Package: rsyslog
Version: 8.1901.0-1
Severity: important
Dear Maintainer,
* What led up to the situation?
I created /etc/rsyslog.d/20-rulesets.conf with the following functional
content.

ruleset(name="imudp"){
    auth,authpriv.* action(type="omfile" dynaFile="AuthLog"
        template="MyMsgFormat")
    *.*;auth,authpriv.none action(type="omfile" dynaFile="Syslog"
        template="MyMsgFormat")
    daemon.* action(type="omfile" dynaFile="DaemonLog"
        template="MyMsgFormat")
    kern.* action(type="omfile" dynaFile="KernLog"
        template="MyMsgFormat")
    mail.* action(type="omfile" dynaFile="MailLog"
        template="MyMsgFormat")
    user.* action(type="omfile" dynaFile="UserLog"
        template="MyMsgFormat")
    mail.info action(type="omfile" dynaFile="MailInfo"
        template="MyMsgFormat")
    mail.warn action(type="omfile" dynaFile="MailWarn"
        template="MyMsgFormat")
    mail.err action(type="omfile" dynaFile="MailError"
        template="MyMsgFormat")
    *.=debug;\
        auth,authpriv.none;\
        news.none;mail.none action(type="omfile" dynaFile="DebugLog"
        template="MyMsgFormat")
    *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none action(type="omfile" dynaFile="Messages"
        template="MyMsgFormat")
}

input(type="imudp" port="514" ruleset="imudp")

I created /etc/rsyslog.d/10-templates.conf with the following functional
content.

template (name="AuthLog" type="string"
    string="/srv/syslog/%HOSTNAME%/auth.log")
template (name="DaemonLog" type="string"
    string="/srv/syslog/%HOSTNAME%/daemon.log")
template (name="DebugLog" type="string"
    string="/srv/syslog/%HOSTNAME%/debug.log")
template (name="KernLog" type="string"
    string="/srv/syslog/%HOSTNAME%/kern.log")
template (name="MailError" type="string"
    string="/srv/syslog/%HOSTNAME%/mail.error")
template (name="MailInfo" type="string"
    string="/srv/syslog/%HOSTNAME%/mail.info")
template (name="MailLog" type="string"
    string="/srv/syslog/%HOSTNAME%/mail.log")
template (name="MailWarn" type="string"
    string="/srv/syslog/%HOSTNAME%/mail.warn")
template (name="Messages" type="string"
    string="/srv/syslog/%HOSTNAME%/messages")
template (name="Syslog" type="string"
    string="/srv/syslog/%HOSTNAME%/syslog")
template (name="UserLog" type="string"
    string="/srv/syslog/%HOSTNAME%/user.log")
template (name="MyMsgFormat" type="string"
    string="%TIMESTAMP% %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)

There were other configuration changes but I do not believe them relevant to
this report. If requested I will attach all configuration files.
I restarted rsyslog.service to effect the configuration changes.
That worked as desired except some network device clients got
/srv/syslog/<bare hostname> and some /srv/syslog/<IP address>.
To get /srv/syslog/<FQDN> as desired, /etc/rsyslog.d/10-templates.conf was
changed, substituting %FROMHOST% for %HOSTNAME%.
I restarted rsyslog.service to effect the configuration changes.
* What was the outcome of this action?
That worked as desired until new (Debian) clients appeared. They got
/srv/syslog/<IP address> directories.
* What outcome did you expect instead?
I expected them to get /srv/syslog/<FQDN> directories.
* What workaround did you find?
After stopping and starting rsyslog.service (maybe restarting would have
worked), when new clients sent messages they were written to /srv/syslog/<FQDN>
directories.
* Notes
If requested I will create a test case.
-- System Information:
Debian Release: 10.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rsyslog depends on:
ii init-system-helpers 1.56+nmu1
ii libc6 2.28-10
ii libestr0 0.1.10-2.1
ii libfastjson4 0.99.8-2
ii liblognorm5 2.0.5-1
ii libsystemd0 241-7~deb10u4
ii libuuid1 2.33.1-0.1
ii lsb-base 10.2019051400
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages rsyslog recommends:
ii logrotate 3.14.0-4
Versions of packages rsyslog suggests:
pn rsyslog-doc <none>
pn rsyslog-gnutls <none>
pn rsyslog-gssapi <none>
pn rsyslog-mongodb <none>
pn rsyslog-mysql | rsyslog-pgsql <none>
pn rsyslog-relp <none>
-- Configuration Files:
/etc/logrotate.d/rsyslog changed:
/var/log/syslog
{
        compress
        daily
        dateext
        dateyesterday
        delaycompress
        missingok
        notifempty
        rotate 28
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        compress
        delaycompress
        missingok
        notifempty
        rotate 4
        sharedscripts
        weekly
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

/etc/rsyslog.conf changed:
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none,cron.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
*.emerg :omusrmsg:*
-- no debconf information
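
Added example, not part of the original report: a shell check for the symptom described above, where per-host directories under the dynaFile log root are named by IP address or bare hostname instead of FQDN. The function names are hypothetical; /srv/syslog is the log root used in the report.

```shell
#!/bin/sh
# Classify the per-host directories that a dynaFile template such as
# /srv/syslog/%FROMHOST%/... creates, so misnamed ones can be found
# and their logs merged into the right host directory.

# classify_name NAME -> prints "ip", "bare" or "fqdn"
classify_name() {
    case "$1" in
        *:*) echo ip; return ;;   # IPv6 literal (contains a colon)
    esac
    # IPv4 literal: four dot-separated decimal groups
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo ip
    elif printf '%s\n' "$1" | grep -q '\.'; then
        echo fqdn                 # has a dot and is not an address
    else
        echo bare                 # no domain part
    fi
}

# scan_root DIR -> one "kind name" line per subdirectory, sorted by kind
scan_root() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue   # unmatched glob or non-directory
        name=$(basename "$d")
        printf '%s %s\n' "$(classify_name "$name")" "$name"
    done | sort
}

# count_kind DIR KIND -> number of subdirectories of that kind
count_kind() {
    scan_root "$1" | grep -c "^$2 " || true
}

# Stand-alone use: sh check-hostdirs.sh /srv/syslog
[ "$#" -eq 0 ] || scan_root "$1"
```

A non-zero `count_kind /srv/syslog ip` after new clients start sending is the condition the report describes, and it can be checked from cron so that split host logs are noticed early.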