Debian 12 logs “tail -f /var/log/syslog” are no longer available, the reason is that rsyslog was replaced by journald “journalctl”. It is the change with which the logging system from rsyslog with the traditional log files was replaced by systemd-journald. rsyslog was first available with Debian 8 (Jessie).
With Debian 12 you will quickly notice that many log files are missing under /var/log, such as mail.log, kern.log or with ran tail -f /var/log/syslog, also other rsyslog logs cannot be found either.
tail: cannot open '/var/log/syslog' for reading: No such file or directoryHow can the system logs be viewed? To do this, you use journalctl, which serves as a user frontend for systemd-journald.
How to use journalctl
Here are some example commands for using journalctl.
- journalctl: displays the entire system log.
- journalctl -f: follows the system log in real time,
similar totail -f /var/log/syslog - journalctl -b: displays the log for the last boot process.
- journalctl -u servicename: displays the log for a systemd service, e.g. journalctl -u apache2.service
- journalctl –since=yesterday: displays the log since yesterday.
journalctl offers many more options, help is available on the man page.
$ man journalctl
$ journalctl --helprsyslog on Debian 11 vs journald on Debian 12
What previously worked with rsyslog until Debian 11 with tail -f /var/log/syslog is now journalctl -ef under Debian 12.
Examples with journalctl
As before until Debian 11 using rsyslog with ran tail -f /var/log/mail.log is now comparable with “journalctl” in Debian 12.
$ journalctl -u postfix@-.service -fWhat was previously possible with ran tail -f /var/log/auth.log is now comparable to the “journalctl” command on Debian 12.
$ journalctl -f -u ssh.servicejournald stores log messages in binary format and manages them under /var/log/journal. Where journalctl -e shows the latest messages from the journal.
The rsyslog package is no longer needed on most systems and may be removable. If you want to use rsyslog and journald (journalctl) protocols, see the steps below.
Rsyslog in Debian 12
However, it is still possible to use the rsyslog package on Debian 12. After installation, rsyslog in Debian 12 works as usual.
$ sudo apt install rsyslogAfter installing rsyslog on Debian 12, syslog is started and is enabled to run at system startup by default.
$ systemctl status rsyslogNote that systemd-journald will continue to log if rsyslog is installed and enabled. Therefore, on Debian 12, the logs with rsyslog and systemd-journald end up being written to the hard drive twice. It may also be necessary to configure rsyslog in /etc/rsyslog.conf.
If you have upgraded your Debian 11 to Debian 12 (bookworm), you can find the rsyslog.conf file from Debian 11 (bullseye) here.
If you want to save storage space, you can deactivate systemd-journald logging. This can be achieved by deleting the log directory /var/log/journal, which prevents journald from continuing to persist logging.
Viewing logs using journalctl with multitail
One of the things we miss from syslogs is the ability to use multitail with color-highlighted log entries. But don’t despair, this is also possible, as the next examples using journalctl show.
Follow the postfix log in multitail scheme using journalctl on Debian.
$ multitail -cS postfix -l "journalctl -f -u postfix@-.service"Display log with apache scheme using journalctl in multitail on Debian.
$ multitail -cS apache -l "journalctl -f -u apache2.service"May you might view Debian rsyslog (syslog) using journalctl in multitail.
$ multitail -cS syslog -l "journalctl -f"
You might also be interested in the related post here.
Thank you! I will stay on Debian 11 and move to a non-systemd operating system (yes, they do exist)…