How to Access and Restore Missing System Logs (/var/log/syslog, auth.log, kern.log) in Debian 12 Bookworm



Debian 12 Bookworm made a significant shift in its logging system by transitioning from rsyslog to journald (systemd-journald) as the default logging service. This means traditional log files like /var/log/syslog, /var/log/auth.log, and /var/log/kern.log are no longer created by default.


# Check active logging service
systemctl status systemd-journald

Instead of text files, logs are now stored in a binary format and can be accessed using:


# Basic journalctl commands
journalctl -b       # Show logs since last boot
journalctl -k       # Kernel messages (replaces kern.log)
journalctl -u ssh   # Service-specific logs (Debian's OpenSSH unit is ssh.service)
journalctl -f       # Follow logs (like tail -f)

For those who prefer the classic log files, you can install rsyslog alongside journald:


# Install and configure rsyslog
sudo apt install rsyslog
sudo systemctl enable --now rsyslog

After installation, edit /etc/rsyslog.conf to enable the desired log files:


# Example configuration to restore auth.log
auth,authpriv.*     /var/log/auth.log

For persistent storage of journal logs (which are volatile by default):


# Create persistent journal storage
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald

Journalctl offers several output formats for different use cases:


# JSON output for parsing
journalctl -b -o json

# Verbose output
journalctl -o verbose

# Export logs to text file
journalctl > system_logs.txt
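
An added example, not part of the original page, of what the JSON output makes possible once auth.log is gone: counting failed SSH password attempts per source address from `journalctl -o json` lines. The sample records and the function names are constructed for illustration; filtering on `_COMM` is a choice made here because underscore-prefixed fields are set by journald itself rather than by the process that wrote the message.

```python
import json
import re
from collections import Counter

FAILED = re.compile(r"^Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def _entry(comm, message):
    # Builds one constructed journal record as a JSON line.
    return json.dumps({"_COMM": comm, "SYSLOG_IDENTIFIER": "sshd", "MESSAGE": message})

# Constructed sample (documentation IP ranges), shaped like `journalctl -o json` output.
SAMPLE = [
    _entry("sshd", "Failed password for invalid user admin from 203.0.113.5 port 53122 ssh2"),
    _entry("sshd", "Failed password for root from 203.0.113.5 port 53124 ssh2"),
    _entry("sshd", "Accepted publickey for alice from 198.51.100.7 port 40022 ssh2"),
    # journald serializes non-UTF-8 messages as an array of byte values
    _entry("sshd", list(b"Failed password for root from 198.51.100.9 port 2222 ssh2\xff")),
    # ... and oversized fields as null
    _entry("sshd", None),
    # Forged identifier: SYSLOG_IDENTIFIER says sshd, but _COMM shows the real sender
    _entry("logger", "Failed password for root from 192.0.2.1 port 1 ssh2"),
    "not json at all",
]

def message_text(entry):
    """Return MESSAGE as text, or None when journald emitted null or no MESSAGE."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, str):
        return msg
    if isinstance(msg, list) and all(isinstance(b, int) for b in msg):
        return bytes(msg).decode("utf-8", errors="replace")
    return None

def failed_logins(lines):
    """Count failed sshd password attempts per source address."""
    per_source = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(entry, dict) or entry.get("_COMM") != "sshd":
            continue
        text = message_text(entry)
        match = FAILED.match(text) if text else None
        if match:
            per_source[match.group(1)] += 1
    return per_source

if __name__ == "__main__":
    for source, count in failed_logins(SAMPLE).most_common():
        print(f"{source}\t{count}")
```

On a live system, pass the lines produced by `journalctl -u ssh -o json` to `failed_logins` in place of the sample.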

Since Debian Bookworm (12) uses systemd-journald by default, traditional log files like /var/log/syslog may appear missing. This isn't a deletion but a fundamental architecture change. To see it, compare the boots recorded in the journal with what is left in /var/log:


# Check active logging system
journalctl --list-boots
# vs traditional
ls /var/log/

For developers needing specific log types:


# System logs equivalent to syslog
journalctl -S today

# Authentication logs (replaces auth.log)
journalctl _SYSTEMD_UNIT=ssh.service   # the unit is ssh.service on Debian, not sshd.service

# Kernel logs (replaces kern.log)
journalctl -k

To maintain traditional log files while using journald:


# Install rsyslog (if not present)
sudo apt install rsyslog

# Enable and start the service
sudo systemctl enable --now rsyslog

# Verify both systems are running
systemctl status rsyslog systemd-journald

For production debugging:


# Time-range filtered logs
journalctl --since "2023-07-01" --until "2023-07-02"

# Priority-based filtering
journalctl -p err..alert

# Follow logs in real-time (like tail -f)
journalctl -f -u nginx

For managing journald storage:


# Check current disk usage
journalctl --disk-usage

# Set size limits in /etc/systemd/journald.conf
[Journal]
SystemMaxUse=500M
RuntimeMaxUse=200M