I accidentally deleted /var/log/syslog, Now rsyslog Won't Log anything
I accidentally deleted /var/log/syslog, thinking that the system would automatically recreated it (it doesn't).
I used touch /var/log/syslog
and restarted rsyslog, but the system still isn't logging anything. I also restarted the entire server to no avail.
the output of ls -l /var/log/syslog
is
-rwxrwxr-x 1 root root 0 Oct 27 13:16 syslog
How can I get the system to start loggging to syslog again?
NOTE TO FUTURE READERS
restarting rsyslog did indeed fix the issue. The reason it didn't work for me the first time was because I created the file "syslog" using touch /var/log/syslog
.
The solution was delete /var/log/syslog
. Then run sudo service rsyslog restart
TLDR; DONT CREATE THE FILE YOURSELF. DELETE syslog, then restart rsyslog (which will create syslog for you). Problem solved.
Solution 1:
rsyslog should re-create the file (with correct permissions)after restarting:
# mv /var/log/syslog /tmp/
# /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.
# dir /var/log/syslog
-rw-r----- 1 root adm 327 Oct 27 13:28 /var/log/syslog
Perhaps try forcing a log entry to make sure it's running:
# /usr/bin/logger -p0 foo
# tail /var/log/syslog
...
Oct 27 13:31:39 myserver root: foo
Solution 2:
Even though the file had been deleted, the file handle that the rsyslog was using was likely still open and being written to. lsof
can be used to verify this, and can also tell you what files are open by the process if you want to see where logs are being written. pidof rsyslogd | xargs lsof -p
Solution 3:
This could be an issue with SELinux. When you touch a file you create a MAC label that is not compatible with the MAC permissions needed for the logging elements. Allowing the startup to create the file attaches the correct MAC label. Even if you had changed the file permissions (DAC) you still probably would have had problems.