How to Locate and Configure NTPD Log Files on Linux Servers: A Sysadmin’s Guide


12 views

By default, ntpd (Network Time Protocol daemon) doesn't create its own dedicated log file on most Linux distributions. Instead, it typically logs to syslog. The exact logging behavior depends on your distribution and configuration:


# Check if ntpd is using syslog
grep -i ntp /etc/syslog.conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf

Here's where to find ntpd-related logs on common distributions:


# Ubuntu/Debian
/var/log/syslog
/var/log/daemon.log

# RHEL/CentOS
/var/log/messages

# Systemd-based systems
journalctl -u ntpd
journalctl -u chronyd  # For systems using chrony

To create a dedicated ntpd log file, modify your rsyslog configuration:


# Create a new rsyslog config file
sudo nano /etc/rsyslog.d/ntp.conf

# Add these lines:
if $programname == 'ntpd' then /var/log/ntpd.log
& stop

# Restart rsyslog
sudo systemctl restart rsyslog

To increase ntpd's logging level, edit your ntpd configuration:


# Edit ntpd.conf
sudo nano /etc/ntp.conf

# Add these options:
logconfig =syncall +clockall +sysall +peerall
logfile /var/log/ntpd.log
statsdir /var/log/ntpstats/  # For statistics files

# Restart ntpd
sudo systemctl restart ntpd

For persistent logging, set up log rotation:


# Create logrotate config
sudo nano /etc/logrotate.d/ntpd

# Add these lines:
/var/log/ntpd.log {
    weekly
    missingok
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 ntp ntp
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

Common log entries and their meanings:

# Successful synchronization
ntpd[1234]: synchronized to 192.0.2.1, stratum 2

# Peer issues
ntpd[1234]: no server suitable for synchronization found

# Time jump detected
ntpd[1234]: time reset +2.343423 s

By default, ntpd doesn't write to a dedicated log file in most Linux distributions. Instead, it logs through syslog, which means you'll typically find ntpd messages in:

/var/log/syslog        # Debian/Ubuntu systems
/var/log/messages      # RHEL/CentOS systems
/var/log/daemon.log    # Some distributions

To check for ntpd entries, use:

grep ntpd /var/log/syslog
# or for systems using journalctl:
journalctl -u ntpd --no-pager

For more control over ntpd logging, you can configure it to write to a specific file. Edit your ntpd configuration file (usually /etc/ntp.conf) and add:

# Enable logging to a specific file
logfile /var/log/ntpd.log

After making changes, restart ntpd:

systemctl restart ntpd  # Systemd systems
service ntpd restart    # SysVinit systems

For more granular control over logging levels, use these options in ntp.conf:

# Log all peer communications
logconfig =syncall +clockall +peerall +sysall

# Alternative: Minimum logging
logconfig =syncstatus +sysevents

Common log levels include:

  • syncstatus: Clock synchronization status
  • peerevents: Peer connection events
  • sysevents: System events
  • all: Full debugging (verbose)

To prevent log files from growing too large, set up log rotation by creating /etc/logrotate.d/ntpd:

/var/log/ntpd.log {
    weekly
    missingok
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 ntp ntp
    postrotate
        systemctl restart ntpd >/dev/null 2>&1 || true
    endscript
}

After configuration, verify logging is working with:

ntpq -c "rv 0 logconfig"

This will display the current logging configuration. For real-time monitoring:

tail -f /var/log/ntpd.log

If logging isn't working as expected:

  1. Verify ntpd has write permissions to the log file directory
  2. Check if SELinux/AppArmor is blocking access (use audit2allow on RHEL)
  3. Ensure sufficient disk space is available
  4. Confirm the log file path in ntp.conf is absolute

For debugging purposes, you can run ntpd in foreground with verbose logging:

ntpd -d -n -g -c /etc/ntp.conf