All right, I created a bug report with the details. https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/878857
Thanks for the help
Peter

On 20 October 2011 14:16, Rainer Gerhards <[email protected]> wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of Peter Horvath
>> Sent: Thursday, October 20, 2011 3:14 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Dynamic file names
>>
>> root 2722 1 0 12:19 ? 00:00:00 rsyslogd -c4
>> ubuntu 10.04 LTS default settings everywhere
>
> Even more puzzling. I suggest you ask on an Ubuntu list, and would appreciate
> if you could post the result here. The Ubuntu package was broken in various
> ways due to the way they dropped privileges but did not sync that with the
> rest of their packages. The one you use may have such defects (to the best of
> my knowledge they still have not solved all issues).
>
> Rainer
>>
>> On 20 October 2011 13:37, Rainer Gerhards <[email protected]>
>> wrote:
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:rsyslog-
>> >> [email protected]] On Behalf Of Peter Horvath
>> >> Sent: Thursday, October 20, 2011 2:18 PM
>> >> To: rsyslog-users
>> >> Subject: Re: [rsyslog] Dynamic file names
>> >>
>> >> Thank you, that makes it working however:
>> >>
>> >> This is the default settings
>> >> $FileOwner syslog
>> >> $FileGroup adm
>> >> $FileCreateMode 0640
>> >> $DirCreateMode 0755
>> >> $Umask 0022
>> >> $PrivDropToUser syslog
>> >> $PrivDropToGroup syslog
>> >>
>> >> If I comment out the privileges drop it is working. But if I just change the
>> >> already created files from
>> >> -rw-r----- 1 syslog syslog 0 2011-10-20 11:34 vhostname_access_log.20111020
>> >> -rw-r----- 1 syslog syslog 0 2011-10-20 11:34 vhostname_error_log.20111020
>> >>
>> >> to
>> >>
>> >> -rw-r----- 1 syslog adm 0 2011-10-20 11:34 vhostname_access_log.20111020
>> >> -rw-r----- 1 syslog adm 0 2011-10-20 11:34 vhostname_error_log.20111020
>> >>
>> >> instead of commenting out, it also starts working.
>> >
>> > Mhhh, this doesn't make much sense to me. The user should be able to open
>> > files for writing if it has permissions... and it looks like it has. Can you
>> > check if rsyslog actually runs under the syslog user?
>> >
>> > Rainer
>> >
>> >
>> >>
>> >>
>> >> On 20 October 2011 12:53, Rainer Gerhards <[email protected]>
>> >> wrote:
>> >> >> -----Original Message-----
>> >> >> From: [email protected] [mailto:rsyslog-
>> >> >> [email protected]] On Behalf Of Peter Horvath
>> >> >> Sent: Thursday, October 20, 2011 1:48 PM
>> >> >> To: rsyslog-users
>> >> >> Subject: Re: [rsyslog] Dynamic file names
>> >> >>
>> >> >> I continued to extend my config after I managed to solve this issue.
>> >> >>
>> >> >> Logs are coming in from localhost and remote host on TCP 514.
>> >> >>
>> >> >> Apaches send their logs to the syslog with the following config:
>> >> >>
>> >> >> ErrorLog "|/usr/bin/logger -p local6.warn -t httpd_error_vhostname"
>> >> >> CustomLog "|/usr/bin/logger -p local6.info -t httpd_access_vhostname" combined
>> >> >>
>> >> >> Added the following lines to rsyslog conf
>> >> >> $template ApacheLogFormat,"%msg:2:10000%\n"
>> >> >> $template local6error,"/var/log/%programname:13:50%_error_log.%$YEAR%%$MONTH%%$DAY%"
>> >> >> $template local6access,"/var/log/%programname:14:50%_access_log.%$YEAR%%$MONTH%%$DAY%"
>> >> >>
>> >> >> if $syslogfacility-text == 'local6' and $programname startswith 'httpd_error' then -?local6error;ApacheLogFormat
>> >> >> #& ~
>> >> >> if $syslogfacility-text == 'local6' and $programname startswith 'httpd_access' then -?local6access;ApacheLogFormat
>> >> >> #& ~
>> >> >>
>> >> >> I am getting this error message in syslog:
>> >> >> rsyslogd: Could not open dynamic file '/var/log/vhostname_access_log.20111020' - discarding message
>> >> >> rsyslogd: Could not open dynamic file '/var/log/vhostname_error_log.20111020' - discarding message
>> >> >>
>> >> >> I've already given /var/log to syslog user and the files are created perfectly
>> >> >> however it cannot write them for some reason.
>> >> >> I tried to open files in a different location and also same effect, files are
>> >> >> created but rsyslog tells me could not open.
>> >> >> Files are created with this mask.
>> >> >> -rw-r----- 1 syslog syslog 0 2011-10-20 11:34 vhostname_access_log.20111020
>> >> >> -rw-r----- 1 syslog syslog 0 2011-10-20 11:34 vhostname_error_log.20111020
>> >> >>
>> >> >> Am I missing something?
>> >> >>
>> >> >> Sorry if I am missing something obvious.
>> >> >
>> >> > I suggest to remove
>> >> >
>> >> > $PrivDropToUser syslog
>> >> > $PrivDropToGroup syslog
>> >> >
>> >> > from your config and retry. When it then works, we know for sure it is
>> >> > related to the permissions.
>> >> >
>> >> > Rainer
>> >> >>
>> >> >>
>> >> >> On 13 October 2011 11:47, Ryan Kelly <[email protected]> wrote:
>> >> >> >> I would like to get opinions about this:
>> >> >> >>
>> >> >> >> I have the following line in my rsyslog conf:
>> >> >> >> $template DynFile,"/var/log/syslog-%HOSTNAME%"
>> >> >> >> *.*;auth,authpriv.none ?DynFile
>> >> >> >>
>> >> >> >> And it is not working.
>> >> >> > At a glance it looks ok. Try invoking rsyslog with -N1 to see if it
>> >> >> > complains about your configuration.
>> >> >> >
>> >> >> >> After hours of different tries I realized if I remove
>> >> >> >> ;auth,authpriv.none it starts to work magically.
>> >> >> >> $template DynFile,"/var/log/syslog-%HOSTNAME%"
>> >> >> >> *.* ?DynFile
>> >> >> >>
>> >> >> >> However I had to touch the files manually because these error
>> >> >> >> messages appeared in the log:
>> >> >> >> rsyslogd: Could not open dynamic file '/var/log/syslog-XXX' -
>> >> >> >> discarding message
>> >> >> > The dynamic files aren't created when rsyslog starts, so it needs
>> >> >> > permission to write them after it drops permissions (the default
>> >> >> > configuration in Ubuntu). If you try to write the file to /var/log
>> >> >> > (which you are) you will get this error because /var/log is owned
>> >> >> > by root and syslog cannot write new files there. At our site we
>> >> >> > work around this by creating a new folder owned by syslog.
>> >> >> >
>> >> >> >> It is an Ubuntu 10.04 LTS with the repo install of rsyslog 4.2.0
>> >> >> > The important lines to note are these:
>> >> >> > $PrivDropToUser syslog
>> >> >> > $PrivDropToGroup syslog
>> >> >> >
>> >> >> > Which are why the file can't be created dynamically in /var/log.
>> >> >> >
>> >> >> >> Do you have any idea what the problem is with my original try and why
>> >> >> >> rsyslog cannot open logfiles?
>> >> >> >
>> >> >> > -Ryan Kelly
>> >> >> > _______________________________________________
>> >> >> > rsyslog mailing list
>> >> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> >> > http://www.rsyslog.com
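
Added example, not part of the thread and not rsyslog code: a small mode-bit model of the checks discussed above, applied to the directory and file ownerships quoted in the messages. The numeric uid/gid values and the root:root 0755 ownership of /var/log are constructed assumptions; `entry_from_path` is a hypothetical helper for reading the real values on a host.

```python
import os
import stat

def entry_from_path(path):
    """(mode, uid, gid) of a real path, for use on a live system."""
    st = os.stat(path)
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def allowed(entry, uid, gids, want):
    """POSIX mode-bit check; want is a mask of 4=r, 2=w, 1=x.
    Mode bits only: ACLs and MAC policy (AppArmor, SELinux) are not modelled."""
    if uid == 0:
        return True  # root bypasses mode bits for directory search and write
    mode, owner_uid, owner_gid = entry
    if uid == owner_uid:
        bits = (mode >> 6) & 7      # owner class wins, even if it grants less
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def diagnose(directory, existing_file, uid, gids):
    """Can uid/gids append to a dynafile? existing_file is None if absent."""
    if not allowed(directory, uid, gids, 1):
        return "cannot search directory"
    if existing_file is None:
        if allowed(directory, uid, gids, 3):
            return "can create"
        return "cannot create: directory not writable"
    if allowed(existing_file, uid, gids, 2):
        return "can append"
    return "cannot append: file not writable"

# Constructed sample ids; real values come from `id syslog` on the host.
SYSLOG_UID, SYSLOG_GID, ADM_GID = 101, 103, 4
VAR_LOG = (0o755, 0, 0)                        # assumed root:root, per the thread
DEDICATED = (0o755, SYSLOG_UID, ADM_GID)       # folder owned by syslog
FILE_SYSLOG = (0o640, SYSLOG_UID, SYSLOG_GID)  # -rw-r----- syslog syslog
FILE_ADM = (0o640, SYSLOG_UID, ADM_GID)        # -rw-r----- syslog adm

def scenarios():
    me = (SYSLOG_UID, {SYSLOG_GID})            # after $PrivDropToUser/Group
    return {
        "root creates in /var/log": diagnose(VAR_LOG, None, 0, {0}),
        "syslog creates in /var/log": diagnose(VAR_LOG, None, *me),
        "syslog creates in dedicated dir": diagnose(DEDICATED, None, *me),
        "syslog appends, group syslog": diagnose(VAR_LOG, FILE_SYSLOG, *me),
        "syslog appends, group adm": diagnose(VAR_LOG, FILE_ADM, *me),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The two append cases give the same verdict, so mode bits alone do not account for the difference seen after changing the group to adm, which matches Rainer's remark that the user appears to have permission.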

