2

I have a problem: SSH logins and other info are not logged under /var/log/* (especially auth.log).

I've been reading all the questions here and there, but the configuration seems to be fine, the permissions are set correctly, and I'm cross-checking with other servers of mine and the confs are identical.

Note: in order to access the machine, I have to ssh to the main machine, which then does the forwarding based on the port, e.g. `ssh root@myserver -p 221`. myserver has the conf to forward 221 to serverwithproblem:22. For the other server I still see the logs, so it couldn't be that.

Basically, I can't figure out what's going on.

Here is the rsync.conf:

```
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#           For more information see
#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/var/log/mail.log
user.*              -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info           -/var/log/mail.info
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Logging for INN news system.
#
news.crit           /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice         -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#   news.=crit;news.=err;news.=notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warn   /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn   |/dev/xconsole
```

/etc/rsyslog.d/*.conf is empty.

sshd_config is set to this:

```
# Logging
SyslogFacility AUTH
LogLevel INFO
```

The ownership of /var/log/auth is set to root:adm. Any idea where the problem is?

EsseTi
  • What happens if you try `logger -p auth.err test message`? Does that get logged correctly? Have you tried restarting/reloading the syslog service? – Paul Haldane Nov 15 '16 at 10:32
  • edit: the string is not in the log file – EsseTi Nov 15 '16 at 10:33
  • That suggests there's a problem with rsyslogd. At a glance the config looks OK. Is the rsyslogd process running? Have you tried restarting the rsyslogd service? What Linux distribution is this? Have a look at the rsyslog site for troubleshooting suggestions. – Paul Haldane Nov 15 '16 at 13:49
  • rsyslog is running (checked with `service rsyslog status`). Version is Debian jessie. I just updated it. I also tried to do a `service rsyslog rotate` (deleting the auth.log file before doing so) and no file is added. – EsseTi Nov 15 '16 at 14:04
  • 1
    If I start it in debug mode with `rsyslogd -dn >~/tmp/rsys.log`, it works. I can add messages. That's strange. – EsseTi Nov 15 '16 at 14:21
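
An added example (not part of the original question or its comments): a small evaluator for the legacy selector syntax, run over rules copied from the posted rsyslog.conf, to confirm where a message of a given facility and severity should land. The function names are illustrative, and the evaluation follows the sysklogd-style left-to-right semantics that rsyslog's legacy selectors use; `!` negation is not handled.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Subset of the rules posted in the question (continuation lines included).
RULES = r"""
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn   |/dev/xconsole
"""

def parse_rules(text):
    """Join backslash continuations, skip comments and $ directives, split selector/action."""
    lines = (l.strip() for l in re.sub(r"\\\n\s*", "", text).splitlines())
    return [tuple(l.split(None, 1)) for l in lines if l and l[0] not in "#$"]

def compile_selector(selector):
    """Return {facility: set of severities}; later parts override earlier ones."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        exact = pri.startswith("=")
        pri = ALIASES.get(pri.lstrip("="), pri.lstrip("="))
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":
                mask[fac] = set()                  # drop everything selected so far
            elif pri == "*":
                mask[fac] = set(SEVERITIES)
            elif exact:
                mask[fac].add(pri)                 # only this severity
            else:                                  # this severity and more severe
                mask[fac] |= set(SEVERITIES[:SEVERITIES.index(pri) + 1])
    return mask

def destinations(facility, severity, text=RULES):
    """Actions that receive the message; the leading '-' (no sync after write) is stripped."""
    return [action.lstrip("-") for sel, action in parse_rules(text)
            if severity in compile_selector(sel)[facility]]
```

With these rules, `destinations("auth", "err")` returns only `/var/log/auth.log`, so the `logger -p auth.err` probe from the comments has exactly one file it should appear in; a miss there points at the daemon rather than at the rules.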

2 Answers

1

After some digging I found that the init script checks for a file under /etc/default/rsyslog.

Mine was set like this:

```
# Options for rsyslogd
# -x disables DNS lookups for remote messages
# See rsyslogd(8) for more details
RSYSLOGD_OPTIONS=""
```

By commenting out the `RSYSLOGD_OPTIONS=""` line (add a # at the beginning) it started working properly again!

EsseTi
0

I gave up debugging it. Actually, in my case rsyslogd works fine when started from the command line but doesn't work properly (skips logs, doesn't log auth and user logs ever, etc.).

I made sure permissions are OK, and debugged it for 2 hours without noticing any problem except less activity than it should show (when not started from the command line).

```
apt-get remove rsyslog
apt-get install syslog-ng
```

This switches out the buggy rsyslog with syslog-ng; it's a very close drop-in replacement.

John