I'm trying out the rsyslog 7.3.6-0adiscon1 package installed from the
http://ubuntu.adiscon.com/v7-devel/ repository, and I seem to be running
into strange behavior in the processing order for actions and filters
defined in "included" configuration files.

Specifically, the rsyslog.conf file has the standard Ubuntu
  $IncludeConfig /etc/rsyslog.d/*.conf
line at the end, and in /etc/rsyslog.d/ I have three files:
  10-pincup.conf  20-ufw.conf  50-default.conf

The last two of those are unchanged from the default versions
distributed by Ubuntu, while the first one contains my local rules for
this particular system.

In that file I save log messages from various network sources to various
custom files, then I end with the line

:source, !isequal, "pincup" ~

so that the only log messages processed by the two default config files
are those from the local host.  

This configuration worked fine with Ubuntu's standard rsyslog 5.8.x...
but when I installed the 7.3.6 package, my standard system log files
suddenly started getting log messages from other systems, as if the "~"
discard action was being ignored....

After some investigation (including switching from ~ to STOP, and
from a property-based filter to a ReinerScript filter, etc.), I
discovered that the issue seems to be that the rules from each
newly-parsed config file are added to the top of the ruleset list,
rather than the bottom.  (So the rules show up in the expected order
within each config file, but the "blocks" of rules appear in the wrong
order.)

For example, here's a bit of the "rsyslog -d" output from my system:

0871.732383545:b776c700: requested to include config file 
'/etc/rsyslog.d/10-pincup.conf'
0871.732517955:b776c700: requested to include config file 
'/etc/rsyslog.d/20-ufw.conf'
0871.732591505:b776c700: requested to include config file 
'/etc/rsyslog.d/50-default.conf'
[...]
0917.503497866:b772c700: All Rulesets:
0917.503566448:b772c700: ruleset 0x9a46c38: rsyslog ruleset 
RSYSLOG_DefaultRuleset:
  *** these come from 50-default.conf ***
0917.503588349:b772c700: PRIFILT 'auth,authpriv.*'
0917.503606801:b772c700: pmask:  X  X  X  X FF  X  X  X  X  X FF  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.504087996:b772c700:   ACTION 0x9a57e80 [/var/log/auth.log]
0917.504160952:b772c700: END PRIFILT
0917.504179909:b772c700: PRIFILT '*.*;auth,authpriv.none'
0917.504244081:b772c700: pmask: FF FF FF FF  X FF FF FF FF FF  X FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF 
0917.504781962:b772c700:   ACTION 0x9a582b8 [-/var/log/syslog]
0917.504858269:b772c700: END PRIFILT
0917.504878792:b772c700: PRIFILT 'kern.*'
0917.504897311:b772c700: pmask: FF  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.505411512:b772c700:   ACTION 0x9a587a0 [-/var/log/kern.log]
0917.505445613:b772c700: END PRIFILT
0917.505508860:b772c700: PRIFILT 'mail.*'
0917.505528919:b772c700: pmask:  X  X FF  X  X  X  X  X  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.506016978:b772c700:   ACTION 0x9a58ca0 [-/var/log/mail.log]
0917.506051202:b772c700: END PRIFILT
0917.506115618:b772c700: PRIFILT 'mail.err'
0917.506135490:b772c700: pmask:  X  X  F  X  X  X  X  X  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.506613033:b772c700:   ACTION 0x9a591d0 [/var/log/mail.err]
0917.506686193:b772c700: END PRIFILT
0917.506705701:b772c700: PRIFILT 'news.crit'
0917.506769364:b772c700: pmask:  X  X  X  X  X  X  X  7  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.507247537:b772c700:   ACTION 0x9a596e0 [/var/log/news/news.crit]
0917.507278045:b772c700: END PRIFILT
0917.507341301:b772c700: PRIFILT 'news.err'
0917.507360987:b772c700: pmask:  X  X  X  X  X  X  X  F  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.507835800:b772c700:   ACTION 0x9a59bf0 [/var/log/news/news.err]
0917.507908215:b772c700: END PRIFILT
0917.507927939:b772c700: PRIFILT 'news.notice'
0917.507993929:b772c700: pmask:  X  X  X  X  X  X  X 3F  X  X  X  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.508473744:b772c700:   ACTION 0x9a5a100 [-/var/log/news/news.notice]
0917.508504482:b772c700: END PRIFILT
0917.508568785:b772c700: PRIFILT '*.emerg'
0917.508588513:b772c700: pmask:  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1 
 1  1  1  1  1  1  1  1  1 
0917.509072048:b772c700:   ACTION 0x9a5a620 [:omusrmsg:*]
0917.509144156:b772c700: END PRIFILT
0917.509163584:b772c700: PRIFILT 
'daemon.*;mail.*;news.err;*.=debug;*.=info;*.=notice;*.=warn'
0917.509229145:b772c700: pmask: F0 F0 FF FF F0 F0 F0 FF F0 F0 F0 F0 F0 F0 F0 F0 
F0 F0 F0 F0 F0 F0 F0 F0 F0 
0917.509763098:b772c700:   ACTION 0x9a5acb0 [|/dev/xconsole]
0917.509796988:b772c700: END PRIFILT
  *** this one comes from 20-ufw.conf ***
0917.509857243:b772c700: PROPFILT
0917.509881378:b772c700:        Property.: 'msg'
0917.509910985:b772c700:        Operation: 'contains'
0917.509996944:b772c700:        Value....: '[UFW '
0917.510065328:b772c700: THEN
0917.510087874:b772c700:   ACTION 0x9a56e80 [/var/log/ufw.log]
0917.510117419:b772c700: END PROPFILT
  *** the rest come from 10-pincup.conf ***
0917.510182153:b772c700: PRIFILT 'auth,authpriv.*'
0917.510202050:b772c700: pmask:  X  X  X  X FF  X  X  X  X  X FF  X  X  X  X  X 
 X  X  X  X  X  X  X  X  X 
0917.510678269:b772c700:   ACTION 0x9a5da00 
[?CombinedAuthFilename;SimpleRsyslogFileFormat]
0917.510750621:b772c700:   ACTION 0x9a5e078 
[?CombinedExpandedAuthFilename;ExpandedRsyslogFileFormat]
0917.510824398:b772c700: END PRIFILT
0917.510847551:b772c700: PRIFILT '*.*;auth,authpriv.none'
0917.510866533:b772c700: pmask: FF FF FF FF  X FF FF FF FF FF  X FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF 
0917.511351709:b772c700:   ACTION 0x9a5e6f0 
[?ByHostSyslogFilename;SimpleRsyslogFileFormat]
0917.511424855:b772c700:   ACTION 0x9a5ed68 
[?ByHostExpandedSyslogFilename;ExpandedRsyslogFileFormat]
0917.511502152:b772c700:   ACTION 0x9a5f3b0 
[?CombinedSyslogFilename;SimpleRsyslogFileFormat]
0917.511533532:b772c700:   ACTION 0x9a5fa08 
[?CombinedExpandedSyslogFilename;ExpandedRsyslogFileFormat]
0917.511658793:b772c700: END PRIFILT
0917.511694980:b772c700: IF
0917.511714814:b772c700:     var '$fromhost'
0917.511753598:b772c700:   !=
0917.511796742:b772c700:     string 'pincup'
0917.511910577:b772c700: THEN
0917.511968390:b772c700:   STOP
0917.512001057:b772c700: END IF
0917.512020345:b772c700: ruleset 0x9a46c38: ruleset RSYSLOG_DefaultRuleset 
assigned parser list:
0917.512089751:b772c700: End of Rulesets.


(The ruleset is also listed out twice during the "optimization phase",
but the order is the same there as shown in the above lines.)


Has anyone else noticed this problem?   (I did search around for any
previous discussion of the topic, but wasn't able to find anything....)

Thanks.

                                                        Nathan

----------------------------------------------------------------------------
Nathan Stratton Treadway  -  [email protected]  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
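
Added example (not part of the original post and not rsyslog project code): a Python check that reads the "All Rulesets" section of "rsyslogd -d" output in the format shown above and reports which guarded log files are reached before the first STOP, which is the condition that lets remote messages land in the local system logs. The function names and the `guarded` set are assumptions of this example; the sample is abbreviated from the dump in the post.

```python
import re

# Abbreviated from the "rsyslogd -d" dump in the post; one mail-wrapped line kept on purpose.
SAMPLE = """\
0917.503497866:b772c700: All Rulesets:
0917.503588349:b772c700: PRIFILT 'auth,authpriv.*'
0917.504087996:b772c700:   ACTION 0x9a57e80 [/var/log/auth.log]
0917.510087874:b772c700:   ACTION 0x9a56e80 [/var/log/ufw.log]
0917.510182153:b772c700: PRIFILT 'auth,authpriv.*'
0917.510678269:b772c700:   ACTION 0x9a5da00
[?CombinedAuthFilename;SimpleRsyslogFileFormat]
0917.511694980:b772c700: IF
0917.511968390:b772c700:   STOP
0917.512089751:b772c700: End of Rulesets.
"""

PREFIX = re.compile(r"^\d+\.\d+:[0-9a-f]+: ?")      # "timestamp:thread-id: " debug prefix
ACTION = re.compile(r"ACTION 0x[0-9a-f]+\s+\[(.*?)\]")

def unwrap(text):
    """Rejoin wrapped lines: a line without the debug prefix continues the previous one."""
    out = []
    for line in text.splitlines():
        if PREFIX.match(line) or not out:
            out.append(PREFIX.sub("", line).strip())
        else:
            out[-1] += " " + line.strip()
    return out

def rule_sequence(text):
    """Ordered events in the 'All Rulesets' section: ('action', target) or ('stop', None)."""
    events, active = [], False
    for line in unwrap(text):
        if line.startswith("All Rulesets"):
            active = True
        elif active and line.startswith("End of Rulesets"):
            break
        elif active and line == "STOP":
            events.append(("stop", None))
        elif active and (m := ACTION.match(line)):
            events.append(("action", m.group(1)))
    return events

def leaking_targets(text, guarded):
    """Guarded targets evaluated before the first STOP, i.e. reachable by unfiltered messages."""
    events = rule_sequence(text)
    stop_at = events.index(("stop", None)) if ("stop", None) in events else len(events)
    return [t for _, t in events[:stop_at] if t in guarded]
```

Calling `leaking_targets(SAMPLE, {"/var/log/auth.log", "/var/log/ufw.log"})` returns both paths for the ordering shown in the post; an empty list means every guarded file sits behind the STOP rule.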