Debugging Missing Log Files in Debian Wheezy: Syslog, Auth.log and Kern.log Not Updating After Upgrade



After upgrading from Debian Squeeze to Wheezy, you might notice your critical system logs (/var/log/syslog, /var/log/auth.log, /var/log/kern.log, /var/log/messages) have stopped updating. First verify this isn't a permission issue:

ls -l /var/log/syslog
tail -f /var/log/syslog

Wheezy defaults to rsyslog. Check if it's running:

service rsyslog status
ps aux | grep '[r]syslog'   # bracket trick keeps grep from matching its own process

If stopped, attempt restart:

service rsyslog restart

Compare your working Squeeze config with Wheezy's default (/etc/rsyslog.conf). Key differences often include:

# Old Squeeze format
auth.*                        /var/log/auth.log
*.*;auth.none                 /var/log/syslog

# New Wheezy format needs:
auth,authpriv.*               /var/log/auth.log
*.info;mail.none;authpriv.none;cron.none  /var/log/syslog

Wheezy introduced stricter AppArmor profiles. Check for denials:

# kern.log may itself be stale, so read the kernel ring buffer directly
dmesg | grep -i apparmor | grep rsyslog
aa-status | grep rsyslog

Temporary fix while testing:

sudo aa-complain /usr/sbin/rsyslogd

Modern rsyslog requires explicit module loading. Ensure these exist in /etc/rsyslog.conf:

$ModLoad imuxsock # provides local system logging
$ModLoad imklog   # provides kernel logging

After making changes, test with the logger command:

logger "Test message to syslog"
tail -n1 /var/log/syslog

For persistent logging across reboots, ensure rsyslog starts at boot:

update-rc.d rsyslog defaults

When your Debian system stops writing to critical log files after upgrading to Wheezy, first verify the logging subsystem status:

# Check rsyslog service status
sudo service rsyslog status

# Verify disk space and inodes
df -h
df -i

# Test manual logging
logger "Test message from command line"
tail -n 1 /var/log/syslog

The transition from sysklogd to rsyslog in Wheezy often causes configuration conflicts. Examine these key areas:

# Check for competing logging daemons (brackets keep grep from matching itself)
ps aux | grep -E '[s]yslog|[k]log'

# Verify rsyslog configuration (show only active, non-comment lines)
ls -la /etc/rsyslog.*
grep -Ev '^(#|$)' /etc/rsyslog.conf

Squeeze's legacy configurations might not translate properly. Compare the old and new configs:

# Backup current config
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bak

# Generate fresh default config
sudo apt-get install --reinstall rsyslog
sudo cp /usr/share/rsyslog/rsyslog.conf /etc/

New security restrictions in Wheezy often block log access:

# Check file permissions
ls -la /var/log/

# Verify AppArmor profiles
sudo aa-status
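# AppArmor writes apparmor="DENIED" in upper case, so match case-insensitively;
# audit.log is present only when auditd is installed
sudo grep -i 'denied' /var/log/audit/audit.log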

If you're running Wheezy-backports with systemd, check for journald conflicts:

# Check journald configuration
journalctl --verify
cat /etc/systemd/journald.conf

Here's a comprehensive fix combining the most effective solutions:

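# Full remediation script
sudo apt-get update
sudo apt-get --reinstall install rsyslog
# -f: do not fail when the imjournal state file is absent
sudo rm -f /var/lib/rsyslog/imjournal.state
sudo chmod 640 /var/log/{syslog,auth.log,kern.log}
# Debian's default rsyslog.conf sets $FileOwner root and $FileGroup adm;
# syslog:adm is the Ubuntu layout
sudo chown root:adm /var/log/{syslog,auth.log,kern.log}
# Restart last so rsyslog reopens the files with the corrected ownership;
# "service" works under sysvinit (Wheezy's default) and under systemd
sudo service rsyslog restart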

For persistent issues, consider creating a custom rsyslog rule:

# /etc/rsyslog.d/50-default.conf addition
auth,authpriv.* /var/log/auth.log
kern.* /var/log/kern.log
*.info;mail.none;authpriv.none;cron.none /var/log/syslog
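
The module-loading and rule checks described above can be done statically before restarting the daemon. The following is an added example, not part of the original article or of rsyslog itself: the function name `check_rsyslog_conf` and its output strings are hypothetical. It also accepts the newer `module(load="...")` syntax in addition to the `$ModLoad` form shown on this page.

```shell
#!/bin/sh
# Added example: static check of rsyslog config files for the items this page
# lists (imuxsock/imklog loaded, rules writing auth.log, kern.log and syslog).
# Usage: check_rsyslog_conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# Prints one line per finding; returns the number of findings (0 = all present).

check_rsyslog_conf() {
    problems=0
    # Strip comments and trailing whitespace, then drop blank lines, so a
    # commented-out "$ModLoad" or rule is not counted as active.
    active=$(cat "$@" 2>/dev/null |
        sed -e 's/#.*$//' -e 's/[[:space:]]*$//' | grep -v '^$')

    # Input modules: legacy "$ModLoad name" or RainerScript module(load="name").
    for mod in imuxsock imklog; do
        if ! printf '%s\n' "$active" |
            grep -Eq "^[[:space:]]*(\\\$ModLoad[[:space:]]+$mod|module\(load=\"$mod\")"; then
            echo "MISSING module: $mod"
            problems=$((problems + 1))
        fi
    done

    # Rules: some selector must write to each log file named on the page.
    # A leading "-" (asynchronous write) before the path is accepted.
    for target in /var/log/auth.log /var/log/kern.log /var/log/syslog; do
        if ! printf '%s\n' "$active" |
            grep -Eq "^[^[:space:]]+[[:space:]]+-?$target\$"; then
            echo "MISSING rule for: $target"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A non-zero return on a host where `auth.log` has gone quiet means authentication events are not being recorded, so resolve the findings before relying on the logs for review.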