From 4ec481c584f16a6dff744770b41e67e8bf30afb5 Mon Sep 17 00:00:00 2001 From: majorlinux Date: Wed, 13 May 2026 10:36:00 -0400 Subject: [PATCH] wiki: add rsyslog requirement to migration checklist and logwatch docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fedora 44 Hetzner images ship without rsyslog — logwatch produces zero output because /var/log/messages doesn't exist. Added rsyslog to baseline table and new diagnostic section to logwatch article. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../cloud/vps-migration-baseline-checklist.md | 3 +- .../monitoring/logwatch-fleet-setup.md | 28 ++++++++++++++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/02-selfhosting/cloud/vps-migration-baseline-checklist.md b/02-selfhosting/cloud/vps-migration-baseline-checklist.md index 07dbe9d..3062d3e 100644 --- a/02-selfhosting/cloud/vps-migration-baseline-checklist.md +++ b/02-selfhosting/cloud/vps-migration-baseline-checklist.md @@ -10,7 +10,7 @@ tags: - checklist status: published created: 2026-05-09 -updated: 2026-05-11T07:33 +updated: 2026-05-13T10:35 --- # VPS Migration Baseline Checklist @@ -61,6 +61,7 @@ Every server in the fleet should have these. Check each one after migration: | SSH hardening | `openssh-server` | `openssh-server` | `configure_ssh_hardening.yml` | Key-only, no root password | | Timezone | — | — | — | US servers: `America/New_York`; UK: `Europe/London`. Hetzner defaults to UTC. | | CA bundle (Fedora) | `ca-certificates` | `ca-certificates` | — | Verify `/etc/pki/tls/certs/ca-bundle.crt` symlink exists — see [Fedora CA bundle fix](../../05-troubleshooting/security/fedora-ca-bundle-missing-symlink.md) | +| Syslog (Fedora) | `rsyslog` | — (pre-installed) | — | Fedora 44 Hetzner images have journald only. Logwatch needs `/var/log/messages` + `/var/log/secure`. | ### After Migration diff --git a/02-selfhosting/monitoring/logwatch-fleet-setup.md b/02-selfhosting/monitoring/logwatch-fleet-setup.md index 9eb0786..a1cd239 100644 --- a/02-selfhosting/monitoring/logwatch-fleet-setup.md +++ b/02-selfhosting/monitoring/logwatch-fleet-setup.md @@ -9,7 +9,7 @@ tags: - ubuntu status: published created: 2026-05-09 -updated: 2026-05-11T07:37 +updated: 2026-05-13T10:35 --- # Logwatch Fleet Setup — Surviving Package Upgrades @@ -117,6 +117,32 @@ dpkg -V logwatch # Debian # Look for S.5....T. on the defaults file — means it was replaced # S = size, 5 = md5, T = timestamp changed + +# Check if logwatch produces any output at all +logwatch --output stdout --range yesterday | wc -l +# If 0 lines — logwatch has no log data to report (see rsyslog section below) +``` + +## Fedora: rsyslog Missing — Logwatch Produces Zero Output + +Fedora 44 cloud images (Hetzner, possibly others) ship with **journald only** — no rsyslog. This means `/var/log/messages`, `/var/log/secure`, and `/var/log/cron` do not exist. Logwatch scans those files, finds nothing, produces empty output, and sends no email. Exit code is still 0 — no error anywhere. + +This is particularly insidious because everything else can be correct (crond running, postfix relaying, logwatch config pointing to the right recipient) and you'll still get silence. + +```bash +# Diagnose +rpm -q rsyslog # "package rsyslog is not installed" +ls /var/log/messages # "No such file or directory" + +# Fix +dnf install -y rsyslog +systemctl enable --now rsyslog + +# Verify log files appear +ls /var/log/messages /var/log/secure /var/log/cron + +# Test logwatch +logwatch --output stdout --range today | wc -l # should be >0 ``` ## Fedora CA Bundle Missing — Postfix TLS Engine Unavailable