{"id":17775,"date":"2023-07-09T09:00:36","date_gmt":"2023-07-09T06:00:36","guid":{"rendered":"https:\/\/kifarunix.com\/?p=17775"},"modified":"2024-03-10T10:25:14","modified_gmt":"2024-03-10T07:25:14","slug":"enable-rsyslog-logging-on-debian-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enable-rsyslog-logging-on-debian-12\/","title":{"rendered":"Enable Rsyslog Logging on Debian 12"},"content":{"rendered":"\n<p>This step by step tutorial will take you through how to enable Rsyslog logging on Debian 12. Debian 12 bookworm uses <a href=\"https:\/\/www.freedesktop.org\/software\/systemd\/man\/systemd-journald.service.html\" target=\"_blank\" rel=\"noreferrer noopener\">systemd-journald<\/a> logging by default. As such, it has deprecated the use of Rsyslog for logging so as to prevent the log messages being written twice on disk.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#enabling-rsyslog-logging-on-debian-12\">Enabling Rsyslog Logging on Debian 12<\/a><ul><li><a href=\"#rsyslog-vs-journald\">Rsyslog vs Journald<\/a><ul><li><a href=\"#rsyslog\">Rsyslog<\/a><\/li><li><a href=\"#systemd-journald\">Systemd-Journald<\/a><\/li><\/ul><\/li><li><a href=\"#install-rsyslog-on-debian-12\">Install Rsyslog on Debian 12<\/a><\/li><li><a href=\"#rsyslog-log-rotation\">Rsyslog Log Rotation<\/a><\/li><li><a href=\"#disable-systemd-journald-logging\">Disable Systemd-Journald Logging<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"enabling-rsyslog-logging-on-debian-12\">Enabling Rsyslog Logging on Debian 12<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rsyslog-vs-journald\">Rsyslog vs Journald<\/h3>\n\n\n\n<p>Rsyslog and Systemd-journald are both logging systems commonly used in Linux distributions for collecting and storing log data. 
However, they have different features, functionalities, and configurations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"rsyslog\">Rsyslog<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>rsyslog is a traditional and widely-used logging system in Linux distributions.<\/li>\n\n\n\n<li>It uses a client-server architecture where log messages can be received from various sources and forwarded to remote syslog servers or stored locally.<\/li>\n\n\n\n<li>rsyslog supports a wide range of log inputs and outputs, including files, network protocols (like syslog, TCP, and UDP), and database backends.<\/li>\n\n\n\n<li>It provides flexible configuration options, allowing customization of log routing, filtering, and processing rules.<\/li>\n\n\n\n<li>rsyslog supports advanced features such as log rotation, compression, log rate limiting, and filtering based on severity levels or message content.<\/li>\n\n\n\n<li>Configuration is typically done through the \/etc\/rsyslog.conf file and additional configuration files in the \/etc\/rsyslog.d\/ directory.<\/li>\n\n\n\n<li><strong>rsyslog.service<\/strong> is responsible for starting, stopping, and managing the <code>rsyslog<\/code> daemon.<\/li>\n\n\n\n<li>By default, on many Linux distributions, <code>rsyslog<\/code> stores logs in <code>\/var\/log\/<\/code> directory, with different log files for various system components and services.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"systemd-journald\">Systemd-Journald<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>systemd-journald<\/code> is a new logging system that is part of the systemd initialization system, which is becoming the standard in many modern Linux distributions.<\/li>\n\n\n\n<li>It uses a binary log format and stores log data in a structured manner, making it efficient for log retrieval and analysis.<\/li>\n\n\n\n<li><code>systemd-journald<\/code> captures log messages directly from services and processes that use the systemd journal 
API.<\/li>\n\n\n\n<li>It provides advanced features such as log compression, rate limiting, and the ability to store metadata along with log entries.<\/li>\n\n\n\n<li><code>systemd-journald<\/code> integrates well with other systemd components and can capture additional system information like boot logs and kernel messages.<\/li>\n\n\n\n<li>Logs stored by <code>systemd-journald<\/code> are accessed using the <code>journalctl<\/code> command-line tool.<\/li>\n\n\n\n<li>Configuration options for <code>systemd-journald<\/code> are specified in the <code>\/etc\/systemd\/journald.conf<\/code> file.<\/li>\n\n\n\n<li>Starting, stopping, and managing the <code>systemd-journald<\/code> daemon is handled by the <code>systemd-journald.service<\/code>.<\/li>\n\n\n\n<li>By default, the log data is stored in the <code>\/var\/log\/journal\/<\/code> directory. The logs are organized by system and user, with separate directories for each.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-rsyslog-on-debian-12\">Install Rsyslog on Debian 12<\/h3>\n\n\n\n<p>Since Rsyslog has been deprecated and made optional on Debian 12, it no longer comes installed by default.<\/p>\n\n\n\n<p>It is, however, still possible to install the&nbsp;rsyslog&nbsp;package and it will work as usual.<\/p>\n\n\n\n<p>Thus, execute the commands below to install rsyslog;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install rsyslog<\/code><\/pre>\n\n\n\n<p>When installed, it is started and enabled to run on system boot by default;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status rsyslog<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf rsyslog.service - System Logging Service\n     Loaded: loaded (\/lib\/systemd\/system\/rsyslog.service; enabled; preset: enabled)\n     Active: active (running) since Sun 2023-07-09 07:20:41 CEST; 13s ago\nTriggeredBy: \u25cf syslog.socket\n       Docs: 
