Affected versions: Ubuntu 26.04 LTS

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Logs stop arriving at the centralized SIEM, reducing observability and incident response capability.

Environment & Reproduction

Seen after TLS cert changes, destination edits, or firewall updates.

logger 'rsyslog test message'

Root Cause Analysis

Forwarding action misconfiguration, blocked egress, or TLS validation failure prevents delivery.

Quick Triage

Check rsyslog service status, syntax validity, and output queue stats.

systemctl status rsyslog
rsyslogd -N1
journalctl -u rsyslog -n 80 --no-pager

Step-by-Step Diagnosis

Inspect forwarding config and test network path to collector endpoint.

grep -RnE '@@|omfwd' /etc/rsyslog.d /etc/rsyslog.conf
sudo ss -tpn | grep rsyslogd || true
nc -zv <collector-host> 6514

Figure: rsyslog forwarding queue backlog (illustrative mockup)
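
The grep in this step only shows matching lines. As an added example (not part of the original page), the shell function below extends it by extracting protocol, host, port and TLS mode for each forwarding rule, covering both legacy @@ syntax and action(type="omfwd") blocks. The sample config and its hostnames are constructed placeholders.

```shell
# list_forward_targets [FILE...]: print "proto host port tls|plain" for each
# forwarding rule in rsyslog config text (reads stdin when no file is given).
list_forward_targets() {
  awk '
    function param(s, key,    re, v) {   # value of key="..." in an action() block
      re = "[^a-z0-9_.]" key "[ \t]*=[ \t]*\"[^\"]*\""
      if (!match(tolower(s), re)) return ""
      v = substr(s, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
      return v
    }
    { sub(/[ \t]*#.*/, "") }             # drop comments
    # Legacy TLS switch applies to the @@ rules that follow it
    tolower($0) ~ /^\$actionsendstreamdrivermode[ \t]+[01]/ { legacy_tls = ($2 == 1) }
    # RainerScript action(...), possibly spread over several lines
    buf != "" || /action[ \t]*\(/ {
      buf = buf " " $0
      if ($0 !~ /\)/) next
      if (tolower(param(buf, "type")) == "omfwd") {
        port = param(buf, "port"); if (port == "") port = 514
        proto = tolower(param(buf, "protocol")); if (proto == "") proto = "udp"
        tls = (param(buf, "streamdrivermode") == "1") ? "tls" : "plain"
        print proto, param(buf, "target"), port, tls
      }
      buf = ""; next
    }
    # Legacy selector lines: "*.* @@host:port" is TCP, "*.* @host" is UDP
    match($0, /[ \t]@@?[^ \t@:]+(:[0-9]+)?[ \t]*$/) {
      t = substr($0, RSTART + 1); sub(/[ \t]+$/, "", t)
      proto = (t ~ /^@@/) ? "tcp" : "udp"
      sub(/^@+/, "", t)
      n = split(t, hp, ":")
      print proto, hp[1], (n > 1 ? hp[2] : 514), (proto == "tcp" && legacy_tls ? "tls" : "plain")
    }
  ' "$@"
}
# Constructed sample config (hostnames are placeholders, not from the page)
sample_config() {
  cat <<'EOF'
$ActionSendStreamDriverMode 1
*.* @@logs.example.internal:6514
auth.* @192.0.2.10
action(type="omfwd" target="siem.example.internal"
       port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" queue.type="LinkedList")
action(type="omfile" file="/var/log/local.log")
EOF
}
sample_config | list_forward_targets
```

Any row ending in plain is a rule that sends logs unencrypted; the tcp rows give the host and port pairs to pass to the nc check.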

Solution – Primary Fix

Correct forwarding target/TLS settings and restart rsyslog.

sudo cp -a /etc/rsyslog.d/60-forward.conf /etc/rsyslog.d/60-forward.conf.bak
sudoedit /etc/rsyslog.d/60-forward.conf
sudo rsyslogd -N1
sudo systemctl restart rsyslog
logger 'rsyslog forward validation'

Figure: Remote log forwarding restored (illustrative mockup)

Solution – Alternative Approaches

Use RELP for reliable forwarding in high-loss networks.

sudo apt install -y rsyslog-relp

Verification & Acceptance Criteria

Test messages arrive at collector and local queue backlog clears.

logger 'collector acceptance test'
journalctl -u rsyslog -n 40 --no-pager

Rollback Plan

Restore previous forwarding config and restart service.

sudo cp /etc/rsyslog.d/60-forward.conf.bak /etc/rsyslog.d/60-forward.conf
sudo systemctl restart rsyslog

Prevention & Hardening

Monitor forwarding queues and certificate expiry for logging pipelines.

Related Errors & Cross-Refs

Related to journald-only setups and missing rsyslog output modules.

References & Further Reading

rsyslog forwarding, TLS, and Ubuntu logging architecture docs.
