Rsyslog broken after Debian 9 upgrade

After a Debian 9 upgrade, the rsyslog package will not restart:

    vm293 ~ > journalctl -xe
-- Support: https://www.debian.org/support
-- 
-- L'unité (unit) rsyslog.service a terminé son arrêt.
sept. 26 18:37:08 vm293.jn-hebergement.com systemd[1]: Starting System Logging Service...
-- Subject: L'unité (unit) rsyslog.service a commencé à démarrer
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- L'unité (unit) rsyslog.service a commencé à démarrer.
sept. 26 18:37:08 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
sept. 26 18:37:08 vm293.jn-hebergement.com systemd[1]: Failed to start System Logging Service.
-- Subject: L'unité (unit) rsyslog.service a échoué
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- L'unité (unit) rsyslog.service a échoué, avec le résultat failed.
sept. 26 18:37:08 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Unit entered failed state.
sept. 26 18:37:08 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Failed with result 'exit-code'.
sept. 26 18:37:09 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
sept. 26 18:37:09 vm293.jn-hebergement.com systemd[1]: Stopped System Logging Service.
-- Subject: L'unité (unit) rsyslog.service a terminé son arrêt
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- L'unité (unit) rsyslog.service a terminé son arrêt.
...

Wouldn't there be a bit more detail in sudo journalctl -u rsyslog.service?
No more telling error traces at 18:37 in other logs (sudo zgrep "18\:37" /var/log/* 2>/dev/null)?
Because as it stands, that message is a bit terse to diagnose from.

Not really:

vm293 ~ > journalctl -u rsyslog.service
-- Logs begin at Tue 2019-09-24 18:56:46 CEST, end at Fri 2019-09-27 09:24:44 CEST. --
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Starting System Logging Service...
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Failed to start System Logging Service.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Unit entered failed state.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Failed with result 'exit-code'.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Stopped System Logging Service.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Starting System Logging Service...
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Failed to start System Logging Service.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Unit entered failed state.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Failed with result 'exit-code'.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Stopped System Logging Service.
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: Starting System Logging Service...
sept. 26 17:14:34 vm293.jn-hebergement.com systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
...

Same message repeated x times

For the other logs (nice trick, the zgrep on the time ;-):

vm293 ~ > sudo zgrep “18\:37” /var/log/* 2>/dev/null
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15128]: [uid:0 sid:15080 tty:/dev/pts/0 cwd:/root filename:/usr/bin/sudo]: sudo zgrep “18:37” /var/log/alternatives.log /var/log/alternatives.log.1 /var/log/alternatives.log.2.gz /var/log/apache2 /var/log/apt /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2.gz /var/log/auth.log.3.gz /var/log/auth.log.4.gz /var/log/btmp /var/log/btmp.1 /var/log/btmp.2.gz /var/log/btmp.3.gz /var/log/btmp.4.gz /var/log/clamav /var/log/cron.log /var/log/cron.log.1 /var/log/cron.log.2.gz /var/log/cron.log.3.gz /var/log/cron.log.4.gz /var/log/daemon.log /var/log/daemon.log.1 /var/log/daemon.log.2.gz /var/log/daemon.log.3.gz /var/log/daemon.log.4.gz /var/log/dbconfig-common /var/log/debug /var/log/debug.1 /var/log/debug.2.gz /var/log/dmesg /var/log/dpkg.log /var/log/dpkg.log.1 /var/log/fail2ban.log /var/log/fail2ban.log.1 /var/log/fail2ban.log.2.gz /var/log/fail2ban.log.3.gz /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.5.gz /var/log/fontconfig.log /var/log/fsck /var/log/installer /var/log/ispconfig /var/log/kern.log /var/log/kern.log.1 /var/log/kern.log.2.gz /var/log/kern.log.3.gz /var/lo
/var/log/auth.log:Sep 27 09:27:26 vm293 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/zgrep “18:37” /var/log/alternatives.log /var/log/alternatives.log.1 /var/log/alternatives.log.2.gz /var/log/apache2 /var/log/apt /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2.gz /var/log/auth.log.3.gz /var/log/auth.log.4.gz /var/log/btmp /var/log/btmp.1 /var/log/btmp.2.gz /var/log/btmp.3.gz /var/log/btmp.4.gz /var/log/clamav /var/log/cron.log /var/log/cron.log.1 /var/log/cron.log.2.gz /var/log/cron.log.3.gz /var/log/cron.log.4.gz /var/log/daemon.log /var/log/daemon.log.1 /var/log/daemon.log.2.gz /var/log/daemon.log.3.gz /var/log/daemon.log.4.gz /var/log/dbconfig-common /var/log/debug /var/log/debug.1 /var/log/debug.2.gz /var/log/dmesg /var/log/dpkg.log /var/log/dpkg.log.1 /var/log/fail2ban.log /var/log/fail2ban.log.1 /var/log/fail2ban.log.2.gz /var/log/fail2ban.log.3.gz /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.5.gz /var/log/fontconfig.log /var/log/fsck
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15129]: [uid:0 sid:15080 tty:/dev/pts/0 cwd:/root filename:/bin/zgrep]: zgrep “18:37” /var/log/alternatives.log /var/log/alternatives.log.1 /var/log/alternatives.log.2.gz /var/log/apache2 /var/log/apt /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2.gz /var/log/auth.log.3.gz /var/log/auth.log.4.gz /var/log/btmp /var/log/btmp.1 /var/log/btmp.2.gz /var/log/btmp.3.gz /var/log/btmp.4.gz /var/log/clamav /var/log/cron.log /var/log/cron.log.1 /var/log/cron.log.2.gz /var/log/cron.log.3.gz /var/log/cron.log.4.gz /var/log/daemon.log /var/log/daemon.log.1 /var/log/daemon.log.2.gz /var/log/daemon.log.3.gz /var/log/daemon.log.4.gz /var/log/dbconfig-common /var/log/debug /var/log/debug.1 /var/log/debug.2.gz /var/log/dmesg /var/log/dpkg.log /var/log/dpkg.log.1 /var/log/fail2ban.log /var/log/fail2ban.log.1 /var/log/fail2ban.log.2.gz /var/log/fail2ban.log.3.gz /var/log/fail2ban.log.4.gz /var/log/fail2ban.log.5.gz /var/log/fontconfig.log /var/log/fsck /var/log/installer /var/log/ispconfig /var/log/kern.log /var/log/kern.log.1 /var/log/kern.log.2.gz /var/log/kern.log.3.gz /var/log/ker
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15137]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15145]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15153]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15161]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15169]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
/var/log/auth.log:Sep 27 09:27:26 vm293 snoopy[15177]: [uid:0 sid:15080 tty:(none) cwd:/root filename:/bin/grep]: /bin/grep -- “18:37”
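
The snoopy and sudo records above show the pattern reaching grep as “18:37”, typographic quotes included, and the only hits are the records of the search command itself. The following added example (not part of any post in this thread) reproduces that effect on a constructed two-line log; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: why a grep pattern pasted with typographic quotes matches only itself.

# Constructed sample: one real event at 18:37 and the audit record of the search command.
sample_log() {
    cat <<'EOF'
Sep 26 18:37:08 vm293 systemd[1]: Failed to start System Logging Service.
Sep 27 09:27:26 vm293 sudo: root : COMMAND=/bin/zgrep “18:37” /var/log/auth.log
EOF
}

# Number of sample lines matching pattern $1 exactly as grep would receive it.
count_matches() {
    sample_log | grep -c -- "$1" || true
}

# True if $1 contains typographic quotes, which the shell does not treat as quoting.
has_typographic_quotes() {
    case "$1" in
        *“*|*”*|*‘*|*’*) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove those characters so the pattern is the bare text that was meant.
strip_typographic_quotes() {
    printf '%s' "$1" | sed -e 's/“//g' -e 's/”//g' -e 's/‘//g' -e 's/’//g'
}

# The shell drops the backslash in \: but keeps “ and ” as ordinary characters.
pasted=“18\:37”
echo "pattern as pasted: $(count_matches "$pasted") match(es)"
fixed=$(strip_typographic_quotes "$pasted")
echo "pattern after fix: $(count_matches "$fixed") match(es)"
```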

Maybe a configuration error. You need to look at /etc/rsyslog.conf and any files under /etc/rsyslog.d
This command, run as root, may also help:

rsyslogd -N 1

I don't have time to dig through it right now, but a search on that exact error turns up things to read.

Yes, but it's odd that it returns nothing; there should at least be yesterday's messages…
Unless you only keep the current day's log, that's a strange result.

vm293 ~ > rsyslogd -N 1
    rsyslogd: version 8.24.0, config validation run (level 1), master config /etc/rsyslog.conf
    rsyslogd: End of config validation run. Bye.

From what I've read, systemd waits a certain time before restarting a service.

On my machine

systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-09-27 09:30:07 CEST; 39min ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 619 (rsyslogd)
    Tasks: 4 (limit: 4287)
   Memory: 4.0M
   CGroup: /system.slice/rsyslog.service
           └─619 /usr/sbin/rsyslogd -n -iNONE

sept. 27 09:30:01 debian systemd[1]: Starting System Logging Service...
sept. 27 09:30:04 debian rsyslogd[619]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.1907.0]
sept. 27 09:30:04 debian rsyslogd[619]: [origin software="rsyslogd" swVe

and in the service

cat /lib/systemd/system/rsyslog.service
[Unit]
Description=System Logging Service
Requires=syslog.socket

You don't seem to have the socket

systemctl status syslog.socket
● syslog.socket - Syslog Socket
   Loaded: loaded (/lib/systemd/system/syslog.socket; static; vendor preset: disabled)
   Active: active (running) since Fri 2019-09-27 09:29:51 CEST; 42min ago
     Docs: man:systemd.special(7)
           https://www.freedesktop.org/wiki/Software/systemd/syslog
   Listen: /run/systemd/journal/syslog (Datagram)
    Tasks: 0 (limit: 4287)
   Memory: 0B
   CGroup: /system.slice/syslog.socket

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Correct:

vm293 ~ > systemctl status syslog.socket
● syslog.socket - Syslog Socket
   Loaded: loaded (/lib/systemd/system/syslog.socket; static; vendor preset: disabled)
   Active: failed (Result: service-start-limit-hit) since Fri 2019-09-27 09:55:35 CEST; 19min ago
     Docs: man:systemd.special(7)
           http://www.freedesktop.org/wiki/Software/systemd/syslog
   Listen: /run/systemd/journal/syslog (Datagram)

sept. 27 09:55:34 vm293.jn-hebergement.com systemd[1]: Listening on Syslog Socket.
sept. 27 09:55:35 vm293.jn-hebergement.com systemd[1]: syslog.socket: Unit entered failed state.

No point persisting with this topic; the problems raised in the other thread need to be resolved: systemd problem after Debian upgrade

In this case, the rsyslog package is not completely installed.
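
The checks used across this thread (package state, config validation, socket and service result, restart-loop count) gathered into one script, as an added example that no participant posted. The helper names `count_failures`, `pkg_state`, `unit_result` and `diagnose` are hypothetical and the sample journal text is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage for an rsyslog.service restart loop.

# Constructed sample, modelled on the journal lines quoted in the thread.
SAMPLE_JOURNAL='sept. 26 17:14:34 host systemd[1]: Starting System Logging Service...
sept. 26 17:14:34 host systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
sept. 26 17:14:34 host systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
sept. 26 17:14:34 host systemd[1]: Starting System Logging Service...
sept. 26 17:14:34 host systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE'

# Count failed starts of unit $1 in journal text read from stdin.
count_failures() {
    grep -c -F "$1: Main process exited, code=exited" || true
}

# Map dpkg's status abbreviation (dpkg-query ${db:Status-Abbrev}) to a verdict.
pkg_state() {
    case "$1" in
        "ii "|ii) echo installed ;;
        "")       echo missing ;;
        *)        echo incomplete ;;   # e.g. "iU " unpacked, "iF " half-configured
    esac
}

# Extract the value from "Result=..." as printed by `systemctl show -p Result UNIT`.
unit_result() {
    sed -n 's/^Result=//p'
}

# Live checks; run as root on the affected host. Not called automatically.
diagnose() {
    echo "package: $(pkg_state "$(dpkg-query -W -f='${db:Status-Abbrev}' rsyslog 2>/dev/null)")"
    dpkg --audit          # lists packages left unpacked or half-configured
    rsyslogd -N 1         # config validation, as run in the thread
    for u in syslog.socket rsyslog.service; do
        echo "$u: $(systemctl show -p Result "$u" | unit_result)"
    done
    echo "failed starts this boot: $(journalctl -u rsyslog.service -b --no-pager \
        | count_failures rsyslog.service)"
}
```

A socket result of `service-start-limit-hit`, as in the status output above, means the service it triggers kept failing; once the cause is fixed, `systemctl reset-failed syslog.socket rsyslog.service` clears that state before the units are started again.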