As the title says, /var/log/auth.log stops recording authentication errors. It all began with me accidentally deleting it. Then I created it using the touch command and changed the owner:group to syslog:adm. I have had rsyslog installed. But it just does not record anything.

Any idea to fix it? The OS is Ubuntu Server 22.04.3 LTS. Thanks.

Asked By: zzzhhh


Have you restarted rsyslog or kill -HUPped it after recreating the file? You probably should.

In POSIX-compliant systems, deleting a file while some other process is using it will make the file inaccessible to new processes, but any process that already has the file open (like rsyslog in your case) will be able to keep using it as normal. The file deletion will be completed by the filesystem driver only after all the processes having the file open have either terminated or closed the file.

This behavior enables things like updating program binaries while they are in use: any processes started with the old version of the binary will keep using the old version until terminated, and new processes will start with the new version automatically.

The side effect is that any deleted-while-still-open files will keep using disk space until the files are closed (or the processes holding them open are ended). If a logfile that gets a lot of messages gets inadvertently deleted while still open, such a file can grow to an arbitrarily large size. You can see such deleted-while-still-open files with sudo lsof +L1.

Answered By: telcoM
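
The sequence described in the answer above (delete, touch, keep writing, then reopen), replayed as an added Python example that is not part of the original answer. The temporary path and the descriptor standing in for rsyslog are constructed for illustration; a link count of 0 on the held descriptor is the condition that lsof +L1 lists.

```python
import os
import tempfile


def deleted_log_demo():
    """Replay delete -> touch -> write -> reopen against a temporary file.

    The descriptor `fd` stands in for the logging daemon; the path is a
    constructed temp file, not the real /var/log/auth.log.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")

        # The "daemon" opens its log once and keeps the descriptor.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
        os.write(fd, b"before delete\n")
        old_inode = os.fstat(fd).st_ino

        # Accidental deletion, then recreation under the same name.
        os.unlink(path)
        open(path, "a").close()  # equivalent of `touch`
        new_inode = os.stat(path).st_ino

        # The daemon keeps writing through its old descriptor.
        os.write(fd, b"after delete\n")
        held = os.fstat(fd)
        result = {
            "same_inode": old_inode == new_inode,  # same name, different file
            "held_link_count": held.st_nlink,      # 0: no directory entry left
            "held_size": held.st_size,             # hidden file still grows
            "visible_size_before_reopen": os.stat(path).st_size,
        }

        # Close and reopen by path: writes now reach the recreated file.
        os.close(fd)
        fd = os.open(path, os.O_WRONLY | os.O_APPEND)
        os.write(fd, b"after reopen\n")
        os.close(fd)
        result["visible_size_after_reopen"] = os.stat(path).st_size
        return result


if __name__ == "__main__":
    for key, value in deleted_log_demo().items():
        print(f"{key}: {value}")
```

Until the reopen step, every write lands in the unlinked inode and the recreated file stays at 0 bytes, which matches the symptom in the question.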
