Sure. These are all the actions defined below within the "remote" ruleset. I'm 
happy to attach my entire configuration tree if it helps?


## Define a dynamic file template
template(name="cisco" type="string"
  string="/var/log/remote/cisco/%FROMHOST%.log")

## Define a message format template
template(name="ciscomsg" type="string"
  string="%timestamp:::date-rfc3339% %syslogtag%%msg% : %pri-text%\n")

## Receive remote cisco logs. Attempt to filter out non-cisco logs.
if $syslogfacility-text == 'local3' and $programname != ['jabberd']
    and not (re_match($fromhost, '^(tb|bb)-')) then {
  action(
    type="omfile" dynafile="cisco" template="ciscomsg"
    DirCreateMode="0750" DirGroup="logaudit"
    FileCreateMode="0640" FileGroup="logaudit")
  stop
}

## Define a dynamic file template
template(name="rootsh" type="string"
    string="/var/log/remote/audit/%FROMHOST%/rootsh.log")

if $programname == 'rootsh' then {
  action(type="omfile" dynafile="rootsh"
    DirCreateMode="0750" DirGroup="logaudit"
    FileCreateMode="0640" FileGroup="logaudit")
  stop
}

## Define a dynamic file template
template(name="uv" type="string"
  string="/var/log/remote/unix/%FROMHOST%/uv.log")

## Receive remote UniVerse logs
if $syslogfacility-text == ['local3','local7']
    and re_match($fromhost, '^(tb|bb)-') then {
  action(type="omfile" dynafile="uv")
  stop
}

## Define a dynamic file template
template(name="stun" type="string"
  string="/var/log/remote/unix/%FROMHOST%/stunnel.log")

## Receive remote stunnel logs
if $syslogfacility-text == 'local4' and $programname == 'stunnel' then {
    action(type="omfile" dynafile="stun")
    stop
}


## Define a dynamic file template
template(name="nagios" type="string"
        string="/var/log/remote/unix/%FROMHOST%/nagios.log")

## Receive remote Nagios NRPE logs
if $syslogfacility-text == 'local1' and $programname == 'nrpe' then {
    action(type="omfile" dynafile="nagios")
    stop
}



## Define a dynamic file template
template(name="slapd" type="string"
        string="/var/log/remote/unix/%FROMHOST%/slapd.log")

## Receive remote openldap slapd logs
if $syslogfacility-text == 'local4' and $programname == 'slapd' then {
    action(type="omfile" dynafile="slapd")
    stop
}



## Define a dynamic file template
template(name="fex" type="string"
  string="/var/log/remote/unix/%FROMHOST%/fex.log")

## Define a message format template
template(name="fexmsg" type="string"
  string="%msg:2:20% %source% %syslogtag%%msg:22:$:drop-last-lf%\n")

## Receive remote F*EX logs
if $syslogfacility-text == 'local2' and $programname == ['fop','fup'] then {
  action(type="omfile" dynafile="fex" template="fexmsg")
  stop
}

## Define dynamic file templates for standard unix facilities

template(name="messages" type="string"
  string="/var/log/remote/unix/%FROMHOST%/messages")

template(name="secure" type="string"
  string="/var/log/remote/unix/%FROMHOST%/secure")

template(name="maillog" type="string"
  string="/var/log/remote/unix/%FROMHOST%/maillog")

template(name="cron" type="string"
  string="/var/log/remote/unix/%FROMHOST%/cron")


## Standard rules for all Unix hosts

# Log anything of level info or higher, except mail, auth & cron messages.
*.info;mail.none;authpriv.none;auth.none;cron.none
                        action(type="omfile" dynafile="messages")


# The authpriv file has restricted access.
authpriv.*;auth.*       action(type="omfile" dynafile="secure")


# Log all the mail messages in one place.
mail.*                  action(type="omfile" dynafile="maillog")


# Log cron stuff
cron.*                  action(type="omfile" dynafile="cron")

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Monday, 14 April 2014 6:03 PM
To: rsyslog-users
Subject: Re: [rsyslog] 7.4.2 not honouring defaults for omfile

Can you pls post the actual actions.

Sent from phone, thus brief.
On 14.04.2014 05:55, "[email protected]" <[email protected]> wrote:

> Hi,
>
> As the title suggests, rsyslog-7.4.2 doesn't seem to be honouring defaults
> for the umask, dirgroup, filegroup, dircreatemode & filecreatemode options.
> It does honour these options when they are used within an action, but I
> don't want to have to specify them for every action. I've tried defining
> them prior to including any other config files, both inside & outside the
> "remote" ruleset (see below). I've also tried specifying these as options
> to module(type="builtin:omfile" ...), but this breaks my configuration.
>
> I've run the whole thing in debug mode & I see the following ;
>
> 3701.046633592:7f39135f8740: remote: queue finished initialization
> 3701.046654134:7f39135f8740: cnf:global:cfsysline: $umask 0027
> 3701.046669631:7f39135f8740: cnf:global:cfsysline: $FileCreateMode 0640
> 3701.046682473:7f39135f8740: cnf:global:cfsysline: $FileGroup logaudit
> 3701.052690160:7f39135f8740: gid 10039 obtained for group 'logaudit'
> 3701.052720258:7f39135f8740: cnf:global:cfsysline: $DirCreateMode 0755
> 3701.052736657:7f39135f8740: cnf:global:cfsysline: $DirGroup logaudit
> 3701.053210378:7f39135f8740: gid 10039 obtained for group 'logaudit'
> ...
> 3701.075155891:7f39135f8740: dirowner: (unset)
> 3701.075176079:7f39135f8740: dirgroup: (unset)
> 3701.075195853:7f39135f8740: fileowner: (unset)
> 3701.075215766:7f39135f8740: filegroup: (unset)
> 3701.075235563:7f39135f8740: dircreatemode: (unset)
> 3701.075255409:7f39135f8740: filecreatemode: (unset)
>
> Does anyone have any suggestions as to why this might be happening?
>
> I have this stanza at the top of my rsyslog.conf ;
>
> #### MODULES ####
>
> # Provide support for local system logging (e.g. via logger command)
> $ModLoad imuxsock
>
> # Provide kernel logging support (previously done by rklogd)
> $ModLoad imklog
>
> # Provides --MARK-- message capability
> $ModLoad immark
>
> #### GLOBAL DIRECTIVES ####
>
> ## Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> ## Revert to default ruleset for remaining rules
> $Ruleset RSYSLOG_DefaultRuleset
>
>
> In /etc/rsyslog.d/, I have 00-global.conf ;
>
>
> ## Set some sane defaults
> $DropTrailingLFOnReception on
>
> ## Create new "remote" ruleset. All directives following belong to this.
> $RuleSet remote
> $RulesetCreateMainQueue on
>
> $umask 0027
>
> $FileCreateMode 0640
> $FileGroup logaudit
>
> $DirCreateMode 0755
> $DirGroup logaudit
>
> ## Include all rules into the current ruleset
> $IncludeConfig /etc/rsyslog.d/rules.d/*.rs
>
> ## Finally, restore default ruleset
> $Ruleset RSYSLOG_DefaultRuleset
>
>
> Thanks,
> Grant
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
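A lint check for the situation described in this thread, as an added example that is not part of the original messages or of rsyslog: it lists the `omfile` actions in a configuration that do not set the permission parameters explicitly, so the mode and group of the files they create depend on defaults. The function names and the abridged sample input are assumptions made for illustration.

```python
import re
# Permission parameters the poster sets explicitly on some omfile actions.
REQUIRED = ("dircreatemode", "dirgroup", "filecreatemode", "filegroup")
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def action_bodies(conf):
    """Yield the text inside each action(...) call, honouring quoted strings."""
    for m in re.finditer(r'\baction\s*\(', conf):
        depth, in_str, i = 1, False, m.end()
        while i < len(conf) and depth:
            c = conf[i]
            if c == '"':
                in_str = not in_str
            elif not in_str:
                depth += (c == '(') - (c == ')')
            i += 1
        if depth == 0:
            yield conf[m.end():i - 1]

def omfile_without_permissions(conf):
    """Return {target: [missing params]}; comment lines are ignored."""
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    findings = {}
    for body in action_bodies(conf):
        # Parameter names are compared case-insensitively.
        params = {k.lower(): v for k, v in PARAM.findall(body)}
        if params.get("type") != "omfile":
            continue
        missing = [p for p in REQUIRED if p not in params]
        if missing:
            target = params.get("dynafile") or params.get("file", "?")
            findings[target] = missing
    return findings

# Constructed sample: three rules abridged from the configuration in this thread.
SAMPLE = '''
if $programname == 'rootsh' then {
  action(type="omfile" dynafile="rootsh"
    DirCreateMode="0750" DirGroup="logaudit"
    FileCreateMode="0640" FileGroup="logaudit")
}
if $syslogfacility-text == 'local4' and $programname == 'stunnel' then {
    action(type="omfile" dynafile="stun")
}
authpriv.*;auth.*       action(type="omfile" dynafile="secure")
'''
if __name__ == "__main__":
    for target, missing in omfile_without_permissions(SAMPLE).items():
        print(f"{target}: no explicit {', '.join(missing)}")
```

Running it over every file pulled in by `$IncludeConfig` gives the list of log targets to check on disk with `stat` after a restart.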