-1

As far as I can tell, syslogd in its default configuration throws away all log data on reboot. I have observed this data on Raspbian (Debian Linux-based) and on OPNsense (FreeBSD-based).

From my point of view, this behavior is undesirable. If the system becomes unresponsive and the only way out is to reboot it, or if the system were to reboot on its own for whatever reason, I would want to know what happened just before the reboot. If syslogd clears the log on boot, that is a bummer (and while I wonder what valid use case there would be to do that, it is not the point of my question.)

There is one similar question, How to get syslogd/klogd to append to syslog after reboot instead of overwriting?, but here the issue turned out to be unrelated to syslog.

So, how can I tell syslogd to preserve log data across reboots?

EDIT: Turns out I was already making too many assumptions. The question really should be: what prevents log data from being preserved across reboots? This has been observed when running journalctl on Raspbian and when viewing the main system log on OPNsense in the web GUI.

Improve this question
8
  • syslogd will write its buffers to the various destinations as soon as it receives the messages. If a system crashes hard between the time the message is received and when it is written to disk (or a networked destination), then you may lose data. Same situation if the system freezes and no processes, including syslogd, are able to do anything. There is certainly no mechanism for syslog to maintain its buffers between reboots.
    – doneal24
    Commented Apr 27 at 19:19
  • Granted, there may be some scenarios where data is lost, but that is not my point here: I am talking about scenarios where NOTHING is preserved across reboots: the first log entry is the first one after the reboot. How can I fix that?
    – user149408
    Commented Apr 27 at 19:22
  • 2
    Was /var/log/messages copied to /var/log/messages.1 or /var/log/messages-20240427 during the reboot? Replace messages with whatever filename you are looking for in /var/log. Were the contents of /var/log/messages available before the reboot?
    – doneal24
    Commented Apr 27 at 19:30
  • 1
    Normal distributions should certainly preserve syslog contents, but distributions specifically designed for SD-card/eMMC system disks (like Raspbian, don't know about OPNsense) may aggressively minimize system disk write operations to extend SD card/eMMC life. Such minimization might include sending normal syslogs to a RAM-based filesystem by default.
    – telcoM
    Commented Apr 27 at 19:41
  • 1
    @user149408 Use journalctl -b -1 -xe and journalctl --list-boots. Read man journalctl.
    – waltinator
    Commented Apr 27 at 21:28

1 Answer 1

Reset to default
0

Most Debian-based distributions these days use systemd, which has its own journald component for logging.

This article called systemd for Administrators, Part XVII (linked from the systemd web site) sheds some light on it: By default, systemd-journald stores log files in /var/log/journal if a directory of that name is present. Otherwise, journal data is not persisted but stored in a ring buffer in /run/log/journal. While I haven’t tested it out, my Debian system lacks the /var/log/journal directory while my Ubuntu system (which preserves log data across reboots) has it. Creating that directory should enable log persistence.

OPNsense, on the other hand, still seems to rely on System V init (run ps -ef on Linux, or ps jax on BSD, then examine PID 1 to find out). So all of this does not apply there.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .