Solution rsyslogd: action ‘action-6-builtin:omfile’ resumed (module ‘builtin:omfile’)

One day, on the same server running Ubuntu 20.04, I noticed a lot of messages in /var/log/syslog:

CRON[1835247]: (root) CMD (/bin/bash /usr/local/bin/fail2ban_banned_db unban_db)
rsyslogd: action 'action-6-builtin:omfile' resumed (module 'builtin:omfile') [v8.2001.0 try ]
rsyslogd: action 'action-6-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2001.0 try ]

Before the messages there was sometimes a line about running the fail2ban script, but sometimes there wasn’t, but there were unsuccessful attempts to connect to postfix, for example, which most likely also caused fail2ban by looking at the file permissions:

ls -lt /var/log

I saw that the /var/log/fail2ban.log file had an owner of root and a group of adm, and it and its archived versions were empty.

Looking at the /etc/rsyslog.conf configuration, I saw:

$FileOwner syslog
$FileGroup adm

So I changed the owner to syslog:

chown syslog /var/log/fail2ban.log

After I changed its owner to syslog, the above messages stopped appearing, and entries about IP address blocking were successfully added to the /var/log/fail2ban.log file.

Also in the file /etc/logrotate.d/fail2ban I changed the line:

create 640 root adm


create 640 syslog adm

So that after rotating the logs, a new file is created with the owner syslog.

Leave a comment

Leave a Reply