# system #

Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:        8.5
Codename:       jessie

rsyslog: 8.4.2-1+deb8u2

# configuration: /etc/rsyslog.conf #

> $ModLoad imuxsock
> $ModLoad imklog  
> $KLogPermitNonKernelFacility on
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> $Umask 0000
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
>
> $WorkDirectory /var/spool/rsyslog
>
> $IncludeConfig /etc/rsyslog.d/*.conf

# conf: /etc/rsyslog.d/ruleset_incoming_relp.conf #

> module( load    = "imrelp"
>         ruleset = "incoming_relp"
>         )
>
> input( type              = "imrelp"
>        port              = "20514"
>        tls               = "on"
>        tls.compression   = "on"
>        tls.caCert        = "/etc/rsyslog.d/ssl/ca.pem"
>        tls.myCert        = "/etc/rsyslog.d/ssl/logserver.xxxxxx.crt"
>        tls.myPrivKey     = "/etc/rsyslog.d/ssl/logserver.xxxxxx.key"
>        tls.authMode      = "name"
>        tls.permittedpeer = [ "client1.xxxxxx.com", ... ]
>        )
>
> $template Authlog,"/var/log/collected/servers/%HOSTNAME%/auth.log"
> $template Syslog,"/var/log/collected/servers/%HOSTNAME%/syslog"
> ...
>
> # ruleset (filters)!
> ruleset(name="incoming_relp") {
>
> if (    $syslogfacility == '4'
>     or $syslogfacility == '10' ) then {
>         -?Authlog
> } else {
>         -?Syslog
> }
> ...
> }
>
# conf: /etc/rsyslog.d/50-default.conf #

> auth,authpriv.*                 /var/log/auth.log
>
> # filter out local?.* openstack messages
> *.*;auth,authpriv.none          -/var/log/syslog
>
> cron.*                         -/var/log/cron.log
> daemon.*                       -/var/log/daemon.log
> kern.*                         -/var/log/kern.log
>
> mail.*                         -/var/log/mail.log
> mail.err                       -/var/log/mail.err
>

The (local) logs written by 50-default.conf have correct ownership,
root:adm, but the collected logs written by ruleset_incoming_relp.conf
are root:root

rsyslogd -nd 2>&1 | grep -i -C 1 'Umask|FileOwner|FileGroup'
4012.646077607:main thread    : doGetWord: get newval
'RSYSLOG_TraditionalFileFormat' (len 29), hdlr 0x4151c0
4012.646082970:main thread    : cnf:global:cfsysline: $Umask 0000
4012.646088204:main thread    : cnf:global:cfsysline: $FileOwner root
4012.646631987:main thread    : uid 0 obtained for user 'root'
4012.646639077:main thread    : cnf:global:cfsysline: $FileGroup adm
4012.646709122:main thread    : gid 4 obtained for group 'adm'
--
4012.660969243:main thread    : adding a ruleset-specific "main" queue
for ruleset 'RSYSLOG_DefaultRuleset'
4012.660975783:main thread    : cnf:global:cfsysline: $Umask 0000
4012.660984026:main thread    : cnf:global:cfsysline: $FileOwner root
4012.661026359:main thread    : uid 0 obtained for user 'root'
4012.661032463:main thread    : cnf:global:cfsysline: $FileGroup adm
4012.661071273:main thread    : gid 4 obtained for group 'adm'
--
4012.712984548:main thread    : Writing pidfile '/var/run/rsyslogd.pid'.
4012.713085399:main thread    : umask set to 0000.
4012.713093487:main thread    : telling modules to activate config
(before dropping privs) 0xf583e0

As far as I understand from the documentation (and the debug output
above), all logs should have root:adm, but it is not so.  I would
appreciate any pointers to what I am doing wrong.

Best Regards

Y

PS: I have removed the logs and let rsyslog create new files.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to