It seems that some of the system log files (/var/log/syslog, /var/log/auth.log, /var/log/kern.log, ...) have been removed in the latest version of Debian, Debian Bookworm. What should be done to access these logs? Has the way they are stored and viewed changed?
2 Answers
In Debian 12, the traditional syslog system has been replaced with systemd-journald. This means that the old log files like syslog, messages, auth.log are no longer used. Instead, all system logs are now stored in a centralized journal, which is accessible using the journalctl command.
To view the system logs, you can use the following command:
journalctl
This will display all of the logs in the journal. You can also filter the logs by using options like -p (priority) and -u (unit). For example, to view only the logs from the syslog unit, you would use the following command:
journalctl -u syslog
You can also specify a start and end time for the logs you want to view. For example, to view the logs from the past hour, you would use the following command:
journalctl --since "1 hour ago"
You can also install rsyslog and then enable the logs again, by modifying the rsyslog configuration.
When you install the rsyslog package using apt-get, there is already a default configuration in place for the log files you require.
This is what's in my /etc/rsyslog.conf, and I didn't change anything:
auth,authpriv.* /var/log/auth.log
cron.* -/var/log/cron.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Emergencies are sent to everybody logged in.
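
The selector lines in the rsyslog.conf excerpt above can also be read straight from the journal without installing rsyslog. As an added example (not code from either answer), this POSIX shell sketch translates one simple selector line into a journalctl invocation that matches on the journal's SYSLOG_FACILITY field. The function names are hypothetical, and compound selectors (";", "=", "!", ".none") are rejected rather than translated.

```shell
#!/bin/sh
# Added example: turn one simple rsyslog selector line into a journalctl query.

# Syslog facility names -> numeric codes, as stored in the journal's
# SYSLOG_FACILITY field.
facility_code() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $((16 + ${1#local})) ;;
        *) return 1 ;;
    esac
}

# $1 = "facility[,facility...].priority action"; prints the journalctl command.
# Returns 2 for syntax this sketch does not handle (";", "=", "!", ".none").
selector_to_journalctl() {
    selector=$(printf '%s\n' "$1" | awk '{print $1}')   # drop the action column
    case "$selector" in
        *\;*|*=*|*!*|*.none|*.*.*) return 2 ;;
        *.*) ;;
        *) return 2 ;;
    esac
    facilities=${selector%.*}
    priority=${selector#*.}
    case "$priority" in
        '*') args="" ;;                      # every priority
        warn) args=" -p warning" ;;          # rsyslog aliases -> journalctl names
        error) args=" -p err" ;;
        panic) args=" -p emerg" ;;
        emerg|alert|crit|err|warning|notice|info|debug) args=" -p $priority" ;;
        *) return 2 ;;
    esac
    matches=""
    if [ "$facilities" != "*" ]; then
        old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
        for f in $facilities; do
            code=$(facility_code "$f") || { IFS=$old_ifs; set +f; return 2; }
            # Repeated matches on the same field are ORed by journalctl.
            matches="$matches SYSLOG_FACILITY=$code"
        done
        IFS=$old_ifs; set +f
    fi
    echo "journalctl$args$matches"
}

# Constructed input: two of the selector lines quoted in the answer above.
selector_to_journalctl 'auth,authpriv.* /var/log/auth.log'
selector_to_journalctl 'kern.* -/var/log/kern.log'
```

Both rsyslog's "facility.priority" form and journalctl -p select the named priority and everything more severe, so a line such as cron.warn maps to -p warning plus the cron facility match.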