Enable Rsyslog Logging on Debian 12


This step-by-step tutorial takes you through how to enable Rsyslog logging on Debian 12. Debian 12 Bookworm uses systemd-journald for logging by default. As such, it has deprecated the use of Rsyslog for logging, so that log messages are not written to disk twice.

Enabling Rsyslog Logging on Debian 12

Rsyslog vs Journald

Rsyslog and Systemd-journald are both logging systems commonly used in Linux distributions for collecting and storing log data. However, they have different features, functionalities, and configurations.

Rsyslog

  • rsyslog is a traditional and widely-used logging system in Linux distributions.
  • It uses a client-server architecture where log messages can be received from various sources and forwarded to remote syslog servers or stored locally.
  • rsyslog supports a wide range of log inputs and outputs, including files, network protocols (like syslog, TCP, and UDP), and database backends.
  • It provides flexible configuration options, allowing customization of log routing, filtering, and processing rules.
  • rsyslog supports advanced features such as log rotation, compression, log rate limiting, and filtering based on severity levels or message content.
  • Configuration is typically done through the /etc/rsyslog.conf file and additional configuration files in the /etc/rsyslog.d/ directory.
  • rsyslog.service is responsible for starting, stopping, and managing the rsyslog daemon.
  • By default, on many Linux distributions, rsyslog stores logs in /var/log/ directory, with different log files for various system components and services.

Systemd-Journald

  • systemd-journald is a new logging system that is part of the systemd initialization system, which is becoming the standard in many modern Linux distributions.
  • It uses a binary log format and stores log data in a structured manner, making it efficient for log retrieval and analysis.
  • systemd-journald captures log messages directly from services and processes that use the systemd journal API.
  • It provides advanced features such as log compression, rate limiting, and the ability to store metadata along with log entries.
  • systemd-journald integrates well with other systemd components and can capture additional system information like boot logs and kernel messages.
  • Logs stored by systemd-journald are accessed using the journalctl command-line tool.
  • Configuration options for systemd-journald are specified in the /etc/systemd/journald.conf file.
  • Starting and stopping the systemd-journald daemon is handled by systemd-journald.service.
  • By default, the log data is stored in /var/log/journal/ directory. The logs are organized by system and user, with separate directories for each.

Install Rsyslog on Debian 12

Since Rsyslog has been deprecated and made optional on Debian 12, it is no longer installed by default.

It is, however, still possible to install the rsyslog package, and it will work as usual.

Execute the commands below to install it:

sudo apt update
sudo apt install rsyslog

When installed, it is started and enabled to run on system boot by default:

systemctl status rsyslog

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Sun 2023-07-09 07:20:41 CEST; 13s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 8868 (rsyslogd)
      Tasks: 4 (limit: 2284)
     Memory: 1.6M
        CPU: 9ms
     CGroup: /system.slice/rsyslog.service
             └─8868 /usr/sbin/rsyslogd -n -iNONE

Jul 09 07:20:41 bookworm systemd[1]: Starting rsyslog.service - System Logging Service...
Jul 09 07:20:41 bookworm rsyslogd[8868]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
Jul 09 07:20:41 bookworm systemd[1]: Started rsyslog.service - System Logging Service.
Jul 09 07:20:41 bookworm rsyslogd[8868]: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="8868" x-info="https://www.rsyslog.com"] start

Once started, you should now be able to see more log files written to /var/log.

Before the rsyslog package was installed, this is what the /var/log directory looked like:

ls -1 /var/log/

alternatives.log
apt
boot.log
btmp
cups
dpkg.log
faillog
fontconfig.log
gdm3
installer
journal
lastlog
private
README
speech-dispatcher
wtmp

After the rsyslog package was installed, you should see more log files;

ls -1 /var/log

alternatives.log
apt
auth.log
boot.log
btmp
cups
dpkg.log
faillog
fontconfig.log
gdm3
installer
journal
kern.log
lastlog
private
README
speech-dispatcher
syslog
user.log
wtmp

Rsyslog Log Rotation

logrotate should still be able to rotate the rsyslog logs normally;

cat /etc/logrotate.d/rsyslog

/var/log/syslog
/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		/usr/lib/rsyslog/rsyslog-rotate
	endscript
}

Disable Systemd-Journald Logging

Note that, when rsyslog is installed and enabled, systemd-journald is still logging as well. As such, you will end up with logs being written twice on disk.

See sample SSH logs;

tail -f /var/log/auth.log

...
2023-07-09T07:43:56.805153+02:00 bookworm sshd[4002]: Accepted password for kifarunix from ::1 port 60980 ssh2
2023-07-09T07:43:56.806404+02:00 bookworm sshd[4002]: pam_unix(sshd:session): session opened for user kifarunix(uid=1000) by (uid=0)
2023-07-09T07:43:56.828788+02:00 bookworm systemd-logind[500]: New session 5 of user kifarunix.
2023-07-09T07:43:56.856568+02:00 bookworm sshd[4002]: pam_env(sshd:session): deprecated reading of user environment enabled

journalctl -f

...
Jul 09 07:43:56 bookworm sshd[4002]: Accepted password for kifarunix from ::1 port 60980 ssh2
Jul 09 07:43:56 bookworm sshd[4002]: pam_unix(sshd:session): session opened for user kifarunix(uid=1000) by (uid=0)
Jul 09 07:43:56 bookworm systemd-logind[500]: New session 5 of user kifarunix.
Jul 09 07:43:56 bookworm systemd[1]: Started session-5.scope - Session 5 of User kifarunix.

If you want to save some disk space, you can disable systemd-journald logging. This can be done by removing the logging directory, /var/log/journal, thus preventing journald from using its own message persistence logic.

rm -rf /var/log/journal
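
Whether removing /var/log/journal stops persistent journald writes depends on the Storage= setting in journald.conf: with auto (the default) the existence of the directory decides, while with persistent journald creates the directory again. The check below is an added example, not part of the original tutorial; the function name journald_effective_storage is made up for illustration, and it reads only the configuration files passed to it (here the main file and drop-ins under /etc).

```shell
#!/bin/sh
# Added example: resolve the storage mode journald ends up using.
# Usage: journald_effective_storage JOURNAL_DIR CONF_FILE...
# Later files override earlier ones, the way drop-ins override journald.conf.
journald_effective_storage() {
    dir="$1"; shift
    mode="auto"                          # journald's built-in default
    for f in "$@"; do
        if [ -r "$f" ]; then
            # Last uncommented Storage= line inside [Journal] wins in a file.
            v=$(awk -F= '
                /^[ \t]*\[/ { in_j = ($0 ~ /^[ \t]*\[Journal\]/); next }
                in_j && /^[ \t]*Storage[ \t]*=/ {
                    gsub(/[ \t\r]/, "", $2); val = $2
                }
                END { print val }' "$f")
            case "$v" in
                none|volatile|persistent|auto) mode="$v" ;;
                *) : ;;                  # unset or unrecognised: skipped here
            esac
        fi
    done
    case "$mode" in
        none|volatile) echo "$mode" ;;
        persistent)    echo "persistent" ;;  # directory is created if missing
        auto)
            # The directory's existence alone selects disk or /run storage.
            if [ -d "$dir" ]; then echo "persistent"; else echo "volatile"; fi ;;
    esac
}

# Read-only report for this host: persistent, volatile or none.
journald_effective_storage /var/log/journal \
    /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf
```

A result of volatile means journald keeps only the current boot's messages under /run/log/journal, so journalctl still works until the next reboot.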

And that is it. You are now back to traditional logging on Debian 12!

That closes our guide on enabling Rsyslog logging on Debian 12.

Kifarunix