Friday, 16 August 2013

Fix empty log files in Ubuntu

Today I was trying to configure a cron job, and when I tried to check whether the service was running I found that the syslog file /var/log/syslog was empty. Some time ago I fixed a similar problem with the /var/log/auth.log file not being owned by the user syslog, and after finding this other log file also empty I started suspecting that there was a problem with my server configuration. After a little searching this post came up, and it was clear to me what the problem was.

The problem
It seems that several log files on Ubuntu Server are owned by the user messagebus, but that user is not the right one. According to this documentation for dropping privileges in rsyslog, the following lines in the /etc/rsyslog.conf config file define the user and group that rsyslog switches to after startup:
$PrivDropToUser syslog
$PrivDropToGroup syslog
As you can see, the log files mentioned before should be owned by the syslog user.

The solution
As indicated here by Dan Ballard, first we need to list all the files that have the incorrect owner using:
ls -l /var/log/ | grep messagebus
The previous command shows this output:
-rw-r----- 1 messagebus adm        0 oct 22  2012 kern.log
-rw-r----- 1 messagebus adm        0 oct 22  2012 mail.err
-rw-r----- 1 messagebus adm        0 oct 22  2012 mail.log
-rw-r----- 1 messagebus adm        0 mar 13 06:26 syslog
-rw-r----- 1 messagebus adm        0 oct 22  2012 ufw.log
Finally, Mr. Ballard says that you just delete those files and restart syslog, but be careful with the rm command, OK?
Use something like this to delete your log files:
sudo rm -vi /var/log/syslog
And this to restart syslog:
sudo service rsyslog restart
In my case I prefer not to delete those files but just change their owner using:
sudo chown syslog:syslog /var/log/syslog
sudo chown syslog:syslog /var/log/kern.log
sudo chown syslog:syslog /var/log/mail.err
sudo chown syslog:syslog /var/log/mail.log
sudo chown syslog:syslog /var/log/ufw.log
WARNING: Don't try to change the owner of all files under /var/log, because some of them may need to be owned by another user.
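A read-only check for the mismatch described above, added here as an example and not taken from the original post or from Mr. Ballard: it reads the $PrivDropToUser value from an rsyslog config and reports only the log files you name whose owner differs, in line with the warning about not touching everything under /var/log. The function names and the scratch-directory sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and sample layout are illustrative.

# Print the user named by the legacy $PrivDropToUser directive in an rsyslog config.
privdrop_user() {
    awk '$1 == "$PrivDropToUser" { u = $2 } END { if (u != "") print u }' "$1"
}

# Print "owner path" for every listed file not owned by the expected user.
# Only the files named are checked, never the whole log directory.
mismatched_logs() {
    expected=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' -- "$f") || continue
        if [ "$owner" != "$expected" ]; then
            printf '%s %s\n' "$owner" "$f"
        fi
    done
}

# audit_logs CONF FILE...  -> 0 all owned correctly, 1 mismatch found, 2 no directive
audit_logs() {
    conf=$1; shift
    user=$(privdrop_user "$conf") || user=""
    if [ -z "$user" ]; then
        echo "no \$PrivDropToUser in $conf" >&2
        return 2
    fi
    bad=$(mismatched_logs "$user" "$@")
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | while read -r owner path; do
        echo "$path: owned by $owner, rsyslog runs as $user"
    done
    return 1
}

# Constructed sample: a scratch directory standing in for /etc and /var/log.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed config' '$PrivDropToUser syslog' \
        '$PrivDropToGroup syslog' > "$d/rsyslog.conf"
    : > "$d/syslog"; : > "$d/kern.log"
    echo "$d"
}
```

On a real server the call would be audit_logs /etc/rsyslog.conf /var/log/syslog /var/log/kern.log /var/log/mail.err /var/log/mail.log /var/log/ufw.log; it changes nothing, so the chown step stays a deliberate, per-file decision.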

Until next time.