lfd on example.com SYSLOG Check Failed - Problem with logging.

[peterk]

Hello,

For the past few days I have been receiving emails with the following message:

Time: Sat Feb 25 20:17:35 2023 +0100
Error: Failed to detect code [Uzu5u0Wiuq8DgDhIZ0MP7H9xUNYs] in SYSLOG_LOG [var/log/messages]

SYSLOG may not be running correctly on server.example.com

The issue is strange because I have not done anything with the server recently.
I also noticed that the logger also does not save information in var/log/messages

When I perform the test nothing is saved in the log.

[root@gamma log]# logger -p auth.notice "test-log"
[root@gamma log]# grep "test-log" var/log/messages
[root@gamma log]#

I have tried several ways from the forum to solve the problem but nothing works.

 

[cPRex]

Hey there! This could be an issue with rsyslog, as outlined here:

https://support.cpanel.net/hc/en-us/articles/360059952274-System-logs-are-no-longer-being-written-to-nor-are-files-being-created

It looks like you've performed the first test in that article already, so can you try the stat portion to see if that helps?

 

[peterk]

Hello,

I tried this solution but unfortunately it does not work.
It looks like rsyslog is working but not saving any information.

The system is a new installation from two weeks ago, I did not make any changes to etc/rsyslog.conf or etc/systemd/journald.conf
All settings are default.

 

[peterk]

Hello,

I found the solution to my problem - maybe it will be useful to someone.
The problem was caused by the journal system, its files were corrupted, below is how I fixed it.

I verified the files by:
journalctl --verify

This is where the errors occurred.

Next rotate files:
journalctl --rotate

Then I delete the old entries:
journalctl --vacuum-time=1s

I then delete all files from the directory:
var/log/journal

Then delete the file:
var/lib/rsyslog/imjournal.state

(This file stores the rsyslog state for journal file reading)
The files will be restored after restarting the services.

Now you just need to restart the services:

systemctl restart systemd-journald.socket
systemctl restart systemd-journald
systemctl restart rsyslog

And everything is back to normal.

 

[cPRex]

I'm glad you were able to come up with a good workaround!