Package: rsyslog
Version: 8.1901.0-1
Severity: important

Dear Maintainer,

* What led up to the situation?

I created /etc/rsyslog.d/20-rulesets.conf with the following functional content.

ruleset(name="imudp"){
    auth,authpriv.*             action(type="omfile" dynaFile="AuthLog" template="MyMsgFormat")
    *.*;auth,authpriv.none      action(type="omfile" dynaFile="Syslog" template="MyMsgFormat")
    daemon.*                    action(type="omfile" dynaFile="DaemonLog" template="MyMsgFormat")
    kern.*                      action(type="omfile" dynaFile="KernLog" template="MyMsgFormat")
    mail.*                      action(type="omfile" dynaFile="MailLog" template="MyMsgFormat")
    user.*                      action(type="omfile" dynaFile="UserLog" template="MyMsgFormat")
    mail.info                   action(type="omfile" dynaFile="MailInfo" template="MyMsgFormat")
    mail.warn                   action(type="omfile" dynaFile="MailWarn" template="MyMsgFormat")
    mail.err                    action(type="omfile" dynaFile="MailError" template="MyMsgFormat")
    *.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     action(type="omfile" dynaFile="DebugLog" template="MyMsgFormat")
    *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          action(type="omfile" dynaFile="Messages" template="MyMsgFormat")
}
input(type="imudp" port="514" ruleset="imudp")

I created /etc/rsyslog.d/10-templates.conf with the following functional content.

template (name="AuthLog" type="string" string="/srv/syslog/%HOSTNAME%/auth.log")
template (name="DaemonLog" type="string" string="/srv/syslog/%HOSTNAME%/daemon.log")
template (name="DebugLog" type="string" string="/srv/syslog/%HOSTNAME%/debug.log")
template (name="KernLog" type="string" string="/srv/syslog/%HOSTNAME%/kern.log")
template (name="MailError" type="string" string="/srv/syslog/%HOSTNAME%/mail.error")
template (name="MailInfo" type="string" string="/srv/syslog/%HOSTNAME%/mail.info")
template (name="MailLog" type="string" string="/srv/syslog/%HOSTNAME%/mail.log")
template (name="MailWarn" type="string" string="/srv/syslog/%HOSTNAME%/mail.warn")
template (name="Messages" type="string" string="/srv/syslog/%HOSTNAME%/messages")
template (name="Syslog" type="string" string="/srv/syslog/%HOSTNAME%/syslog")
template (name="UserLog" type="string" string="/srv/syslog/%HOSTNAME%/user.log")
template (name="MyMsgFormat" type="string" string="%TIMESTAMP% %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" )

There were other configuration changes but I do not believe them relevant to this report. If requested I will attach all configuration files.

I restarted rsyslog.service to effect the configuration changes.

That worked as desired except some network device clients got /srv/syslog/<bare hostname> and some /srv/syslog/<IP address>.

To get /srv/syslog/<FQDN> as desired, /etc/rsyslog.d/10-templates.conf was changed, substituting %FROMHOST% for %HOSTNAME%.

I restarted rsyslog.service to effect the configuration changes.

* What was the outcome of this action?

That worked as desired until new (Debian) clients appeared. They got /srv/syslog/<IP address> directories.

* What outcome did you expect instead?

I expected them to get /srv/syslog/<FQDN> directories

* What workaround did you find?

After stopping and starting rsyslog.service (maybe restarting would have worked), when new clients sent messages they were written to /srv/syslog/<FQDN> directories

* Notes

If requested I will create a test case

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rsyslog depends on:
ii  init-system-helpers  1.56+nmu1
ii  libc6                2.28-10
ii  libestr0             0.1.10-2.1
ii  libfastjson4         0.99.8-2
ii  liblognorm5          2.0.5-1
ii  libsystemd0          241-7~deb10u4
ii  libuuid1             2.33.1-0.1
ii  lsb-base             10.2019051400
ii  zlib1g               1:1.2.11.dfsg-1

Versions of packages rsyslog recommends:
ii  logrotate  3.14.0-4

Versions of packages rsyslog suggests:
pn  rsyslog-doc                   <none>
pn  rsyslog-gnutls                <none>
pn  rsyslog-gssapi                <none>
pn  rsyslog-mongodb               <none>
pn  rsyslog-mysql | rsyslog-pgsql <none>
pn  rsyslog-relp                  <none>

-- Configuration Files:
/etc/logrotate.d/rsyslog changed:
/var/log/syslog
{
        compress
        daily
        dateext
        dateyesterday
        delaycompress
        missingok
        notifempty
        rotate 28
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        compress
        delaycompress
        missingok
        notifempty
        rotate 4
        sharedscripts
        weekly
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

/etc/rsyslog.conf changed:
module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none,cron.none        -/var/log/syslog
cron.*                          /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*

-- no debconf information
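
Added example, not part of the original report and not rsyslog code: a Python check that lists which message property each dynaFile path template is keyed on. This matters for a UDP collector because %HOSTNAME% is copied from the message text, %FROMHOST% depends on a reverse lookup at the receiver (falling back to the IP address), and %fromhost-ip% is the peer address. The sample config is a constructed subset of the report's files; the function name and trust labels are hypothetical.

```python
import re

# Constructed sample: a cut-down mix of the report's template and ruleset files.
SAMPLE = r'''
template (name="AuthLog" type="string" string="/srv/syslog/%HOSTNAME%/auth.log")
template (name="Syslog" type="string" string="/srv/syslog/%FROMHOST%/syslog")
template (name="KernLog" type="string" string="/srv/syslog/%fromhost-ip:::secpath-replace%/kern.log")
template (name="MyMsgFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")
ruleset(name="imudp"){
    auth,authpriv.*  action(type="omfile" dynaFile="AuthLog" template="MyMsgFormat")
    *.*              action(type="omfile" dynaFile="Syslog" template="MyMsgFormat")
    kern.*           action(type="omfile" dynaFile="KernLog" template="MyMsgFormat")
    user.*           action(type="omfile" dynaFile="UserLog" template="MyMsgFormat")
}
'''

# Where each property's value comes from on a network input (labels are this example's own).
TRUST = {
    "hostname": "sender-controlled",     # parsed out of the message text
    "fromhost": "dns-dependent",         # reverse lookup of the peer, else its IP
    "fromhost-ip": "receiver-observed",  # peer address of the datagram
}

TEMPLATE_RE = re.compile(r'template\s*\(\s*name="([^"]+)"[^)]*?string="([^"]*)"', re.I)
DYNAFILE_RE = re.compile(r'dynaFile="([^"]+)"', re.I)
PROPERTY_RE = re.compile(r'%([^%:]+)(:[^%]*)?%')


def audit_dynafile_paths(conf):
    """Return (template, property, trust, has_secpath) per property in a dynaFile path."""
    templates = dict(TEMPLATE_RE.findall(conf))
    findings = []
    for name in sorted(set(DYNAFILE_RE.findall(conf))):
        path = templates.get(name)
        if path is None:  # action refers to a template that is not defined
            findings.append((name, None, "undefined-template", False))
            continue
        for prop, opts in PROPERTY_RE.findall(path):
            trust = TRUST.get(prop.lower(), "other")
            findings.append((name, prop.lower(), trust, "secpath-" in opts.lower()))
    return findings


if __name__ == "__main__":
    for finding in audit_dynafile_paths(SAMPLE):
        print(finding)
```

Only templates referenced by a dynaFile parameter are reported, so message-format templates such as MyMsgFormat are ignored.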