Locating NTPD Log Files: A Sysadmin’s Guide to Troubleshooting Time Sync Issues


14 views

The default location for ntpd logs varies depending on your Linux distribution and configuration. While many services log to /var/log, ntpd often uses different mechanisms:


# Common locations to check:
/var/log/ntp.log
/var/log/ntpd.log
/var/log/messages      # May contain ntpd entries
/var/log/syslog        # Common system log location
/var/log/daemon.log    # On Debian-based systems

On systems using systemd (most modern distributions), ntpd logs are typically handled by journald:


# View ntpd logs with journalctl
journalctl -u ntpd
journalctl -u ntpd --since "2023-08-01" --until "2023-08-02"

# Follow live logs
journalctl -u ntpd -f

Ntpd can be configured to log to specific files in /etc/ntp.conf:


# Example ntp.conf logging directives
logfile /var/log/ntp.log
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

After modifying ntp.conf, remember to restart the service:


systemctl restart ntpd
# or on older systems:
service ntpd restart

If you still can't locate logs, try these debugging approaches:


# Check running ntpd process for log options
ps aux | grep ntpd

# Verify if syslog is filtering ntpd messages
grep -i ntpd /etc/rsyslog.conf /etc/syslog.conf

# Check for SELinux/AppArmor restrictions
audit2why -a | grep ntpd

When logs aren't available, use these ntpd commands:


# Check synchronization status
ntpq -pn

# Query peer information
ntpdc -c peers

# Check kernel variables
ntpdc -c kerninfo

# Monitor drift
ntptime

The ntpd daemon (Network Time Protocol daemon) doesn't create its own dedicated log file by default in most Linux distributions. This often confuses administrators expecting to find logs in /var/log/ like other services.

Depending on your system configuration, ntpd logs might appear in:

/var/log/messages      # Most RHEL-based systems
/var/log/syslog        # Most Debian-based systems
/var/log/daemon.log    # Alternative location on Debian/Ubuntu

To enable dedicated logging, edit your /etc/ntp.conf file:

# Add these lines to your ntp.conf
logfile /var/log/ntpd.log
logconfig =syncall +clockall +sysall +peerall

Then create the log file and restart ntpd:

sudo touch /var/log/ntpd.log
sudo chown ntp:ntp /var/log/ntpd.log
sudo systemctl restart ntpd

For modern systems using systemd, try:

journalctl -u ntpd -f            # Follow logs in real-time
journalctl -u ntpd --since today # Today's logs
journalctl -u ntpd -b            # Since last boot

Check current logging level:

ntpq -c "rv 0 logconfig"

Output example:

logconfig=+sysall +peerall +clockall +syncall

Create a custom rsyslog rule in /etc/rsyslog.d/ntp.conf:

:programname, isequal, "ntpd" /var/log/ntpd.log
& stop

Then restart rsyslog:

sudo systemctl restart rsyslog