# system #
Distributor ID: Debian
Description: Debian GNU/Linux 8.5 (jessie)
Release: 8.5
Codename: jessie
rsyslog: 8.4.2-1+deb8u2
# configuration: /etc/rsyslog.conf #
> $ModLoad imuxsock
> $ModLoad imklog
> $KLogPermitNonKernelFacility on
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> $Umask 0000
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
>
> $WorkDirectory /var/spool/rsyslog
>
> $IncludeConfig /etc/rsyslog.d/*.conf
# conf: /etc/rsyslog.d/ruleset_incoming_relp.conf #
> module( load = "imrelp"
> ruleset = "incoming_relp"
> )
>
> input( type = "imrelp"
> port = "20514"
> tls = "on"
> tls.compression = "on"
> tls.caCert = "/etc/rsyslog.d/ssl/ca.pem"
> tls.myCert = "/etc/rsyslog.d/ssl/logserver.xxxxxx.crt"
> tls.myPrivKey = "/etc/rsyslog.d/ssl/logserver.xxxxxx.key"
> tls.authMode = "name"
> tls.permittedpeer = [ "client1.xxxxxx.com", ... ]
> )
>
> $template Authlog,"/var/log/collected/servers/%HOSTNAME%/auth.log"
> $template Syslog,"/var/log/collected/servers/%HOSTNAME%/syslog"
> ...
>
> # ruleset (filters)!
> ruleset(name="incoming_relp") {
>
> if ( $syslogfacility == '4'
> or $syslogfacility == '10' ) then {
> -?Authlog
> } else {
> -?Syslog
> }
> ...
> }
>
# conf: /etc/rsyslog.d/50-default.conf #
> auth,authpriv.* /var/log/auth.log
>
> # filter out local?.* openstack messages
> *.*;auth,authpriv.none -/var/log/syslog
>
> cron.* -/var/log/cron.log
> daemon.* -/var/log/daemon.log
> kern.* -/var/log/kern.log
>
> mail.* -/var/log/mail.log
> mail.err -/var/log/mail.err
>
The (local) logs written by 50-default.conf have correct ownership,
root:adm, but the collected logs written by ruleset_incoming_relp.conf
are root:root
rsyslogd -nd 2>&1 | grep -i -C 1 'Umask|FileOwner|FileGroup'
4012.646077607:main thread : doGetWord: get newval
'RSYSLOG_TraditionalFileFormat' (len 29), hdlr 0x4151c0
4012.646082970:main thread : cnf:global:cfsysline: $Umask 0000
4012.646088204:main thread : cnf:global:cfsysline: $FileOwner root
4012.646631987:main thread : uid 0 obtained for user 'root'
4012.646639077:main thread : cnf:global:cfsysline: $FileGroup adm
4012.646709122:main thread : gid 4 obtained for group 'adm'
--
4012.660969243:main thread : adding a ruleset-specific "main" queue
for ruleset 'RSYSLOG_DefaultRuleset'
4012.660975783:main thread : cnf:global:cfsysline: $Umask 0000
4012.660984026:main thread : cnf:global:cfsysline: $FileOwner root
4012.661026359:main thread : uid 0 obtained for user 'root'
4012.661032463:main thread : cnf:global:cfsysline: $FileGroup adm
4012.661071273:main thread : gid 4 obtained for group 'adm'
--
4012.712984548:main thread : Writing pidfile '/var/run/rsyslogd.pid'.
4012.713085399:main thread : umask set to 0000.
4012.713093487:main thread : telling modules to activate config
(before dropping privs) 0xf583e0
As far as I understand from the documentation (and the debug output
above), all logs should have root:adm, but it is not so. I would
appreciate any pointers to what I am doing wrong.
Best Regards
Y
PS: I have removed the logs and let rsyslog create new files.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.