Hi, I enabled debugging through rsyslog.conf, removed a log file to make sure a new one was created and checked the debug log. Unfortunately I’m not able to see anything obvious. Maybe you could guide me where to look or what to grep for?
Below is what I got when grepping for the server name:

1010.375076700:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.375191500:7fdda664c700: file stream server-swa01.domain.local.log params: flush interval 0, async write 0
1010.375199000:7fdda664c700: Added new entry 2 for file cache, file '/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log'.
1010.375211600:7fdda664c700: strm 0x7fdd90012320: file -1(server-swa01.domain.local.log) flush, buflen 335
1010.375224100:7fdda664c700: file '/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' opened as #23 with mode 420
1010.375231900:7fdda664c700: strm 0x7fdd90012320: opened file '/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' for WRITE as 23
1010.377159700:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377175200:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377189700:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377204000:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377218300:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377232900:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377247100:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377266000:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377275300:7fdda664c700: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 4096
1010.377305800:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377320500:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377334800:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377349000:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377363100:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377377100:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377389100:7fdda664c700: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 4096
1010.377408800:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377426800:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377451900:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377468000:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377482100:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377494400:7fdda664c700: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 3499
1020.348861200:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1020.348874700:7fdda664c700: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 327
1020.351903700:7fdda664c700: file to log to: /var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1020.351920900:7fdda664c700: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 598
1034.213326000:7fddab149780: Removing entry 2 for file '/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' from dynaCache.
1034.213329100:7fddab149780: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) closing
1034.213332200:7fddab149780: strm 0x7fdd90012320: file 23(server-swa01.domain.local.log) flush, buflen 0 (no need to flush)

I checked the rsyslog.service file and saw that a UMask 0066 is specified here. Is this OK?

[root@logstore multi-user.target.wants]# cat rsyslog.service
[Unit]
Description=System Logging Service
;Requires=syslog.socket

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Restart=on-failure
UMask=0066
StandardOutput=null

[Install]
WantedBy=multi-user.target
;Alias=syslog.service

Thanks in advance!

Regards,
Robin Jonsson

On 160825// 08:32 , "[email protected] on behalf of Rainer Gerhards" <[email protected] on behalf of [email protected]> wrote:

2016-08-25 8:01 GMT+02:00 Robin Jonsson <[email protected]>:
> Thanks for your reply!
>
> Have I understood it correctly that you suggest removing $FileCreateMode/
> $DirCreateMode? I am already using DirCreateMode and FileCreateMode in the action clause.

This sounds like there is a problem applying the modes. With the old
version, you only see this in a debug log. So the next step is to
activate rsyslog debug logging and check for errors during file
creation.

HTH
Rainer

>
> Regards,
> Robin
>
> On 160825// 00:41 , "[email protected] on behalf of David Lang" <[email protected] on behalf of [email protected]> wrote:
>
> when you use action(), it completely ignores the legacy stuff set with
> $filecreatemode etc. everything needs to be specified in the action() clause.
>
> David Lang
>
> On Wed, 24 Aug 2016, Robin Jonsson wrote:
>
> > Date: Wed, 24 Aug 2016 12:15:05 +0000
> > From: Robin Jonsson <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: "[email protected]" <[email protected]>
> > Subject: [rsyslog] $DirCreateMode / $FileCreateMode is not enforced
> >
> > Hi,
> >
> > I’m currently setting up a syslog-server to be used for Network equipment and servers based on rsyslogd (rsyslog-7.4.7-12.el7.x86_64) running on CentOS 7. The logging is working fine and everything goes into the directories I’ve chosen, but the permissions for the servers seem to be a bit strange and don’t follow the values specified in $DirCreateMode/$FileCreateMode. For Network equipment this works perfectly!!
> >
> > Each directory for the servers is created with 0711, should be 0755. Files are created with 0600, should be 0644.
> >
> > root@logstore]# cat /etc/rsyslog.conf
> > $ModLoad imudp
> > $UDPServerRun 514
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> > $WorkDirectory /var/lib/rsyslog
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > $OmitLocalLogging on
> > $IMJournalStateFile imjournal.state
> > $FileOwner root
> > $FileGroup wheel
> > $FileCreateMode 0644
> > $DirCreateMode 0755
> >
> > template (name="remote_server" type="string" string="/var/log/server/%fromhost%/%fromhost%.log")
> > template (name="remote_network" type="string" string="/var/log/network/%fromhost%/%fromhost%.log")
> >
> > # If received on Facility 22 then sort as server stuff..
> > if ( ($inputname == 'imudp' or $inputname == 'imtcp') and $syslogfacility == 22 ) then {
> >   action (type="omfile" dynaFile="remote_server" DirCreateMode="0755" FileCreateMode="0644" )
> > }
> >
> > # … else sort as network stuff
> > else if ( $inputname == 'imudp' or $inputname == 'imtcp' ) then {
> >   action(type="omfile" dynaFile="remote_network" DirCreateMode="0755" FileCreateMode="0644" )
> >   stop
> > }
> > # Ignore this host…
> > if $hostname == 'last' then stop
> >
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> > authpriv.* /var/log/secure
> > mail.* -/var/log/maillog
> > cron.* /var/log/cron
> > *.emerg :omusrmsg:*
> > uucp,news.crit /var/log/spooler
> > local7.* /var/log/boot.log
> >
> > Directories and files created by rsyslogd for servers (not working – 711 for dir and 600 for files):
> > ls -la /var/log/server
> > (…)
> > drwx--x--x. 2 root root 100 Aug 24 03:19 server-sfe03.domain.local
> > (…)
> >
> > ls -la /var/log/server/server-sfe01.domain.local
> > total 256
> > drwx--x--x. 2 root root 100 Aug 24 03:19 .
> > drwxr-xr-x. 9 root root 4096 Aug 24 13:20 ..
> > -rw-------. 1 root root 241821 Aug 24 13:20 server-sfe01.domain.local.log
> > -rw-------. 1 root root 7311 Aug 24 01:19 server-sfe01.domain.local.log-20160824.gz
> >
> > Directories and files created by rsyslogd for networks (this works – 755 for dir and 644 for files):
> > ls -l /var/log/network
> > (…)
> > drwxr-xr-x. 2 root root 8192 Aug 24 03:18 network-asa01.domain.local
> > (…)
> >
> > drwxr-xr-x. 2 root root 8192 Aug 24 03:18 network-asa01.domain.local
> > ls -al /var/log/network/network-asa01.domain.local
> > total 83756
> > drwxr-xr-x. 2 root root 8192 Aug 24 03:18 .
> > drwxr-xr-x. 53 root root 4096 Aug 23 15:32 ..
> > -rw-r--r--. 1 root root 9107124 Aug 24 13:33 network-asa01.domain.local.log
> > (…)
> >
> > Any help is much appreciated! Why is not DirCreateMode / FileCreateMode enforced?
> > I’ve checked umask and permissions on both /var/log/network and /var/log/servers and they are the same.
> >
> > Thanks in advance!
> >
> > Regards,
> > Robin Jonsson
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
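
Added example, not part of the thread and not rsyslog code: mkdir(2) and open(2) apply the requested mode with the process umask bits cleared, so under a umask of 0066 (the UMask= value in the unit file above) a request for 0755/0644 comes out as 0711/0600; the debug line "opened as #23 with mode 420" is decimal for octal 0644. The Python sketch below reproduces this at the system-call level and audits a tree for entries missing wanted permission bits; the host names and function names are constructed for illustration.

```python
# Added example (constructed): requested create mode vs. process umask.
import os
import shutil
import tempfile


def create_under_umask(base, name, umask, dir_mode, file_mode):
    """Create base/name/ and base/name/name.log the way a daemon would:
    pass the wanted mode to mkdir(2)/open(2) and let the umask apply."""
    old = os.umask(umask)
    try:
        d = os.path.join(base, name)
        os.mkdir(d, dir_mode)                      # effective: dir_mode & ~umask
        fd = os.open(os.path.join(d, name + ".log"),
                     os.O_CREAT | os.O_WRONLY, file_mode)  # file_mode & ~umask
        os.close(fd)
    finally:
        os.umask(old)                              # always restore the caller's umask


def audit_tree(root, dir_mode, file_mode):
    """Return sorted (path, actual_mode, missing_bits) for every entry
    below root that lacks permission bits present in the wanted mode."""
    findings = []
    for cur, dirs, files in os.walk(root):
        wanted = [(n, dir_mode) for n in dirs] + [(n, file_mode) for n in files]
        for name, want in wanted:
            path = os.path.join(cur, name)
            actual = os.lstat(path).st_mode & 0o777
            missing = want & ~actual
            if missing:
                findings.append((path, actual, missing))
    return sorted(findings)


def demo():
    """Build two constructed host directories, one under umask 0066 and one
    under umask 0000, then audit both against 0755/0644."""
    base = tempfile.mkdtemp()
    try:
        create_under_umask(base, "masked.example", 0o066, 0o755, 0o644)
        create_under_umask(base, "open.example", 0o000, 0o755, 0o644)
        return [(os.path.relpath(p, base), oct(a), oct(m))
                for p, a, m in audit_tree(base, 0o755, 0o644)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Pointing audit_tree at a real log root such as /var/log/server with the wanted modes lists every directory and file that is missing group or other bits, along with the missing bits in octal.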

