Re: [rsyslog] RHEL-7.9 rsyslog with FileOwner

Wed, 05 Jun 2024 11:09:13 -0700 

Thank you Rainer,
     I finally got the opportunity to get back to this task.

I was able to get the error to cease and desist from being presented in the
"*systemctl status rsyslog*" output.

However, I have a question as I was expecting to observe a change but, I do
not see the change in Group Ownership of the files.

*How do I associate the directive ($FileGroupNum 2000) with the  log file
itself?*

In the case this wasn't obvious to you in the rsyslog.debug (because I
didn't have all that much time to review it myself), I have to
generate multiple log files based on the sources of the datafeeds (based on
facility.severity) into:
1) a separate directory, and
2) the same file name it would have been locally on the source-server.

So, I am using Conditionals, such as these:

if   ($fromhost-ip startswith  ‘172.20.245.5’  or $fromhost-ip contains
‘172.20.245.101’)  then  {


authpriv.*
-?SECU


*.info;mail.none;authpriv.none;cron.none
-?MESG

                    &  stop

}   else  if     ( $fromhost  contains  ‘i42tskvm’ ) then {


*.*
-?MESG

                    stop

}  else   {

                    *.*

               /var/log/messages

                    stop

}

I established the templates (variables) with the following syntax:

$template  CATC,”/var/log/remote/%HOSTNAME%.log”

$template  SECU,”/var/log/remote/%HOSTNAME%/secure”

$template  MESG,”/var/log/remote/%HOSTNAME%/messages”


Please, let me know if I need to establish a new email thread for this
independently.


--------------------------
Warron French



On Sat, Jun 1, 2024 at 7:18 AM Rainer Gerhards <[email protected]>
wrote:

> I have looked into the log. The group name is actually not resolvable.
> The debug log has not more information, but from the config given it
> shows that you provide what looks like the group ID (2000) and not the
> name ("examplegroup"). Thus resolution seems to fail.
>
> Use
>
> $FileGroupNum 2000
>
> instead. Or, better, use new style format. Please also note the doc for
> omfile:
>
> https://www.rsyslog.com/doc/configuration/modules/omfile.html
>
> HTH
> Rainer
>
> PS: thread history deleted, there seems to have been a large file
> inside it, that prevented me from posting on the ML.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to