Package: rsyslog
Version: 8.24.0-1
Severity: important
File: /usr/sbin/rsyslogd
Hello there!
We found a number of Debian 9 servers that stopped logging after OS updates in
2018-06. If my memory serves me (and it probably doesn't), it would appear that
syslog was removed but rsyslog wasn't installed as a replacement. When we
installed rsyslog there was an error in the file
/etc/rsyslogs/named.conf
I don't understand what the error is. We didn't create the file manually, it
was a part of a Debian package at some point.
That error prevents rsyslogd from writing to auth.log and other important log
files. There is no output to stout to say there was an issue starting or
running.
Here's the error:
# service rsyslog status
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset:
enabled)
Active: active (running) since Wed 2018-10-24 15:56:51 CDT; 3s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 13874 (rsyslogd)
Tasks: 4 (limit: 4915)
CGroup: /system.slice/rsyslog.service
└─13874 /usr/sbin/rsyslogd -n
Oct 24 15:56:51 sochi systemd[1]: Starting System Logging Service...
Oct 24 15:56:51 sochi liblogging-stdlog[13874]: [origin software="rsyslogd"
swVersion="8.24.0" x-pid="13874" x-info="http://www.rsyslog.com";] start
Oct 24 15:56:51 sochi liblogging-stdlog[13874]: action 'logging' treated as
':omusrmsg:logging' - please use ':omusrmsg:logging' syntax instead, 'logging'
will not be supported in the future
Oct 24 15:56:51 sochi systemd[1]: Started System Logging Service.
Oct 24 15:56:51 sochi liblogging-stdlog[13874]: error during parsing file
/etc/rsyslog.d/named.conf, on or before line 1: warnings occured in file
'/etc/rsyslog.d/named.conf' around line 1 [
Oct 24 15:56:51 sochi liblogging-stdlog[13874]: error during parsing file
/etc/rsyslog.d/named.conf, on or before line 1: syntax error on token '{'
[v8.24.0 try http://www.rsyslog.com/e/2207
Oct 24 15:56:51 sochi liblogging-stdlog[13874]: CONFIG ERROR: could not
interpret master config file '/etc/rsyslog.conf'. [v8.24.0 try
http://www.rsyslog.com/e/2207 ]
Here is that named.conf file:
# cat /etc/rsyslog.d/named.conf
logging {
channel bind_log {
file "/var/log/bind/bind.log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { bind_log; };
category update { bind_log; };
category update-security { bind_log; };
category security { bind_log; };
category queries { bind_log; };
category lame-servers { null; };
};
By moving that file to an unexpected extension, we can restart rsyslogd and
things are working again
mv /etc/rsyslog.d/named.conf /etc/rsyslog.d/named.conf.bak
Thanks Debian and everyone!
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rsyslog depends on:
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u3
ii libestr0 0.1.10-2
ii libfastjson4 0.99.4-1
ii liblogging-stdlog0 1.0.5-2+b2
ii liblognorm5 2.0.1-1.1+b1
ii libsystemd0 232-25+deb9u4
ii libuuid1 2.29.2-1+deb9u1
ii lsb-base 9.20161125
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages rsyslog recommends:
ii logrotate 3.11.0-0.1
Versions of packages rsyslog suggests:
pn rsyslog-doc <none>
pn rsyslog-gnutls <none>
pn rsyslog-gssapi <none>
pn rsyslog-mongodb <none>
pn rsyslog-mysql | rsyslog-pgsql <none>
pn rsyslog-relp <none>
-- no debconf information
