This step-by-step tutorial shows how to enable rsyslog logging on Debian 12. Debian 12 (bookworm) relies on systemd-journald for logging and no longer installs rsyslog by default, so that each message is not written to disk twice (once to the journal and once to the classic text files under /var/log). So, how do you get rsyslog logging back on Debian 12 and later?
Rsyslog and Systemd-journald are both logging systems commonly used in Linux distributions for collecting and storing log data. However, they have different features, functionalities, and configurations.
- rsyslog is a traditional and widely-used logging system in Linux distributions.
- It uses a client-server architecture where log messages can be received from various sources and forwarded to remote syslog servers or stored locally.
- rsyslog supports a wide range of log inputs and outputs, including files, network protocols (like syslog, TCP, and UDP), and database backends.
- It provides flexible configuration options, allowing customization of log routing, filtering, and processing rules.
- rsyslog supports advanced features such as rate limiting, message modification, and filtering based on severity levels or message content; on Debian, rotation and compression of the files it writes are handled by logrotate (/etc/logrotate.d/rsyslog), not by rsyslog itself.
- Configuration is typically done through the /etc/rsyslog.conf file and additional configuration files in the /etc/rsyslog.d/ directory.
- rsyslog.service is responsible for starting, stopping, and managing the rsyslog daemon.
- By default, on many Linux distributions, rsyslog stores logs in /var/log/ directory, with different log files for various system components and services.
- systemd-journald is the logging component of systemd, the init system used by most modern Linux distributions.
- It uses a binary log format and stores log data in a structured manner, making it efficient for log retrieval and analysis.
- systemd-journald collects messages from several sources: the native journal API, the classic syslog socket /dev/log (which journald owns), the standard output and error of the services it manages, and the kernel ring buffer.
- It provides advanced features such as log compression, rate limiting, and the ability to store metadata along with log entries.
- systemd-journald integrates well with other systemd components and can capture additional system information like boot logs and kernel messages.
- Logs stored by systemd-journald are accessed using the journalctl command-line tool.
- Configuration options for systemd-journald are specified in /etc/systemd/journald.conf and in drop-in files under /etc/systemd/journald.conf.d/.
- Starting, stopping, and managing the systemd-journald daemon is managed by the systemd-journald.service.
- With the default Storage=auto, log data is kept persistently under /var/log/journal/<machine-id>/ when that directory exists (Debian 12 creates it), and otherwise only in volatile storage under /run/log/journal/. Inside that directory, system messages are held in system.journal and each user's session messages in user-<UID>.journal files.
Since rsyslog is no longer installed by default on Debian 12, it is absent from a fresh system. It is still possible to install the rsyslog package, and it works as usual. Execute the command below to install it:
apt install rsyslog
When installed, it is started and enabled to run on system boot by default:
systemctl status rsyslog

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Tue 2023-09-12 12:27:52 UTC; 25min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 589 (rsyslogd)
      Tasks: 4 (limit: 4644)
     Memory: 3.4M
        CPU: 27ms
     CGroup: /system.slice/rsyslog.service
             └─589 /usr/sbin/rsyslogd -n -iNONE

Sep 12 12:27:52 syslog-smartcon systemd: Starting rsyslog.service - System Logging Service...
Sep 12 12:27:52 syslog-smartcon systemd: Started rsyslog.service - System Logging Service.
Sep 12 12:27:52 syslog-smartcon rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2302.0]
Sep 12 12:27:52 syslog-smartcon rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="589" x-info="https://www.rsyslog.com"] start
Once started, you should now be able to see more log files written to /var/log.
Note that when rsyslog is installed and enabled, systemd-journald keeps logging as well. Every message still enters journald first (it owns /dev/log), and journald forwards a copy to rsyslog over the /run/systemd/journal/syslog socket that imuxsock acquired in the status output above. As a result, each message is written twice on disk. Compare the same SSH events in both stores:
tail -f /var/log/auth.log

2023-09-12T12:27:52.472393+00:00 syslog-smartcon sshd: Server listening on 0.0.0.0 port 22.
2023-09-12T12:28:15.202602+00:00 syslog-smartcon sshd: Accepted password for rrastik from 192.168.48.208 port 56661 ssh2
2023-09-12T12:28:15.209173+00:00 syslog-smartcon sshd: pam_unix(sshd:session): session opened for user rrastik(uid=0) by (uid=0)
2023-09-12T12:28:15.225313+00:00 syslog-smartcon systemd-logind: New session 1 of user root.

journalctl --since=today | grep sshd

Sep 12 12:27:52 syslog-smartcon sshd: Server listening on 0.0.0.0 port 22.
Sep 12 12:28:15 syslog-smartcon sshd: Accepted password for rrastik from 192.168.48.208 port 56661 ssh2
Sep 12 12:28:15 syslog-smartcon sshd: pam_unix(sshd:session): session opened for user rrastik(uid=0) by (uid=0)
Sep 12 12:28:15 syslog-smartcon sshd: pam_env(sshd:session): deprecated reading of user environment enabled
If you want to save disk space, you can stop systemd-journald from keeping a persistent copy of the logs. Do not stop or mask journald itself: rsyslog only receives messages through it. The approach from the Debian release notes is to remove the persistent journal directory, /var/log/journal. With the default Storage=auto, journald then falls back to volatile storage under /run/log/journal (held in RAM, lost on reboot) and keeps forwarding to rsyslog:

rm -rf /var/log/journal

Two caveats: this deletes every journal entry already persisted on the host, so archive the directory first if you may need that history (journalctl --disk-usage shows its size), and journald applies the change on its next start, so restart systemd-journald or reboot. The same effect without deleting anything is Storage=volatile in journald.conf.
And that is it. You are now back to traditional logging on Debian 12 and higher.
My recommendation for the rsyslog rules (replace the RULES section of /etc/rsyslog.conf with it; if the stock rules stay in place, both rule sets write the same messages):

###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.*                         /var/log/auth/auth.log
*.*;auth,authpriv.none;cron.none;lpr.none;mail.none;user.none;local5.none -/var/log/syslog
cron.*                                  /var/log/cron/cron.log
daemon.*                                -/var/log/daemon.log
kern.*                                  -/var/log/kern.log
lpr.*                                   -/var/log/lpr/lpr.log
mail.*                                  -/var/log/mail/mail.log
user.*                                  -/var/log/user/user.log
# local5.*                              -/var/log/esets/nod32.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                               -/var/log/mail/mail.info
mail.warn                               -/var/log/mail/mail.warn
mail.err                                /var/log/mail/mail.err

Two things to note. local5 is excluded from /var/log/syslog but its own rule is commented out, so local5 messages are dropped until you uncomment that line or remove local5.none from the catch-all. The targets live in per-facility subdirectories such as /var/log/auth/; rsyslog creates these on demand (omfile's createDirs is on by default), but logrotate knows nothing about the new paths until you add them to /etc/logrotate.d/rsyslog, so they grow unbounded in the meantime.
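To pull the steps above together, here is an added shell script (example code, not part of the original post or of the rsyslog or Debian projects) that installs the recommended rules as a drop-in, checks them for facilities that are excluded from syslog but routed nowhere, switches journald to volatile storage through a drop-in rather than by deleting /var/log/journal, validates the configuration with rsyslogd -N1, and sends a tagged probe message to confirm rsyslog is writing. The drop-in file names /etc/rsyslog.d/10-local-rules.conf and /etc/systemd/journald.conf.d/10-volatile.conf are this example's choice; the rule text is the one above, embedded verbatim.

```sh
#!/bin/sh
# Added example, not from the original post: install the recommended rules as a
# drop-in, pre-check them for gaps, keep journald in RAM only, and verify with a probe.
# Drop-in file names are this example's choice.
set -eu

RSYSLOG_DROPIN=/etc/rsyslog.d/10-local-rules.conf
JOURNALD_DROPIN=/etc/systemd/journald.conf.d/10-volatile.conf

# The rule set recommended above (legacy selector syntax). The matching stock RULES
# in /etc/rsyslog.conf must be removed, or each message is written twice.
RSYSLOG_RULES='auth,authpriv.*                         /var/log/auth/auth.log
*.*;auth,authpriv.none;cron.none;lpr.none;mail.none;user.none;local5.none -/var/log/syslog
cron.*                                  /var/log/cron/cron.log
daemon.*                                -/var/log/daemon.log
kern.*                                  -/var/log/kern.log
lpr.*                                   -/var/log/lpr/lpr.log
mail.*                                  -/var/log/mail/mail.log
user.*                                  -/var/log/user/user.log
# local5.*                              -/var/log/esets/nod32.log
mail.info                               -/var/log/mail/mail.info
mail.warn                               -/var/log/mail/mail.warn
mail.err                                /var/log/mail/mail.err'

# Active rules from stdin: comments and blank lines dropped, "-" (async write) stripped.
rule_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' |
        awk '{ sub(/^-/, "", $2); print $1, $2 }'
}

# Unique directories the rules write into.
log_dirs() {
    rule_lines | awk '$2 ~ /^\// { d = $2; sub(/\/[^\/]*$/, "", d); print d }' | sort -u
}

# Facilities excluded from a catch-all with "facility.none" but routed by no other
# rule: their messages are silently dropped (local5 in the rules above).
unrouted_facilities() {
    rule_lines | awk '
    {
        n = split($1, sel, ";")
        for (i = 1; i <= n; i++) {
            if (split(sel[i], fp, ".") < 2) continue
            m = split(fp[1], fac, ",")
            for (j = 1; j <= m; j++) {
                if (fac[j] == "*") continue
                if (fp[2] == "none") excluded[fac[j]] = 1; else routed[fac[j]] = 1
            }
        }
    }
    END { for (f in excluded) if (!(f in routed)) print f }' | sort
}

# journald drop-in: RAM-only journal (/run/log/journal) instead of deleting
# /var/log/journal, with forwarding to rsyslog made explicit.
journald_volatile_dropin() {
    printf '[Journal]\nStorage=volatile\nForwardToSyslog=yes\n'
}

apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    gaps=$(printf '%s\n' "$RSYSLOG_RULES" | unrouted_facilities | tr '\n' ' ')
    [ -z "$gaps" ] || echo "warning: excluded from syslog but routed nowhere: $gaps" >&2
    # Pre-create target directories; the auth directory is readable by root and adm only.
    printf '%s\n' "$RSYSLOG_RULES" | log_dirs | while read -r d; do install -d -m 0755 "$d"; done
    chgrp adm /var/log/auth && chmod 0750 /var/log/auth
    printf '%s\n' "$RSYSLOG_RULES" > "$RSYSLOG_DROPIN"
    # -N1 parses the full config (main file plus drop-ins) and exits without running.
    if ! rsyslogd -N1; then rm -f "$RSYSLOG_DROPIN"; echo "invalid rules, drop-in removed" >&2; exit 1; fi
    install -d -m 0755 /etc/systemd/journald.conf.d
    journald_volatile_dropin > "$JOURNALD_DROPIN"
    systemctl restart systemd-journald rsyslog
    # Probe: a tagged auth message must land in rsyslog's file; journald keeps only a RAM copy.
    tag="rsyslog-probe-$$"
    logger -p auth.info -t "$tag" "probe"
    sleep 1
    grep -q "$tag" /var/log/auth/auth.log && echo "ok: $tag in /var/log/auth/auth.log"
}

case "${1:-}" in
    apply) apply_all ;;
    check) printf '%s\n' "$RSYSLOG_RULES" | unrouted_facilities ;;
esac
```

Run it with `check` on any machine to see which facilities the rule set silently drops (here: local5), and with `apply` as root on the Debian 12 host to install the drop-ins. The parsing functions work only on the legacy selector syntax used above; rules written in RainerScript (`if ... then action(...)`) would need a different parser.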