Hi,

I enabled debugging through rsyslog.conf, removed a log file to make sure a new 
one was created and checked the debug log. Unfortunately I’m not able to see 
anything obvious. Maybe you could guide me where to look or what to grep for?

Below is what I got when grepping for the server name:

1010.375076700:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.375191500:7fdda664c700: file stream server-swa01.domain.local.log params: 
flush interval 0, async write 0
1010.375199000:7fdda664c700: Added new entry 2 for file cache, file 
'/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log'.
1010.375211600:7fdda664c700: strm 0x7fdd90012320: file 
-1(server-swa01.domain.local.log) flush, buflen 335
1010.375224100:7fdda664c700: file 
'/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' 
opened as #23 with mode 420
1010.375231900:7fdda664c700: strm 0x7fdd90012320: opened file 
'/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' for 
WRITE as 23
1010.377159700:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377175200:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377189700:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377204000:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377218300:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377232900:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377247100:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377266000:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377275300:7fdda664c700: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 4096
1010.377305800:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377320500:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377334800:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377349000:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377363100:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377377100:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377389100:7fdda664c700: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 4096
1010.377408800:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377426800:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377451900:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377468000:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377482100:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1010.377494400:7fdda664c700: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 3499
1020.348861200:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1020.348874700:7fdda664c700: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 327
1020.351903700:7fdda664c700: file to log to: 
/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log
1020.351920900:7fdda664c700: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 598
1034.213326000:7fddab149780: Removing entry 2 for file 
'/var/log/server/server-swa01.domain.local/server-swa01.domain.local.log' from 
dynaCache.
1034.213329100:7fddab149780: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) closing
1034.213332200:7fddab149780: strm 0x7fdd90012320: file 
23(server-swa01.domain.local.log) flush, buflen 0 (no need to flush)

I checked the rsyslog.service file and saw that a UMask 0066 is specified here. 
Is this OK?

[root@logstore multi-user.target.wants]# cat rsyslog.service
[Unit]
Description=System Logging Service
;Requires=syslog.socket

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Restart=on-failure
UMask=0066
StandardOutput=null

[Install]
WantedBy=multi-user.target
;Alias=syslog.service

Thanks in advance!

Regards,
Robin Jonsson


On 160825// 08:32 , "[email protected] on behalf of Rainer 
Gerhards" <[email protected] on behalf of 
[email protected]> wrote:

    2016-08-25 8:01 GMT+02:00 Robin Jonsson <[email protected]>:
    > Thanks for your reply!
    >
    > Have I understood it correctly that you suggest removing $FileCreateMode/
    > $DirCreateMode? I am already using DirCreateMode and FileCreateMode in 
the action clause.
    
    This sounds like there is a problem applying the modes. With the old
    version, you only see this in a debug log. So the next step is to
    activate rsyslog debug logging and check for errors during file
    creation.
    
