On Mon, Apr 14, 2014 at 10:14 AM, [email protected]
<[email protected]> wrote:
> Sure. These are all the actions defined below within the "remote" ruleset.
> I'm happy to attach my entire configuration tree if it helps?
>
>
Ah, this is what I suspected. You use new-style action definitions. By
design, legacy config statements (like $FileOwner) do NOT modify settings
for new-style objects. After all, the prime reason for introducing the new
system was to get rid of all the complex things that could happen with the
old style. So you have two options:
1. specify the settings with the action() object, as you have done
2. specify module defaults via the module(load="builtin:omfile" ...) object
Note that for 2. you probably need a recent (v8.2?) build to set all of the
defaults.
HTH
Rainer
>
> ## Define a dynamic file template
> template(name="cisco" type="string"
> string="/var/log/remote/cisco/%FROMHOST%.log")
>
> ## Define a message format template
> template(name="ciscomsg" type="string"
> string="%timestamp:::date-rfc3339% %syslogtag%%msg% : %pri-text%\n")
>
> ## Receive remote cisco logs. Attempt to filter out non-cisco logs.
> if $syslogfacility-text == 'local3' and $programname != ['jabberd']
> and not (re_match($fromhost, '^(tb|bb)-')) then {
> action(
> type="omfile" dynafile="cisco" template="ciscomsg"
> DirCreateMode="0750" DirGroup="logaudit"
> FileCreateMode="0640" FileGroup="logaudit")
> stop
> }
>
> ## Define a dynamic file template
> template(name="rootsh" type="string"
> string="/var/log/remote/audit/%FROMHOST%/rootsh.log")
>
> if $programname == 'rootsh' then {
> action(type="omfile" dynafile="rootsh"
> DirCreateMode="0750" DirGroup="logaudit"
> FileCreateMode="0640" FileGroup="logaudit")
> stop
> }
> ## Define a dynamic file template
> template(name="uv" type="string"
> string="/var/log/remote/unix/%FROMHOST%/uv.log")
>
> ## Receive remote UniVerse logs
> if $syslogfacility-text == ['local3','local7']
> and re_match($fromhost, '^(tb|bb)-') then {
> action(type="omfile" dynafile="uv")
> stop
> }
>
> ## Define a dynamic file template
> template(name="stun" type="string"
> string="/var/log/remote/unix/%FROMHOST%/stunnel.log")
>
> ## Receive remote stunnel logs
> if $syslogfacility-text == 'local4' and $programname == 'stunnel' then {
> action(type="omfile" dynafile="stun")
> stop
> }
>
>
> ## Define a dynamic file template
> template(name="nagios" type="string"
> string="/var/log/remote/unix/%FROMHOST%/nagios.log")
>
> ## Receive remote nagios nrpe logs
> if $syslogfacility-text == 'local1' and $programname == 'nrpe' then {
> action(type="omfile" dynafile="nagios")
> stop
> }
>
>
>
> ## Define a dynamic file template
> template(name="slapd" type="string"
> string="/var/log/remote/unix/%FROMHOST%/slapd.log")
>
> ## Receive remote openldap slapd logs
> if $syslogfacility-text == 'local4' and $programname == 'slapd' then {
> action(type="omfile" dynafile="slapd")
> stop
> }
>
>
>
> ## Define a dynamic file template
> template(name="fex" type="string"
> string="/var/log/remote/unix/%FROMHOST%/fex.log")
>
> ## Define a message format template
> template(name="fexmsg" type="string"
> string="%msg:2:20% %source% %syslogtag%%msg:22:$:drop-last-lf%\n")
>
> ## Receive remote F*EX logs
> if $syslogfacility-text == 'local2' and $programname == ['fop','fup'] then
> {
> action(type="omfile" dynafile="fex" template="fexmsg")
> stop
> }
>
> ## Define dynamic file templates for standard unix facilities
>
> template(name="messages" type="string"
> string="/var/log/remote/unix/%FROMHOST%/messages")
>
> template(name="secure" type="string"
> string="/var/log/remote/unix/%FROMHOST%/secure")
>
> template(name="maillog" type="string"
> string="/var/log/remote/unix/%FROMHOST%/maillog")
>
> template(name="cron" type="string"
> string="/var/log/remote/unix/%FROMHOST%/cron")
>
>
> ## Standard rules for all Unix hosts
>
> # Log anything of level info or higher, except mail, auth & cron messages.
> *.info;mail.none;authpriv.none;auth.none;cron.none
> action(type="omfile" dynafile="messages")
>
>
> # The authpriv file has restricted access.
> authpriv.*;auth.* action(type="omfile" dynafile="secure")
>
>
> # Log all the mail messages in one place.
> mail.* action(type="omfile" dynafile="maillog")
>
>
> # Log cron stuff
> cron.* action(type="omfile" dynafile="cron")
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Rainer Gerhards
> Sent: Monday, 14 April 2014 6:03 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] 7.4.2 not honouring defaults for omfile
>
> Can you pls post the actual actions.
>
> Sent from phone, thus brief.
> On 14.04.2014 05:55, "[email protected]" <[email protected]> wrote:
>
> > Hi,
> >
> > As the title suggests, rsyslog-7.4.2 doesn't seem to be honouring defaults
> > for the umask, dirgroup, filegroup, dircreatemode & filecreatemode options.
> > It does honour these options when they are used within an action, but I
> > don't want to have to specify them for every action. I've tried defining
> > them prior to including any other config files, both inside & outside the
> > "remote" ruleset (see below). I've also tried specifying these as options
> > to module(type="builtin:omfile" ...), but this breaks my configuration.
> >
> > I've run the whole thing in debug mode & I see the following ;
> >
> > 3701.046633592:7f39135f8740: remote: queue finished initialization
> > 3701.046654134:7f39135f8740: cnf:global:cfsysline: $umask 0027
> > 3701.046669631:7f39135f8740: cnf:global:cfsysline: $FileCreateMode 0640
> > 3701.046682473:7f39135f8740: cnf:global:cfsysline: $FileGroup logaudit
> > 3701.052690160:7f39135f8740: gid 10039 obtained for group 'logaudit'
> > 3701.052720258:7f39135f8740: cnf:global:cfsysline: $DirCreateMode 0755
> > 3701.052736657:7f39135f8740: cnf:global:cfsysline: $DirGroup logaudit
> > 3701.053210378:7f39135f8740: gid 10039 obtained for group 'logaudit'
> > ...
> > 3701.075155891:7f39135f8740: dirowner: (unset)
> > 3701.075176079:7f39135f8740: dirgroup: (unset)
> > 3701.075195853:7f39135f8740: fileowner: (unset)
> > 3701.075215766:7f39135f8740: filegroup: (unset)
> > 3701.075235563:7f39135f8740: dircreatemode: (unset)
> > 3701.075255409:7f39135f8740: filecreatemode: (unset)
> >
> > Does anyone have any suggestions as to why this might be happening?
> >
> > I have this stanza at the top of my rsyslog.conf ;
> >
> > #### MODULES ####
> >
> > # Provide support for local system logging (e.g. via logger command)
> > $ModLoad imuxsock
> >
> > # Provide kernel logging support (previously done by rklogd)
> > $ModLoad imklog
> >
> > # Provides --MARK-- message capability
> > $ModLoad immark
> >
> > #### GLOBAL DIRECTIVES ####
> >
> > ## Include all config files in /etc/rsyslog.d/
> > $IncludeConfig /etc/rsyslog.d/*.conf
> >
> > ## Revert to default ruleset for remaining rules
> > $Ruleset RSYSLOG_DefaultRuleset
> >
> >
> > In /etc/rsyslog.d/, I have 00-global.conf ;
> >
> >
> > ## Set some sane defaults
> > $DropTrailingLFOnReception on
> >
> > ## Create new "remote" ruleset. All directives following belong to this.
> > $RuleSet remote
> > $RulesetCreateMainQueue on
> >
> > $umask 0027
> >
> > $FileCreateMode 0640
> > $FileGroup logaudit
> >
> > $DirCreateMode 0755
> > $DirGroup logaudit
> >
> > ## Include all rules into the current ruleset
> > $IncludeConfig /etc/rsyslog.d/rules.d/*.rs
> >
> > ## Finally, restore default ruleset
> > $Ruleset RSYSLOG_DefaultRuleset
> >
> >
> > Thanks,
> > Grant
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >
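The two options from the reply above, applied to the "messages" and "secure" rules quoted in this thread. This is an added example, not part of the original mails or of the rsyslog project's own configuration. It assumes a build that accepts these omfile module parameters (see the version note in the reply) and that the module() statement is placed ahead of the included rule files; the tighter 0700/0600 values on the "secure" action are constructed for illustration.

```conf
## Option 2: module-level defaults, inherited by every omfile action that
## does not set the parameter itself. Replaces the legacy $FileGroup,
## $FileCreateMode, $DirGroup and $DirCreateMode lines, which new-style
## action() objects ignore.
module(load="builtin:omfile"
       dirCreateMode="0750"  dirGroup="logaudit"
       fileCreateMode="0640" fileGroup="logaudit")

## Dynamic file templates, as in the quoted rules
template(name="messages" type="string"
         string="/var/log/remote/unix/%FROMHOST%/messages")

template(name="secure" type="string"
         string="/var/log/remote/unix/%FROMHOST%/secure")

## No permission parameters here: this action takes the module defaults
## (directories 0750, files 0640, group logaudit).
*.info;mail.none;authpriv.none;auth.none;cron.none action(type="omfile" dynafile="messages")

## Option 1: parameters given on the action() itself override the module
## defaults for this action only. dirGroup and fileGroup are not repeated,
## so they still come from the module() statement.
## (0700/0600 are constructed values for a stricter auth log.)
authpriv.*;auth.* action(type="omfile" dynafile="secure"
                         dirCreateMode="0700" fileCreateMode="0600")
```

Validate the result with `rsyslogd -N1` before restarting. The modes actually applied are still subject to the daemon's process umask, so confirm them on a newly created file and directory under /var/log/remote/ rather than relying on the configuration alone.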