Yep, I tried setting these when loading module per option #2, but rsyslogd wasn't happy with the syntax or ignored it (can't remember which). So, I'll give the latest 8 stable a go.
Thanks for your help.

Cheers,
Grant

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Monday, 14 April 2014 7:39 PM
To: rsyslog-users
Subject: Re: [rsyslog] 7.4.2 not honouring defaults for omfile

On Mon, Apr 14, 2014 at 10:38 AM, Rainer Gerhards <[email protected]> wrote:

> On Mon, Apr 14, 2014 at 10:14 AM, [email protected] <[email protected]> wrote:
>
>> Sure. These are all the actions defined below within the "remote"
>> ruleset. I'm happy to attach my entire configuration tree if it helps?
>>
>
> Ah, this is what I suspected. You use new-style action definitions. By
> design, legacy config statements (like $FileOwner) do NOT modify settings
> for new-style objects. After all, the prime reason for introducing the new
> system was to get rid of all the complex things that could happen with the
> old style. So you have two options:
>
> 1. specify the settings with the action() object, as you have done
> 2. specify module defaults via the module(load="builtin:omfile" ...) object
>
> Note that for 2. you probably need a recent (v8.2?) build to set all of
> the defaults.
>

FYI: I have updated the omfile doc to state this explicitly.

Rainer

> HTH
> Rainer
>
>>
>> ## Define a dynamic file template
>> template(name="cisco" type="string"
>>     string="/var/log/remote/cisco/%FROMHOST%.log")
>>
>> ## Define a message format template
>> template(name="ciscomsg" type="string"
>>     string="%timestamp:::date-rfc3339% %syslogtag%%msg% : %pri-text%\n")
>>
>> ## Receive remote cisco logs. Attempt to filter out non-cisco logs.
>> if $syslogfacility-text == 'local3' and $programname != ['jabberd']
>>     and not (re_match($fromhost, '^(tb|bb)-')) then {
>>     action(
>>         type="omfile" dynafile="cisco" template="ciscomsg"
>>         DirCreateMode="0750" DirGroup="logaudit"
>>         FileCreateMode="0640" FileGroup="logaudit")
>>     stop
>> }
>>
>> ## Define a dynamic file template
>> template(name="rootsh" type="string"
>>     string="/var/log/remote/audit/%FROMHOST%/rootsh.log")
>>
>> if $programname == 'rootsh' then {
>>     action(type="omfile" dynafile="rootsh"
>>         DirCreateMode="0750" DirGroup="logaudit"
>>         FileCreateMode="0640" FileGroup="logaudit")
>>     stop
>> }
>> ## Define a dynamic file template
>> template(name="uv" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/uv.log")
>>
>> ## Receive remote UniVerse logs
>> if $syslogfacility-text == ['local3','local7']
>>     and re_match($fromhost, '^(tb|bb)-') then {
>>     action(type="omfile" dynafile="uv")
>>     stop
>> }
>>
>> ## Define a dynamic file template
>> template(name="stun" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/stunnel.log")
>>
>> ## Receive remote stunnel logs
>> if $syslogfacility-text == 'local4' and $programname == 'stunnel' then {
>>     action(type="omfile" dynafile="stun")
>>     stop
>> }
>>
>>
>> ## Define a dynamic file template
>> template(name="nagios" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/nagios.log")
>>
>> ## Receive remote stunnel logs
>> if $syslogfacility-text == 'local1' and $programname == 'nrpe' then {
>>     action(type="omfile" dynafile="nagios")
>>     stop
>> }
>>
>>
>>
>> ## Define a dynamic file template
>> template(name="slapd" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/slapd.log")
>>
>> ## Receive remote openldap slapd logs
>> if $syslogfacility-text == 'local4' and $programname == 'slapd' then {
>>     action(type="omfile" dynafile="slapd")
>>     stop
>> }
>>
>>
>>
>> ## Define a dynamic file template
>> template(name="fex" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/fex.log")
>>
>> ## Define a message format template
>> template(name="fexmsg" type="string"
>>     string="%msg:2:20% %source% %syslogtag%%msg:22:$:drop-last-lf%\n")
>>
>> ## Receive remote F*EX logs
>> if $syslogfacility-text == 'local2' and $programname == ['fop','fup']
>>     then {
>>     action(type="omfile" dynafile="fex" template="fexmsg")
>>     stop
>> }
>>
>> ## Define dynamic file templates for standard unix facilities
>>
>> template(name="messages" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/messages")
>>
>> template(name="secure" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/secure")
>>
>> template(name="maillog" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/maillog")
>>
>> template(name="cron" type="string"
>>     string="/var/log/remote/unix/%FROMHOST%/cron")
>>
>>
>> ## Standard rules for all Unix hosts
>>
>> # Log anything of level info or higher, except mail, auth & cron messages.
>> *.info;mail.none;authpriv.none;auth.none;cron.none
>>     action(type="omfile" dynafile="messages")
>>
>>
>> # The authpriv file has restricted access.
>> authpriv.*;auth.* action(type="omfile" dynafile="secure")
>>
>>
>> # Log all the mail messages in one place.
>> mail.* action(type="omfile" dynafile="maillog")
>>
>>
>> # Log cron stuff
>> cron.* action(type="omfile" dynafile="cron")
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
>> Sent: Monday, 14 April 2014 6:03 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] 7.4.2 not honouring defaults for omfile
>>
>> Can you pls post the actual actions.
>>
>> Sent from phone, thus brief.
>> On 14.04.2014 05:55, "[email protected]" <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > As the title suggests, rsyslog-7.4.2 doesn't seem to be honouring defaults
>> > for the umask, dirgroup, filegroup, dircreatemode & filecreatemode options.
>> > It does honour these options when they are used within an action, but I
>> > don't want to have to specify them for every action. I've tried defining
>> > them prior to including any other config files, both inside & outside the
>> > "remote" ruleset (see below). I've also tried specifying these as options
>> > to module(type="builtin:omfile" ...), but this breaks my configuration.
>> >
>> > I've run the whole thing in debug mode & I see the following ;
>> >
>> > 3701.046633592:7f39135f8740: remote: queue finished initialization
>> > 3701.046654134:7f39135f8740: cnf:global:cfsysline: $umask 0027
>> > 3701.046669631:7f39135f8740: cnf:global:cfsysline: $FileCreateMode 0640
>> > 3701.046682473:7f39135f8740: cnf:global:cfsysline: $FileGroup logaudit
>> > 3701.052690160:7f39135f8740: gid 10039 obtained for group 'logaudit'
>> > 3701.052720258:7f39135f8740: cnf:global:cfsysline: $DirCreateMode 0755
>> > 3701.052736657:7f39135f8740: cnf:global:cfsysline: $DirGroup logaudit
>> > 3701.053210378:7f39135f8740: gid 10039 obtained for group 'logaudit'
>> > ...
>> > 3701.075155891:7f39135f8740: dirowner: (unset)
>> > 3701.075176079:7f39135f8740: dirgroup: (unset)
>> > 3701.075195853:7f39135f8740: fileowner: (unset)
>> > 3701.075215766:7f39135f8740: filegroup: (unset)
>> > 3701.075235563:7f39135f8740: dircreatemode: (unset)
>> > 3701.075255409:7f39135f8740: filecreatemode: (unset)
>> >
>> > Does anyone have any suggestions as to why this might be happening?
>> >
>> > I have this stanza at the top of my rsyslog.conf ;
>> >
>> > #### MODULES ####
>> >
>> > # Provide support for local system logging (e.g. via logger command)
>> > $ModLoad imuxsock
>> >
>> > # Provide kernel logging support (previously done by rklogd)
>> > $ModLoad imklog
>> >
>> > # Provides --MARK-- message capability
>> > $ModLoad immark
>> >
>> > #### GLOBAL DIRECTIVES ####
>> >
>> > ## Include all config files in /etc/rsyslog.d/
>> > $IncludeConfig /etc/rsyslog.d/*.conf
>> >
>> > ## Revert to default ruleset for remaining rules
>> > $Ruleset RSYSLOG_DefaultRuleset
>> >
>> >
>> > In /etc/rsyslog.d/, I have 00-global.conf ;
>> >
>> >
>> > ## Set some sane defaults
>> > $DropTrailingLFOnReception on
>> >
>> > ## Create new "remote" ruleset. All directives following belong to this.
>> > $RuleSet remote
>> > $RulesetCreateMainQueue on
>> >
>> > $umask 0027
>> >
>> > $FileCreateMode 0640
>> > $FileGroup logaudit
>> >
>> > $DirCreateMode 0755
>> > $DirGroup logaudit
>> >
>> > ## Include all rules into the current ruleset
>> > $IncludeConfig /etc/rsyslog.d/rules.d/*.rs
>> >
>> > ## Finally, restore default ruleset
>> > $Ruleset RSYSLOG_DefaultRuleset
>> >
>> >
>> > Thanks,
>> > Grant
>> >
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> > DON'T LIKE THAT.
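A small audit script for the situation described in this thread, added here as an example (it is not code from the thread or from the rsyslog project): it lists omfile actions whose permission parameters are set neither in the action() object nor through module(load="builtin:omfile" ...) defaults, and reports legacy directives that, per the reply above, do not reach those actions. The function name `audit_omfile` and the sample configuration are assumptions constructed for illustration.

```python
import re

# omfile permission parameters from the thread (rsyslog parameter names are case-insensitive).
PERM_PARAMS = ("dircreatemode", "dirgroup", "filecreatemode", "filegroup")
# New-style objects: name( key="value" ... ), tolerating ')' inside quoted values.
OBJ_RE = re.compile(r'\b(action|module)\s*\(((?:[^()"]|"[^"]*")*)\)', re.I)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')
# Legacy directives that, per the thread, do not modify new-style action() objects.
LEGACY_RE = re.compile(r'^\s*\$(FileCreateMode|FileGroup|DirCreateMode|DirGroup)\b', re.M | re.I)


def audit_omfile(conf):
    """Return (legacy directives seen, [(target, unset permission params)])."""
    # Drop comment lines so commented-out actions are not audited.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    legacy = sorted({name.lower() for name in LEGACY_RE.findall(conf)})
    objs = [(kind.lower(), {k.lower(): v for k, v in PARAM_RE.findall(body)})
            for kind, body in OBJ_RE.findall(conf)]
    defaults = {}
    for kind, params in objs:
        if kind == "module" and params.get("load") == "builtin:omfile":
            defaults.update(params)  # module-level defaults (option 2 in the reply)
    findings = []
    for kind, params in objs:
        if kind == "action" and params.get("type") == "omfile":
            unset = [p for p in PERM_PARAMS if p not in params and p not in defaults]
            if unset:
                findings.append((params.get("dynafile") or params.get("file"), unset))
    return legacy, findings


# Constructed sample, condensed from the configuration quoted in the thread.
SAMPLE = r'''
$FileCreateMode 0640
$FileGroup logaudit
$DirCreateMode 0755
$DirGroup logaudit
if $syslogfacility-text == 'local3' then {
    action(type="omfile" dynafile="cisco" template="ciscomsg"
           DirCreateMode="0750" DirGroup="logaudit"
           FileCreateMode="0640" FileGroup="logaudit")
}
# action(type="omfile" dynafile="disabled")
if re_match($fromhost, '^(tb|bb)-') then { action(type="omfile" dynafile="uv") }
'''

if __name__ == "__main__":
    legacy, findings = audit_omfile(SAMPLE)
    print("legacy directives (not applied to action() objects):", legacy)
    for target, unset in findings:
        print(f"action {target!r}: no explicit {', '.join(unset)}")
```
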