    HTH
    Rainer
    >
    > Regards,
    > Robin
    >
    > On 160825// 00:41 , "[email protected] on behalf of David 
Lang" <[email protected] on behalf of [email protected]> wrote:
    >
    >     when you use action(), it completely ignores the legacy stuff set with
    >     $filecreatemode etc. everything needs to be specified in the action() 
clause.
    >
    >     David Lang
    >
    >     On Wed, 24 Aug 2016, Robin Jonsson wrote:
    >
    >     > Date: Wed, 24 Aug 2016 12:15:05 +0000
    >     > From: Robin Jonsson <[email protected]>
    >     > Reply-To: rsyslog-users <[email protected]>
    >     > To: "[email protected]" <[email protected]>
    >     > Subject: [rsyslog] $DirCreateMode / $FileCreateMode is not enforced
    >     >
    >     > Hi,
    >     >
    >     > I’m currently setting up a syslog-server to be used for Network 
equipment and servers based on rsyslogd (rsyslog-7.4.7-12.el7.x86_64) running 
on Centos 7. The logging is working fine and everything goes into the 
directories I’ve chosen, but the permissions for the servers seems to be a bit 
strange and doesn’t follow the values specified in 
$DirCreateMode/$FileCreateMode. For Network equipment this works perfectly!!
    >     >
    >     > Each directory for the servers are created with 0711, should be 
0755. Files are created with 0600, should be 0644.
    >     >
    >     > root@logstore]# cat /etc/rsyslog.conf
    >     > $ModLoad imudp
    >     > $UDPServerRun 514
    >     > $ModLoad imtcp
    >     > $InputTCPServerRun 514
    >     > $WorkDirectory /var/lib/rsyslog
    >     > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    >     > $IncludeConfig /etc/rsyslog.d/*.conf
    >     > $OmitLocalLogging on
    >     > $IMJournalStateFile imjournal.state
    >     > $FileOwner root
    >     > $FileGroup wheel
    >     > $FileCreateMode 0644
    >     > $DirCreateMode 0755
    >     >
    >     > template (name="remote_server" type="string" 
string="/var/log/server/%fromhost%/%fromhost%.log")
    >     > template (name="remote_network" type="string" 
string="/var/log/network/%fromhost%/%fromhost%.log")
    >     >
    >     > # If received on Facility 22 then sort as server stuff..
    >     > if ( ($inputname == 'imudp' or $inputname == 'imtcp') and 
$syslogfacility == 22 ) then {
    >     > action (type="omfile" dynaFile="remote_server" DirCreateMode="0755" 
FileCreateMode="0644" )
    >     > }
    >     >
    >     > # … else sort as network stuff
    >     > else if ( $inputname == 'imudp' or $inputname == 'imtcp' ) then {
    >     > action(type="omfile" dynaFile="remote_network" DirCreateMode="0755" 
FileCreateMode="0644" )
    >     > stop
    >     > }
    >     > # Ignore this host…
    >     > if $hostname == 'last' then stop
    >     >
    >     > *.info;mail.none;authpriv.none;cron.none                
/var/log/messages
    >     > authpriv.*                                              
/var/log/secure
    >     > mail.*                                                  
-/var/log/maillog
    >     > cron.*                                                  
/var/log/cron
    >     > *.emerg                                                 :omusrmsg:*
    >     > uucp,news.crit                                          
/var/log/spooler
    >     > local7.*                                                
/var/log/boot.log
    >     >
    >     > Directories and files created by rsyslogd for servers (not working 
– 711 for dir and 600 for files):
    >     > ls -la /var/log/server
    >     > (…)
    >     > drwx--x--x.  2 root root  100 Aug 24 03:19 server-sfe03.domain.local
    >     > (…)
    >     >
    >     > ls -la /var/log/server/server-sfe01.domain.local
    >     > total 256
    >     > drwx--x--x. 2 root root    100 Aug 24 03:19 .
    >     > drwxr-xr-x. 9 root root   4096 Aug 24 13:20 ..
    >     > -rw-------. 1 root root 241821 Aug 24 13:20 
server-sfe01.domain.local.log
    >     > -rw-------. 1 root root   7311 Aug 24 01:19 
server-sfe01.domain.local.log-20160824.gz
    >     >
    >     > Directories and files created by rsyslogd for networks (this works 
– 755 for dir and 644 for files):
    >     > ls -l /var/log/network
    >     > (…)
    >     > drwxr-xr-x.  2 root root 8192 Aug 24 03:18 
network-asa01.domain.local
    >     > (…)
    >     >
    >     > drwxr-xr-x.  2 root root 8192 Aug 24 03:18 
network-asa01.domain.local
    >     > ls –al /var/log/network/network-asa01.domain.local
    >     > total 83756
    >     > drwxr-xr-x.  2 root root    8192 Aug 24 03:18 .
    >     > drwxr-xr-x. 53 root root    4096 Aug 23 15:32 ..
    >     > -rw-r--r--.  1 root root 9107124 Aug 24 13:33 
network-asa01.domain.local.log
    >     > (…)
    >     >
    >     > Any help is much appreciated! Why is not DirCreateMode / 
FileCreateMode enforced? I’ve checked umask and permissions on both 
/var/log/network and /var/log/servers and they are the same.
    >     >
    >     > Thanks in advance!
    >     >
    >     > Regards,
    >     > Robin Jonsson
    >     > _______________________________________________
    >     > rsyslog mailing list
    >     > http://lists.adiscon.net/mailman/listinfo/rsyslog
    >     > http://www.rsyslog.com/professional-services/
    >     > What's up with rsyslog? Follow https://twitter.com/rgerhards
    >     > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a 
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you 
DON'T LIKE THAT.
    >
    >
    > _______________________________________________
    > rsyslog mailing list
    > http://lists.adiscon.net/mailman/listinfo/rsyslog
    > http://www.rsyslog.com/professional-services/
    > What's up with rsyslog? Follow https://twitter.com/rgerhards
    > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad 
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
LIKE THAT.
    _______________________________________________
    rsyslog mailing list
    http://lists.adiscon.net/mailman/listinfo/rsyslog
    http://www.rsyslog.com/professional-services/
    What's up with rsyslog? Follow https://twitter.com/rgerhards
    NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to