, but if you change ownership to root (as it seems from your file list), then no matter whether you HUP (i.e., reload) rsyslog or restart it, it will be denied permission to open those files due to the lack of privileges.

If the change of ownership happened after log rotation, then check the create option of your logrotate configuration. Either configure it like create 0644 syslog adm in /etc/logrotate.d/rsyslog or, even better, define it globally in /etc/logrotate.conf, omitting the mode, owner and group, simply like this: create (which is the default configuration, by the way), in which case the same values of the file will be used. Consult man logrotate for the full details.

Some versions of rsyslog include a directive $omfileForceChown as a workaround for the external change of file ownership, but it's not recommended. The recommended way is to properly configure the ownership and permissions. Further information about this issue may be found following that link.
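
Added example (not part of the original answer): a POSIX shell check that compares the user named by $PrivDropToUser with the owner each logrotate create directive assigns to rotated files. The function names and sample file contents are constructed for illustration, and only the legacy $PrivDropToUser syntax is parsed. An owner mismatch is reported as a finding to review; group or other write bits are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original answer. Sample file contents are constructed.

# Print the user named by the legacy $PrivDropToUser directive, if any.
rsyslog_drop_user() {
    awk 'tolower($1) == "$privdroptouser" { user = $2 } END { print user }' "$1"
}

# Print "LINE OWNER" for each logrotate "create" directive that names an owner.
# Forms: create | create MODE | create OWNER GROUP | create MODE OWNER GROUP
logrotate_create_owners() {
    awk '{ sub(/#.*/, "") }                      # drop comments
         $1 == "create" {
             owner = ($2 ~ /^[0-7]+$/) ? $3 : $2  # skip the mode when present
             if (owner != "") print NR, owner
         }' "$1"
}

# Usage: check_rotation_owner RSYSLOG_CONF LOGROTATE_CONF
# Returns 1 and lists every create directive whose owner is not the drop user.
check_rotation_owner() {
    drop_user=$(rsyslog_drop_user "$1")
    if [ -z "$drop_user" ]; then
        echo "no \$PrivDropToUser in $1: rsyslogd keeps the user it was started as"
        return 0
    fi
    mismatches=$(logrotate_create_owners "$2" | awk -v u="$drop_user" -v f="$2" \
        '$2 != u { printf "%s:%s creates logs owned by %s, rsyslogd writes as %s\n", f, $1, $2, u }')
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Write constructed sample files into directory $1:
# an rsyslog.conf, a logrotate snippet with the wrong owner, and a correct one.
write_samples() {
    printf '%s\n' '$FileOwner syslog' '$PrivDropToUser syslog' \
        '$PrivDropToGroup syslog' > "$1/rsyslog.conf"
    printf '%s\n' '/var/log/syslog {' '    rotate 7' \
        '    create 0640 root adm' '}' > "$1/bad"
    printf '%s\n' '/var/log/syslog {' '    rotate 7' \
        '    create 0640 syslog adm' '}' \
        '/var/log/auth.log {' '    create' '}' > "$1/good"
}
```

On a real host the two arguments would be /etc/rsyslog.conf and /etc/logrotate.d/rsyslog, the files named in the answer above.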

Solution 2:

If file permissions are all good and logrotate is correctly configured, your next step will be to have a look at rsyslog system calls.

# find the start command 
me@d2-slprod02:~$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-06-21 10:04:43 CEST; 2h 26min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 18753 (rsyslogd)
    Tasks: 4
   Memory: 1.4M
      CPU: 291ms
   CGroup: /system.slice/rsyslog.service
           └─18753 /usr/sbin/rsyslogd -n

 # let's have a look at syscalls.
 sudo strace /usr/sbin/rsyslogd -n
 ...
 write(2, "rsyslogd: error during parsing f"..., 206rsyslogd: error during parsing file /etc/rsyslog.d/50-default.conf, on or before line 8: warnings occured in file '/etc/rsyslog.d/50-default.conf' around line 8 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
 ...

As soon as my typo was fixed in this file /etc/rsyslog.d/50-default.conf, syslog started to write to /var/log/syslog again!
