7

I've set up an Ubuntu 14.04 Server (from an Ubuntu 12.04 Server) but today I wanted to look in the auth.log but this file is not used. It seems that ´syslog´ was deleted.

How does Ubuntu 14.04 log? I need this for a server.

Thank you.

4 Answers4

4

14.04 uses rsyslog. When I upgraded from 12.04 to 14.04 I had to change the owner of the logfiles in /var/log from root to syslog.

(In /etc/rsyslog.conf the owner is defined as

$FileOwner syslog
$FileGroup adm

)

You should also take a look at /etc/rsyslog.d/50-default.conf where it is defined which events are logged to which files. There is also a line for /var/log/syslog. Maybe it's commented out.

fuenfundachtzig
  • 185
  • 7
  • 2
    When I upgraded, `rsyslog` was not installed at all. `/var/log/syslog`, `auth.log`, etc. were not being updated. `apt-get install rsyslog` resolved the issue (and automatically updated ownership of those files the same way you suggest). – Lorrin Nov 28 '14 at 08:22
1

I just performed a brand new install of Ubuntu 14.04 using the official server media.

Rsyslog was installed, and the auth.log a valid log file with the default configuration. It is configured by the file /etc/rsyslog.d/50-default.conf

If you do not have an auth.log then I must assume you did one of the following:

  • changed the config
  • used a syslog daemon other than rsyslog
  • used an Ubuntu installer that set different defaults.

Without knowing exactly what syslog daemon you are using it is difficult to tell.

If you are using rsyslog, then take a look at your /etc/rsyslog.conf, and any files in /etc/rsyslog.d. See where the auth,authpriv.* messages are being logged to.

Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • I was just doing the same install for this and something else. – user9517 May 16 '14 at 17:42
  • I don't have the possibility to execute a new installation. Ihave checked the DPKG-Logs and ´klog´ and ´sysklogd´ have the ´rc´tag now and not the installed ´ii´tag. Can I install this packages on my server? –  May 16 '14 at 17:50
1

If you find a final message like this in /var/log/syslog:

Dec 29 19:27:32 host rsyslogd-2039: 
Could no open output pipe '/dev/xconsole': 
No such file or directory [try http://www.rsyslog.com/e/2039 ]

then that is the culprit. It happens because the default version of /etc/rsyslog.d/50-default.conf in Ubuntu 14.04.1 LTS (or at least an earlier version and kept in upgrades) expects you to use /dev/xconsole for error monitoring, but that's just not available in headless server environments.

To fix this, disable the corresponding section in /etc/rsyslog.d/50-default.conf, making it look like this:

# daemon.*;mail.*;\
#        news.err;\
#        *.=debug;*.=info;\
#        *.=notice;*.=warn       |/dev/xconsole

Then restart rsyslog (sudo service rsyslog restart) and logfiles should now work.

Source: this answer to AskUbuntu SE question "Missing /dev/xconsole causes rsyslog to stop as well as all other services".

Community
  • 1
tanius
  • 666
  • 7
  • 13
1

I ran into this issue when installing a brand new Ubuntu 14.04 and enabling fail2ban for ssh logins.

Ubuntu 14.04 uses rsyslog with default user syslog and group adm. However, the /var/log directory has permissions root:root 0755, meaning rsyslog cannot create a new logfile in the directory, such as the /var/log/auth.log file.

There are multiple ways to solve this.

Make /var/log/ writeable for all users

sudo chmod 0777 /var/log

Change owner/group of /var/log

sudo chown syslog:adm /var/log
sudo chmod 0775 /var/log

Touch /var/log/auth.log and change its owner/group to syslog:adm

sudo touch /var/log/auth.log
sudo chown syslog:syslog /var/log/auth.log

Change user/group rsyslog runs as (discouraged)

editor /etc/rsyslog.conf
$FileOwner root
$FileGroup root
Xyz
  • 111
  • 1
  • 10