man:rsyslogd(8)\n             man:rsyslog.conf(5)\n             https:\/\/www.rsyslog.com\/doc\/\n   Main PID: 8868 (rsyslogd)\n      Tasks: 4 (limit: 2284)\n     Memory: 1.6M\n        CPU: 9ms\n     CGroup: \/system.slice\/rsyslog.service\n             \u2514\u25008868 \/usr\/sbin\/rsyslogd -n -iNONE\n\nJul 09 07:20:41 bookworm systemd[1]: Starting rsyslog.service - System Logging Service...\nJul 09 07:20:41 bookworm rsyslogd[8868]: imuxsock: Acquired UNIX socket '\/run\/systemd\/journal\/syslog' (fd 3) from systemd.  [v8.2302.0]\nJul 09 07:20:41 bookworm systemd[1]: Started rsyslog.service - System Logging Service.\nJul 09 07:20:41 bookworm rsyslogd[8868]: [origin software=\"rsyslogd\" swVersion=\"8.2302.0\" x-pid=\"8868\" x-info=\"https:\/\/www.rsyslog.com\"] start\n<\/code><\/pre>\n\n\n\n<p>Once started, you should now be able to see more log files written to <strong><code>\/var\/log<\/code><\/strong>.<\/p>\n\n\n\n<p>Before the rsyslog package was installed, this is what the \/var\/log directory looked like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/var\/log\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nalternatives.log\napt\nboot.log\nbtmp\ncups\ndpkg.log\nfaillog\nfontconfig.log\ngdm3\ninstaller\njournal\nlastlog\nprivate\nREADME\nspeech-dispatcher\nwtmp\n<\/code><\/pre>\n\n\n\n<p>After the rsyslog package was installed, you should see more log files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/var\/log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nalternatives.log\napt\nauth.log\nboot.log\nbtmp\ncups\ndpkg.log\nfaillog\nfontconfig.log\ngdm3\ninstaller\njournal\nkern.log\nlastlog\nprivate\nREADME\nspeech-dispatcher\nsyslog\nuser.log\nwtmp\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rsyslog-log-rotation\">Rsyslog Log Rotation<\/h3>\n\n\n\n<p><strong>logrotate<\/strong> should still be able to rotate the rsyslog logs normally;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat 
\/etc\/logrotate.d\/rsyslog<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\/var\/log\/syslog\n\/var\/log\/mail.log\n\/var\/log\/kern.log\n\/var\/log\/auth.log\n\/var\/log\/user.log\n\/var\/log\/cron.log\n{\n\trotate 4\n\tweekly\n\tmissingok\n\tnotifempty\n\tcompress\n\tdelaycompress\n\tsharedscripts\n\tpostrotate\n\t\t\/usr\/lib\/rsyslog\/rsyslog-rotate\n\tendscript\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"disable-systemd-journald-logging\">Disable Systemd-Journald Logging<\/h3>\n\n\n\n<p>Note that, when rsyslog is installed and enabled, systemd-journald is still logging as well. As such, you will end up with logs being written twice on disk.<\/p>\n\n\n\n<p>See sample SSH logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/auth.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n2023-07-09T07:43:56.805153+02:00 bookworm sshd[4002]: Accepted password for kifarunix from ::1 port 60980 ssh2\n2023-07-09T07:43:56.806404+02:00 bookworm sshd[4002]: pam_unix(sshd:session): session opened for user kifarunix(uid=1000) by (uid=0)\n2023-07-09T07:43:56.828788+02:00 bookworm systemd-logind[500]: New session 5 of user kifarunix.\n2023-07-09T07:43:56.856568+02:00 bookworm sshd[4002]: pam_env(sshd:session): deprecated reading of user environment enabled\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>journalctl -f<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nJul 09 07:43:56 bookworm sshd[4002]: Accepted password for kifarunix from ::1 port 60980 ssh2\nJul 09 07:43:56 bookworm sshd[4002]: pam_unix(sshd:session): session opened for user kifarunix(uid=1000) by (uid=0)\nJul 09 07:43:56 bookworm systemd-logind[500]: New session 5 of user kifarunix.\nJul 09 07:43:56 bookworm systemd[1]: Started session-5.scope - Session 5 of User kifarunix.\n<\/code><\/pre>\n\n\n\n<p>If you want to save some disk space, you can disable systemd-journald logging. 
This can be done by removing the logging directory, <strong>\/var\/log\/journal<\/strong>, thus preventing journald from using its own message persistence logic.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rm -rf \/var\/log\/journal<\/code><\/pre>\n\n\n\n<p>And that is it. You are now back to traditional logging on Debian 12!<\/p>\n\n\n\n<p>That closes our guide on enabling Rsyslog logging on Debian 12.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/forward-apache-logs-to-central-log-server-with-rsyslog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Forward Apache Logs to Central Log Server with Rsyslog<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-rsyslog-server-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Rsyslog Server on Ubuntu 22.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This step by step tutorial will take you through how to enable Rsyslog logging on Debian 12. 
Debian 12 bookworm uses systemd-journald logging by default.<\/p>\n","protected":false},"author":10,"featured_media":17780,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,72,331],"tags":[7026,7027,7028,7025],"class_list":["post-17775","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-monitoring","category-syslog","tag-debian-12-rsyslog","tag-disable-journald-on-rsyslog","tag-enable-rsyslog-on-debian-12","tag-install-rsyslog-debian-12","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17775"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=17775"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17775\/revisions"}],"predecessor-version":[{"id":20816,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17775\/revisions\/20816"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/17780"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=17775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=17775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=17775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}