Replace syslog-ng with rsyslog on Debian Jessie

If you use syslog-ng on Debian Jessie with systemd for whatever reason (rsyslog is the default) and finally want to change to rsyslog, you might run into the problem that after installing it you don’t see any logs arriving in /var/log/syslog. Unfortunately, restarting the logging system and other daemons won’t help, because the issue is that /dev/log, the device most daemons and software log to, changes from a normal device to a symlink somewhere in the systemd directory.

There are two ways to check whether you are affected by this issue. The first one is very easy: just run ls on the /dev/log device like this:

ls -l /dev/log

The output should show a symlink to /run/systemd/journal/dev-log; if not, chances are high that you are affected.

If you are at the very beginning of this problem or related problems, you might not have any idea to look at this device at all; then it is handy to use strace. Just pick a program you know logs to the logging system and attach to it with strace like this:

strace -p <PID>

Then just grep the output for log, which at some point will bring up a line like this:

connect(7, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = -1 ECONNREFUSED (Connection refused)

This would guide you to the log device quite fast. Fixing it is the easiest part. You can either reboot your machine or, if like me you have machines which cannot be restarted without a lot of effort, just replace the symlink manually or with a system like Puppet, Ansible or whatever you use.

rm /dev/log && ln -s /run/systemd/journal/dev-log /dev/log

This will fix the issue and logs will arrive at /var/log/syslog again.
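
The ls check and the symlink fix above, combined into an idempotent script that can be run by hand or pushed out by configuration management. This is an added example, not part of the original post; the function names devlog_state and devlog_fix and their optional path arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent check/repair of the /dev/log symlink.
# The optional path arguments exist only so the logic can be tried on a
# scratch directory before touching the real device.

EXPECTED_TARGET=/run/systemd/journal/dev-log

# Print one of: ok, wrong-target, not-symlink, missing
devlog_state() {
    dev=${1:-/dev/log}
    want=${2:-$EXPECTED_TARGET}
    if [ -L "$dev" ]; then
        if [ "$(readlink "$dev")" = "$want" ]; then
            echo ok
        else
            echo wrong-target
        fi
    elif [ -e "$dev" ]; then
        echo not-symlink    # e.g. a plain socket left by the old syslog daemon
    else
        echo missing
    fi
}

# Replace the link only when it is not already correct, and only if the
# target exists, so /dev/log is never pointed at nothing.
devlog_fix() {
    dev=${1:-/dev/log}
    want=${2:-$EXPECTED_TARGET}
    state=$(devlog_state "$dev" "$want")
    if [ "$state" = ok ]; then
        return 0
    fi
    if [ ! -e "$want" ]; then
        echo "refusing to relink $dev: $want does not exist" >&2
        return 1
    fi
    rm -f "$dev" && ln -s "$want" "$dev"
}

# Usage: script check | script fix   (no argument: define functions only)
case "${1:-}" in
    check) devlog_state ;;
    fix)   devlog_fix && devlog_state ;;
esac
```

Any state other than ok means local syslog messages are being dropped, so the check mode is also usable as a monitoring probe.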
