Enabling log files

The freshly installed Ubuntu 14.04 on my BeagleBone had another major problem: the logfiles did not work. Doing

ps -ef | grep sys

showed me that the program (daemon) that is responsible for logging, rsyslogd, was running, but when I looked into /var/log, the typical files (such as auth.log) were missing.

My rsyslog.d conf file looked fine, though. I then looked at the configuration of rsyslog. The command

sudo nano /etc/rsyslog.d/50-default.conf

gave me a config file that included the lines

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

The first line says: Log anything "auth" and "authpriv" related to /var/log/auth.log. The second line says: Log anything, except "auth" and "authpriv" related (the ".none" is supposed to match both "auth" and "authpriv", go figure...) to /var/log/syslog. The minus sign in the latter path tells it not to flush the write buffer or so - I don't know, and I don't care. The configuration looks fine.

So why was logging not working? Answer: Some file permissions were wrong. Doing

ls -la /var/log/

returned, among other lines:

drwxrwxr-x  5 root crontab     4096 Jan  1  1970

That didn't seem right. Although rsyslogd starts as "root:root", it quickly drops to the user/group "syslog:adm". That user and that group did not have write access to the log directory! So I changed the owner of the log directory:

sudo chown syslog:adm /var/log

and restarted the logging daemon

sudo service rsyslog restart

I tested whether it worked by logging something nonsensical.

logger hello
sudo nano /var/log/syslog

I saw that the line "hello" was logged, so everything seems to be working. The file /var/log/auth.log already contains evidence of roughly 1 failed login attempt per 10 seconds, a slightly higher-than-normal rate of hacking attempts.
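
The permission diagnosis above can be scripted so that a silently empty /var/log is caught before it matters. The following is an added example, not part of the original post; the function names are made up here, and the user "syslog" with groups "syslog adm" is an assumption based on the post and on Ubuntu's defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Ignores ACLs and root's override.

# can_write OWNER GROUP MODE USER "GROUPS"
# MODE is octal as printed by `stat -c %a` (e.g. 775). Returns 0 when USER
# may create files in the directory. As the kernel does, only the first
# matching class is consulted: owner, then group, then other.
can_write() {
    cw_owner=$1 cw_group=$2 cw_mode=$3 cw_user=$4 cw_groups=$5
    # Keep the three permission digits; drops setuid/setgid/sticky.
    cw_perms=$(printf '%03d' "$((cw_mode % 1000))")
    cw_rest=${cw_perms#?}
    cw_bits=${cw_rest#?}                      # default: "other" digit
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_bits=${cw_perms%??}                # owner digit
    else
        for cw_g in $cw_groups; do
            if [ "$cw_g" = "$cw_group" ]; then
                cw_bits=${cw_rest%?}          # group digit
            fi
        done
    fi
    [ "$((cw_bits & 2))" -ne 0 ]              # write bit set?
}

# check_logdir [DIR] [USER]: apply can_write to a live directory.
# Defaults are assumptions taken from the post: /var/log and user "syslog".
check_logdir() {
    cl_dir=${1:-/var/log} cl_user=${2:-syslog}
    cl_groups=$(id -Gn "$cl_user") || return 2
    set -- $(stat -c '%U %G %a' "$cl_dir")    # GNU stat: owner group mode
    if can_write "$1" "$2" "$3" "$cl_user" "$cl_groups"; then
        echo "OK: $cl_user can write to $cl_dir ($1:$2 $3)"
    else
        echo "FAIL: $cl_user cannot write to $cl_dir ($1:$2 $3)"
        return 1
    fi
}

# Run the live check only when called with arguments, e.g.:
#   sh check_logdir.sh /var/log syslog
if [ "$#" -gt 0 ]; then
    check_logdir "$@"
fi
```

With the ownership shown in the listing above (root:crontab, mode 775) the check fails for syslog; it passes after the chown, and also for Ubuntu's stock root:syslog 775 layout.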