Rsyslog not creating log files

Question

I'm hardening an Ubuntu 14.04 VM to CIS standards and am having a problems getting rsyslog to create the necessary files.

Note: I'm getting better with Linux but I'm no master yet, please excuse any ignorance.

I inserted a file /etc/rsyslog.d/CIS.conf with the following contents:

*.emerg :omusrmsg:*
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

I also modified /etc/rysyslog.conf. The contents are thus:

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support

$KLogPermitNonKernelFacility on

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RepeatedMsgReduction on

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf

the repeating contents of /var/log/syslog is:

Apr  6 10:03:10 ubuntu rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
Apr  6 10:15:17 ubuntu rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="3074" x-info="http://www.rsyslog.com"] exiting on signal 15.
Apr  6 10:15:17 ubuntu rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="3152" x-info="http://www.rsyslog.com"] start
Apr  6 10:15:17 ubuntu rsyslogd: rsyslogd's groupid changed to 104
Apr  6 10:15:17 ubuntu rsyslogd: rsyslogd's userid changed to 101

I tried commenting out the xconsole line in /etc/rsyslog.d/50-default.conf and then restarting rsyslog. After doing that, I now don't see any xconsole errors appearing.

What else can I do to try to pinpoint why rsyslog isn't creating these files?

Thanks!

not sure about rsyslog, but classic syslog used to refuse to create the initial file; you'd have to `touch` it first. rsyslog may be doing the same thing, and/or may have a behavior flag/switch that allows it to create the file. — Jeff Schaller, Apr 07 '16 at 16:33
maybe this is a different "rsyslogd" but http://linux.die.net/man/5/rsyslog.conf says that the file path should start with a "/" -- yours have a hyphen in front. Does removing the hypen help any? — Jeff Schaller, Apr 07 '16 at 17:09
http://www.rsyslog.com/doc/v8-stable/compatibility/v3compatibility.html#output-file-syncing says more about this. Not sure what exactly "if rsyslogd finds sync selector lines, it ignores them by default" means - if it ignores the hyphen or ignores the whole selector line. — Jeff Schaller, Apr 07 '16 at 17:12

score 10 · Answer 1 · edited May 25 '19 at 06:22

10

Create /dev/xconsole and set its correct ownership and permissions:

sudo touch /dev/xconsole
sudo chgrp syslog /dev/xconsole
sudo chmod 664 /dev/xconsole

Restart the rsyslog service as follows:

Ubuntu 14.04

sudo service rsyslog restart

Ubuntu 16.04 and later, using systemd

sudo systemctl restart rsyslog

Verify the error message no longer appears:

tail -n100 /var/log/syslog | grep rsyslog

edited May 25 '19 at 06:22

G-Man Says 'Reinstate Monica'

22,130
27
68
117

answered Sep 22 '17 at 03:03

venzen

201
2
6

No, /dev/xconsole is not a regular file, you need mknod to create it ```mknod -m 640 /dev/xconsole p``` will do the trick – fraff May 20 '21 at 09:16

score 0 · Answer 2 · answered Jun 13 '18 at 05:47

0

May be it is a permission issue to the /dev/xconsole folder. Try using chmod to change permission and restart it. It might work.

answered Jun 13 '18 at 05:47

starStruck

1
1

Rsyslog not creating log files

2 Answers2