Linux – I accidentally deleted /var/log/syslog, Now rsyslog Won’t Log anything

bashlinuxloggingrsyslogubuntu-16.04

I accidentally deleted /var/log/syslog, thinking that the system would automatically recreated it (it doesn't).

I used touch /var/log/syslog and restarted rsyslog, but the system still isn't logging anything. I also restarted the entire server to no avail.

the output of ls -l /var/log/syslog is

-rwxrwxr-x 1 root root 0 Oct 27 13:16 syslog

How can I get the system to start loggging to syslog again?

NOTE TO FUTURE READERS

restarting rsyslog did indeed fix the issue. The reason it didn't work for me the first time was because I created the file "syslog" using touch /var/log/syslog.

The solution was delete /var/log/syslog. Then run sudo service rsyslog restart

TLDR; DONT CREATE THE FILE YOURSELF. DELETE syslog, then restart rsyslog (which will create syslog for you). Problem solved.

Best Answer

rsyslog should re-create the file (with correct permissions)after restarting:

# mv /var/log/syslog /tmp/

# /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.

# dir /var/log/syslog
-rw-r----- 1 root adm 327 Oct 27 13:28 /var/log/syslog

Perhaps try forcing a log entry to make sure it's running:

# /usr/bin/logger -p0 foo
# tail /var/log/syslog
...
Oct 27 13:31:39 myserver root: foo

Related Solutions

Redhat – Redirecting Syslog events from RHEL 6 to RHEL 5: is it possible to provide with the same event format

the difference is that apparently 6 is using rsyslog insteal of the old syslog. You can customize rsyslog with templates:

$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
*.*     @192.168.1.1;sysklogd

from kkoncepts.net

Postgresql – syslog writing to general instead of specific file

It looks to me like you have a typo in your postgresql.conf file. Make sure that you're actually using

syslog_facility = 'local0'

Also, old syslogd required that hard tabs be used instead of spaces in your config file, so make sure that you aren't actually using spaces, or that your editor isn't converting tabs into spaces (such as the expandtab option in vim).

You also mention both old syslogd and rsyslog, so check to see which one you are actually using. Rsyslog's config file was designed to be backward compatible with syslogd, but does use a different file. So if you are using rsylog then add your logging line to /etc/rsyslog.conf instead.

In order to prevent those messages from also showing up in /var/log/messages you'll need to explicitly filter out that facility. In order to do that, modify your config for messages to this:

*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none;\
    local0.none          -/var/log/messages

That translates to, "Do not write any severity levels from the local0 facility to this file." Or, in effect, exclude anything local0.*.

Best Answer

Related Solutions

Redhat – Redirecting Syslog events from RHEL 6 to RHEL 5: is it possible to provide with the same event format

Postgresql – syslog writing to general instead of specific file

Related Topic