“/var/log/messages” log file missing in Linux Ubuntu Natty Narwhal (English post)


Hi there,
After a clean install of Linux Ubuntu 11.04 (Natty Narwhal) I realized that the log file /var/log/messages was missing. I also realized that it was a deliberate choice!
Ubuntu community’s (or Canonical’s) kernel guys took that decision (modifying the default rsyslog configuration file provided at install), saying that this change avoids logs being duplicated in two log files (/var/log/syslog and /var/log/messages).
Just to be frank, polite and clear… I totally disagree with this choice: as a matter of fact, you can have duplicated rows in both log files “syslog” and “messages”, but the purpose of these files is quite different, and I don’t find it correct to mix them up, for two reasons:

  1. /var/log/messages is not only a convention. It has become a standard for all *nix/Linux systems (no matter whether you run a server or a desktop-class distribution).
    The purpose of /var/log/syslog is to be the audit log, and it logs everything (such as cron/at jobs, “info” messages, and so on…)
    /var/log/messages is the usual place for warning messages from system applications, even non-kernel ones, and for (non-kernel) boot messages similar to the info reported by the ‘dmesg’ command. This is THE place to look if you feel that something is going wrong!
  2. All standard applications and programs (including out-of-the-box applications, third-party ones, etc.), monitoring programs, network monitors & SNMP frameworks (such as Hobbit/XyMon, Nagios, Zabbix, and so on) usually look for it in order to catch statuses and error conditions. Symlinking syslog to messages is not a solution, because those programs/daemons would parse millions of useless log lines in vain, degrading overall system performance.

Since I feel that neither Canonical nor the Ubuntu community can decide to change this important standard overnight (at least without discussing the change in a worldwide IT standards commission or something like that – see ISO, ANSI, etc.), here is how to make rsyslog write /var/log/messages again, as in the past:

  • edit the file /etc/rsyslog.d/50-default.conf (with “sudo vi /etc/rsyslog.d/50-default.conf” if you are logged in as a normal user)
  • Change the following paragraph:


#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages
….
 

  • to read the following:


#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

    (in other words, uncomment the lines under the text ‘Some “catch-all” log files.’ and keep the trailing backslashes, which continue each rule across several lines)

  • restart rsyslog with the following command:
        sudo restart rsyslog
  • Done! Now /var/log/messages will be written again.
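
The two catch-all selectors decide which messages reach /var/log/messages and /var/log/debug. The Python sketch below is an added example, not part of the original post and not rsyslog's own code: it assumes a simplified model of the traditional selector syntax (`=level`, `level`, `none`, `*`; the `!` negation is not handled) and runs a few constructed events through both rules.

```python
# Added illustration: simplified model of the traditional syslog selector syntax.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# The two rules the post uncomments, with the backslash continuations joined.
MESSAGES_RULE = ("*.=info;*.=notice;*.=warn;auth,authpriv.none;"
                 "cron,daemon.none;mail,news.none")
DEBUG_RULE = "*.=debug;auth,authpriv.none;news.none;mail.none"


def compile_selector(selector):
    """Return {facility: set of severities} accepted by the selector."""
    table = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        for fac in names:
            if prio == "none":            # a later "none" cancels earlier matches
                table[fac] = set()
            elif prio == "*":             # every severity
                table[fac] = set(SEVERITIES)
            elif prio.startswith("="):    # exactly this severity
                table[fac].add(ALIASES.get(prio[1:], prio[1:]))
            else:                         # this severity and anything more severe
                level = SEVERITIES.index(ALIASES.get(prio, prio))
                table[fac].update(SEVERITIES[:level + 1])
    return table


def matches(selector, facility, severity):
    """True if a message with this facility/severity is selected by the rule."""
    severity = ALIASES.get(severity, severity)
    return severity in compile_selector(selector)[facility]


if __name__ == "__main__":
    # Constructed sample events (facility, severity), not taken from a real log.
    for fac, sev in [("kern", "warning"), ("user", "info"), ("cron", "info"),
                     ("authpriv", "notice"), ("kern", "err"), ("user", "debug")]:
        dest = [name for name, rule in (("messages", MESSAGES_RULE),
                                        ("debug", DEBUG_RULE))
                if matches(rule, fac, sev)]
        print(f"{fac}.{sev:8} -> {dest or 'neither file'}")
```

Note that the messages rule selects only info, notice and warning: in this model a kern.err event is not written to /var/log/messages by this rule, so anything watching that file for errors needs a separate rule or a different file.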

Anyway, I hope that this annoying problem will be fixed in Oneiric (and this should nicely be a valid patch for natty-backports).

Yours faithfully,
Gabriele
http://www.gabrielezappi.net
GNU/Linux user #380098
