rsyslog on debian server

Enable Rsyslog Logging on Debian

This step-by-step tutorial shows how to enable rsyslog logging on Debian 12. Debian 12 (bookworm) relies on systemd-journald by default and no longer installs rsyslog as part of a standard installation, partly so that every log message is not written to disk twice (once in the journal, once in the traditional text files). So how do you bring rsyslog back on Debian 12 and later?

Rsyslog vs Journald

rsyslog and systemd-journald are both logging systems commonly found on Linux distributions, collecting and storing log data. They differ in features, storage format, and configuration.

Rsyslog
rsyslog is the traditional, widely used syslog daemon on Linux distributions.
It follows a client-server model: log messages are received from local sources (the /dev/log socket, the kernel, files, application inputs) and can be stored locally or forwarded to remote syslog collectors.
rsyslog supports a wide range of inputs and outputs, including plain files, network transports (syslog over UDP, TCP, TLS, and RELP), and database backends.
Its configuration is flexible: routing, filtering, and processing rules can be expressed per facility, per severity, or on message content.
It supports rate limiting, filtering by severity or message content, and compression of output files. Rotation of the files it writes is not done by rsyslog itself but by logrotate, which signals rsyslog to reopen its files after each rotation.
Configuration lives in /etc/rsyslog.conf plus additional files in the /etc/rsyslog.d/ directory.
rsyslog.service is the systemd unit that starts, stops, and manages the rsyslog daemon.
By default, on many Linux distributions, rsyslog writes plain-text logs into /var/log/, with separate files for different facilities and services.
Systemd-Journald
systemd-journald is the logging component of systemd, the init system used by most modern Linux distributions, including Debian.
It stores entries in an indexed binary format with structured fields, which makes retrieval and filtering efficient.
systemd-journald captures messages from several sources: the native journal API (sd_journal_send), the /dev/log syslog socket, the stdout/stderr of services started by systemd, and the kernel log buffer (kmsg).
It provides compression, rate limiting, and rich per-entry metadata (unit, PID, UID, cgroup, and more) recorded alongside the message text.
It integrates tightly with other systemd components and keeps boot logs and kernel messages together with service output.
Journal entries are read and filtered with the journalctl command-line tool.
Configuration is in /etc/systemd/journald.conf and in drop-in files under /etc/systemd/journald.conf.d/.
The daemon is started, stopped, and managed by systemd-journald.service.
By default (Storage=auto), log data is stored persistently under /var/log/journal/ if that directory exists, otherwise only under /run/log/journal/, where it is lost at reboot. Inside, a directory named after the machine ID holds system.journal plus one user-<UID>.journal file per user.

Install Rsyslog on Debian system

Since rsyslog is no longer part of the standard Debian 12 installation (the package was dropped from the default set, not removed from the archive), it is absent after a fresh install. It is still packaged and works as before. Install it with:

apt install rsyslog

Once installed, the service is started immediately and enabled to run at boot automatically:

~] systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Tue 2023-09-12 12:27:52 UTC; 25min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 589 (rsyslogd)
      Tasks: 4 (limit: 4644)
     Memory: 3.4M
        CPU: 27ms
     CGroup: /system.slice/rsyslog.service
             └─589 /usr/sbin/rsyslogd -n -iNONE

Sep 12 12:27:52 syslog-smartcon systemd[1]: Starting rsyslog.service - System Logging Service...
Sep 12 12:27:52 syslog-smartcon systemd[1]: Started rsyslog.service - System Logging Service.
Sep 12 12:27:52 syslog-smartcon rsyslogd[589]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
Sep 12 12:27:52 syslog-smartcon rsyslogd[589]: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="589" x-info="https://www.rsyslog.com"] start

Once it is running, the traditional text log files (syslog, auth.log, kern.log and so on) reappear in /var/log. Note the imuxsock line above: rsyslog receives its messages from systemd's syslog.socket, that is, from journald, rather than reading /dev/log itself.

Disable Systemd-Journald Logging

Note that with rsyslog installed and enabled, systemd-journald keeps logging too. journald receives every message first and forwards a copy to rsyslog through /run/systemd/journal/syslog, so each entry ends up on disk twice. Compare the same SSH session in both places (and note in passing that both records show the account rrastik logging in with uid=0, a second UID-0 account besides root, which on a real server is exactly the kind of thing these logs exist to catch):

tail -f /var/log/auth.log

2023-09-12T12:27:52.472393+00:00 syslog-smartcon sshd[659]: Server listening on 0.0.0.0 port 22.
2023-09-12T12:28:15.202602+00:00 syslog-smartcon sshd[937]: Accepted password for rrastik from 192.168.48.208 port 56661 ssh2
2023-09-12T12:28:15.209173+00:00 syslog-smartcon sshd[937]: pam_unix(sshd:session): session opened for user rrastik(uid=0) by (uid=0)
2023-09-12T12:28:15.225313+00:00 syslog-smartcon systemd-logind[596]: New session 1 of user root.
journalctl --since=today | grep sshd

Sep 12 12:27:52 syslog-smartcon sshd[659]: Server listening on 0.0.0.0 port 22.
Sep 12 12:28:15 syslog-smartcon sshd[937]: Accepted password for rrastik from 192.168.48.208 port 56661 ssh2
Sep 12 12:28:15 syslog-smartcon sshd[937]: pam_unix(sshd:session): session opened for user rrastik(uid=0) by (uid=0)
Sep 12 12:28:15 syslog-smartcon sshd[937]: pam_env(sshd:session): deprecated reading of user environment enabled

If you want to save disk space, you can stop journald from keeping a persistent copy. The approach used here is to delete the journal directory: with the default Storage=auto, journald only writes to /var/log/journal when that directory exists, so removing it leaves journald with a RAM-backed journal under /run/log/journal that disappears at reboot.

rm -rf /var/log/journal

Be aware that this also destroys all existing journal history, including the metadata journald attaches to each entry (unit, PID, UID), which is what you would want during an incident investigation. The same effect without data loss is Storage=volatile in /etc/systemd/journald.conf (or a drop-in under /etc/systemd/journald.conf.d/) followed by a restart of systemd-journald; if the concern is only disk usage, SystemMaxUse= bounds the persistent journal without disabling it. journald itself keeps running either way, since it is still the path by which messages reach rsyslog. With that done, you are back to traditional text-file logging on Debian 12 and later.
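The following script is an added example and not part of the original tutorial. It achieves what the rm -rf above does (journald stops writing to /var/log/journal) but through a journald drop-in, so nothing is deleted until you decide to prune it. The drop-in directory, the file name and the 64M cap are my assumptions; the helper that reports the effective Storage= value exists only so you can confirm the override before restarting journald.

```shell
#!/bin/sh
# Added example for this tutorial, not part of the original page: switch
# journald to a RAM-only journal with a drop-in instead of deleting
# /var/log/journal, so the existing journal history survives until you
# prune it deliberately. Paths and values below are assumptions.
set -eu

# Where systemd reads journald drop-ins on a stock Debian 12 host.
JOURNALD_DROPIN_DIR="${JOURNALD_DROPIN_DIR:-/etc/systemd/journald.conf.d}"

# Write a drop-in that overrides Storage= for journald. Files in the
# drop-in directory are applied in lexical order after journald.conf, so
# a 99- prefix makes this one win over anything else. Prints the path.
write_journald_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/99-volatile.conf" <<'EOF'
[Journal]
# Keep the journal only under /run/log/journal (lost at reboot);
# rsyslog still receives every message via /run/systemd/journal/syslog.
Storage=volatile
# Bound the RAM-backed journal so a noisy service cannot fill /run.
RuntimeMaxUse=64M
EOF
    printf '%s\n' "$dir/99-volatile.conf"
}

# Work out the Storage= value journald would end up with, given a main
# journald.conf and a drop-in directory: the last uncommented Storage=
# line wins, and "auto" is the compiled-in default when nothing sets it.
effective_storage() {
    conf="$1"
    dropin_dir="$2"
    val="auto"
    for f in "$conf" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*Storage=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# Apply on the real host only when explicitly asked (needs root):
#   APPLY_JOURNALD_DROPIN=1 sh journald-volatile.sh
if [ "${APPLY_JOURNALD_DROPIN:-0}" = 1 ]; then
    write_journald_dropin "$JOURNALD_DROPIN_DIR"
    systemctl restart systemd-journald
    echo "effective Storage=: $(effective_storage /etc/systemd/journald.conf "$JOURNALD_DROPIN_DIR")"
    # The old persistent files stay in /var/log/journal; once you no
    # longer need them, prune with e.g.: journalctl --vacuum-size=50M
    journalctl --disk-usage
fi
```

Running it without APPLY_JOURNALD_DROPIN=1 only defines the functions, which lets you dry-run write_journald_dropin into a scratch directory and check the result with effective_storage before touching /etc.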

rsyslog configuration (optional)

My recommended rule set, which replaces the RULES section of Debian's stock /etc/rsyslog.conf and splits the logs into per-facility directories. Three things to keep in mind: create the directories (/var/log/auth, /var/log/cron, /var/log/lpr, /var/log/mail, /var/log/user) yourself with the ownership you want rather than relying on rsyslog creating them on the fly; the leading "-" on a path is the old syslogd marker for "do not fsync after every message" (modern rsyslog does not sync by default anyway, so it mainly documents intent: auth.log and mail.err are the files you least want to lose in a crash); and Debian's /etc/logrotate.d/rsyslog only knows the default file names, so the new paths need their own logrotate entries or they will grow without bound.

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth/auth.log
*.*;auth,authpriv.none;cron.none;lpr.none;mail.none;user.none;local5.none               -/var/log/syslog
cron.*                          /var/log/cron/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr/lpr.log
mail.*                          -/var/log/mail/mail.log
user.*                          -/var/log/user/user.log
# local5.*                        -/var/log/esets/nod32.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail/mail.info
mail.warn                       -/var/log/mail/mail.warn
mail.err                        /var/log/mail/mail.err
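As an added example, not from the original page: a few POSIX sh helpers that take a rule set like the one above and do the chores the rules themselves do not, namely create the target directories, generate a logrotate stanza for the new paths, and parse-check the file with rsyslogd -N1 before the service is restarted. Function names, the logrotate policy (weekly, 4 rotations, 0640 root:adm) and the dry-run prefix are my assumptions; /usr/lib/rsyslog/rsyslog-rotate is the postrotate helper shipped by Debian's rsyslog package. The parser handles only legacy "selector path" rule lines, not RainerScript action() statements.

```shell
#!/bin/sh
# Added example for this tutorial, not part of the original page: sanity
# checks and housekeeping for a per-facility rule set. Function names and
# the logrotate policy are assumptions; the paths come from the config
# file you pass in. Only legacy "selector  [-]/path" rules are parsed.
set -eu

# Print every output file named in the rule lines of an rsyslog config,
# stripping the leading "-" (legacy "no sync" marker), skipping comments,
# blank lines and directives such as $IncludeConfig /etc/rsyslog.d/*.conf.
rule_targets() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 !~ /^\$/ && index($1, ".") && $2 ~ /^-?\// {
             sub(/^-/, "", $2); print $2
         }' "$1" | sort -u
}

# Create the parent directory of every target. PREFIX (optional) lets you
# dry-run into a scratch tree instead of the real /var/log.
ensure_log_dirs() {
    conf="$1"
    prefix="${2:-}"
    rule_targets "$conf" | while IFS= read -r target; do
        mkdir -p "$prefix$(dirname "$target")"
    done
}

# Emit a logrotate stanza covering every target. Debian's stock
# /etc/logrotate.d/rsyslog only lists the default file names, so files
# under the new directories would otherwise never be rotated. The
# postrotate helper is the one Debian's rsyslog package installs; it
# HUPs rsyslog so it reopens the rotated files.
logrotate_stanza() {
    rule_targets "$1"
    cat <<'EOF'
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    create 0640 root adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
EOF
}

# Parse-check the config with rsyslogd itself (-N1 = validate and exit)
# before restarting the service; exits non-zero on a broken config.
check_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not found; skipping syntax check" >&2
    fi
}

# Typical use on the host, as root, after editing /etc/rsyslog.conf:
#   ensure_log_dirs /etc/rsyslog.conf
#   logrotate_stanza /etc/rsyslog.conf > /etc/logrotate.d/rsyslog-split
#   check_config /etc/rsyslog.conf && systemctl restart rsyslog
```

If a path ends up listed both in the generated stanza and in the stock /etc/logrotate.d/rsyslog, logrotate refuses it as a duplicate entry, so remove the overlapping lines from the stock file once the new one is in place.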
