Tailscale: Dedicated Log Files for Linux
Status: Work in Progress – Feature complete and validated locally on several systems.
Upstream PR to tailscale/tailscale not yet submitted. This page will be updated when the issue and PR are filed.
The Problem
On Windows, the Tailscale client ships with native file-based logging out of
the box. On Debian and Ubuntu Linux – among the most widely deployed server
platforms in the world – tailscaled logs only to systemd’s journal.
That means:
On a Linux desktop or Linux admin workstation,
/var/log/syslogis a constant stream of USB events, Bluetooth, power management, and hardware noise – finding a tailscaled connectivity event in that environment means grepping through thousands of unrelated linesViewing logs requires
journalctland typically elevated privilegesStandard log aggregation pipelines (ELK, Splunk, Datadog, Graylog, etc.) cannot consume the logs without extra configuration
None of this is a theoretical concern. It is what actually happens when you
run tailscaled on a Linux Desktop/Laptop, or a headless Ubuntu server
in a production environment and something goes wrong at 2am.
There is also a silent failure possibility:
without proper ownership enforcement,
package upgrades can reset log directory permissions to root:root.
Since rsyslog typically runs as the syslog user, it loses write access and silently stops
logging – with no visible error anywhere.
The Solution
A small set of files that integrate with infrastructure already present on every recent Debian and Ubuntu system:
40-tailscaled.conf (rsyslog)
Filters log lines by programname == "tailscaled" and routes them to a
dedicated /var/log/tailscaled/tailscaled.log. Stops duplication in
/var/log/syslog.
journald drop-in (systemd)
Enables ForwardToSyslog for tailscaled without touching the system-wide
journald configuration.
tailscaled.logrotate
Daily rotation, 35-day retention. The create directive enforces
syslog:adm 0640 on every rotation, making the setup resilient across
package upgrades and the permission-reset bug.
postinstall script updates
Sets up the log directory with correct ownership on package install and
upgrade.
Key data points:
- No modifications to the
tailscaledbinary itself. - No new dependencies.
- No impact on non-Debian platforms.
Validation
The feature has been tested and confirmed working across four systems:
| Host | OS | Architecture | Notes |
|---|---|---|---|
| pc-host | Linux Mint 22.2 / Ubuntu 24.04 | x86_64 | 35 rotated logs verified, Dec 2025 – Feb 2026 |
| rockpro64-01 | Armbian 25 / Ubuntu 24.04 | aarch64 | ARM SBC with zram-based /var/log – extra sync timer required |
| system1 | Ubuntu 24.04 LTS server | x86_64 | Updated from old config, permissions and rotation verified |
| system2 | Ubuntu 24.04 LTS server | x86_64 | Found in broken state (ownership-reset bug in the wild), repaired and verified |
The system2 case is notable: it arrived with the log directory owned by
messagebus:adm – likely a side-effect of a package upgrade – which had
silently broken rsyslog’s ability to write logs. This is exactly the failure
mode the create directive in logrotate is designed to prevent.
The ARM case (Armbian on RockPro64) adds complexity because Armbian mounts
/var/log on compressed RAM (zram) to reduce flash write wear. Logs live
in RAM and are periodically synced to a persistent HDD-backed path. This
requires a custom systemd timer (sync 5 minutes after boot, then every
3 hours) to prevent log loss on power cuts. This Armbian-specific handling
is tracked separately and is not part of the upstream PR scope.
Why This Matters for a ~$160M Company
Windows ships with file logging. Linux does not. This is a gap that has
existed in the official Tailscale Debian/Ubuntu package for years.
It is the kind of thing that most likely gets missed when most of the
team is running macOS or Windows workstations rather than Linux Desktops
or headless Ubuntu servers in production.