Rsyslog Error in Linux: Quick Fix for Logging Failure

What the rsyslog Error Means

An rsyslog error in Linux indicates a failure in the system logging daemon. This can manifest as:

• The rsyslog service is not running or crashes immediately after starting
• System messages are not being written to files (/var/log/syslog, /var/log/messages)
• Logs are either missing or contain only old entries
• The output of systemctl status rsyslog shows a failed or inactive state

A typical message in systemd logs:

● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2026-02-16 10:30:00 MSK; 1min 30s ago

Common Causes

1. Service not running — rsyslog is disabled or not enabled for autostart.
2. Configuration errors — syntax error in /etc/rsyslog.conf or files in /etc/rsyslog.d/.
3. Insufficient permissions — the syslog (or root) user cannot write to the /var/log directory.
4. Port conflict — another process is already using port 514 (UDP/TCP), which rsyslog requires.
5. Corrupted modules — broken or incompatible modules in /etc/rsyslog.d/ or /usr/lib/rsyslog/.
6. Insufficient disk space — the partition containing /var/log is 100% full.
7. SELinux/AppArmor issues — security policies are blocking writes.

Method 1: Check and Restart the Service

Most often, the problem is solved by simply restarting the service.

1. Check the current status:

systemctl status rsyslog

2. If the service is not active, try to start it:

sudo systemctl start rsyslog

3. Enable autostart (if not already enabled):

sudo systemctl enable rsyslog

4. After starting, verify the service is running:

systemctl is-active rsyslog && echo "Rsyslog is running" || echo "Rsyslog is not running"

5. Send a test message and ensure it appears in the logs:

logger "Test message from FixPedia"
tail -f /var/log/syslog | grep "Test message"

Method 2: Check Configuration Syntax

Incorrect syntax in configuration files is a frequent cause of rsyslog failures.

1. Validate the configuration without restarting:

sudo rsyslogd -N1

If the output contains error or invalid, it means there are issues.

2. Check the main configs:

# Main config
sudo rsyslogd -N1 -f /etc/rsyslog.conf

# All files in /etc/rsyslog.d/
for f in /etc/rsyslog.d/*.conf; do
  echo "Checking $f"
  sudo rsyslogd -N1 -f "$f" || echo "Error in $f"
done

3. If you find an error, fix the file. Common issues:
   • Extra or missing quotes
   • Incorrect directive syntax (e.g., *.* instead of *.*;)
   • Typos in module names (e.g., imtcp instead of imtcp)
4. After corrections, re-check the syntax and restart:

sudo systemctl restart rsyslog

Method 3: Check Permissions and Disk Space

Rsyslog must be able to write to the log directory.

1. Check permissions on /var/log:

ls -ld /var/log

Expected output: drwxr-xr-x with owner root. Log subdirectories should be writable by the syslog user.

2. Verify the syslog user exists:

id syslog

If the user is missing, reinstall the rsyslog package.

3. Check disk space:

df -h /var/log

If the partition is 100% full, clean up old logs or increase the partition size.

4. Check log file ownership:

ls -l /var/log/syslog /var/log/messages

The owner should be syslog or root. If not, correct it:

sudo chown syslog:adm /var/log/syslog
sudo chmod 640 /var/log/syslog

Method 4: Restore Default Configuration

If the configuration is severely corrupted, it's easier to restore the original files.

1. Debian/Ubuntu:

sudo apt-get install --reinstall rsyslog

This restores files from the package. The /etc/rsyslog.conf config will be replaced, but files in /etc/rsyslog.d/ will remain.

2. RHEL/CentOS/Fedora:

sudo yum reinstall rsyslog
# Or for newer versions:
sudo dnf reinstall rsyslog

3. After reinstalling, check the configuration (Method 2) and restart the service.
4. If you had custom settings, compare the new config with an old backup (if available) and migrate only the necessary changes.

Method 5: Diagnostics via journalctl

Systemd stores logs for all services, including rsyslog, even if it's not running.

1. View rsyslog logs directly:

sudo journalctl -u rsyslog --no-pager -n 50

2. Search for specific errors:

sudo journalctl -u rsyslog | grep -i "error\|failed\|invalid"

3. If rsyslog fails to start due to a module, you'll see something like:

rsyslogd: could not load module 'imtcp', errors: 1

In this case, check if the required module is installed:

dpkg -l | grep rsyslog   # Debian/Ubuntu
rpm -qa | grep rsyslog   # RHEL/CentOS

4. If the issue is port 514, check if it's already in use:

sudo ss -tulpn | grep :514

If the port is occupied by another process, stop it or change rsyslog's port in the config.

Prevention

To avoid recurring errors:

1. Test configurations before applying — always run rsyslogd -N1 after editing configs.
2. Make backups — save original configs: sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.backup.
3. Monitor logs — set up alerts for service failures (e.g., via systemd Restart=on-failure in the unit file).
4. Update cautiously — after updating rsyslog, check configuration compatibility (syntax may change).
5. Enable only necessary modules — don't load modules you don't use, especially experimental ones.
6. Regularly check disk space — ensure log rotation is configured via logrotate (usually enabled by default).