[rsyslog] $template to create filename, ownership, and other file-related questions
Mauricio Tavares
raubvogel at gmail.com
Tue Aug 31 15:46:32 CEST 2010
On Tue, Aug 31, 2010 at 1:58 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>> Sent: Tuesday, August 31, 2010 2:18 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] $template to create filename, ownership, and
>> other file-related questions
>>
>> On Mon, 30 Aug 2010, Mauricio Tavares wrote:
>>
>> > On Mon, Aug 30, 2010 at 7:02 PM, <david at lang.hm> wrote:
>> >> On Mon, 30 Aug 2010, Mauricio Tavares wrote:
>> >>
>> >>> On Mon, Aug 30, 2010 at 6:43 PM, <david at lang.hm> wrote:
>> >>>>
>> >>>> On Mon, 30 Aug 2010, Mauricio Tavares wrote:
>> >>>>
>> >>>>> In my ongoing quest to understand rsyslog, I have a few log
>> >>>>> file-related questions:
>> >>>>>
>> >>>>> 1) What does the "-" in
>> >>>>>
>> >>>>> news.err /var/log/news/news.err
>> >>>>> news.notice -/var/log/news/news.notice
>> >>>>>
>> >>>>> stand for? I probably passed through its explanation a few times but
>> >>>>> did not see it.
>> >>>>
>> >>>> actually, in rsyslog the - has no effect (and can even cause problems)
>> >>>>
>> >>> How could it cause problems?
>> >>
>> >> in sysklogd syslog.conf -@ip is valid, in rsyslog this isn't valid and
>> >> causes a problem. I don't remember if the problem is that rsyslog doesn't
>> >> send the logs, or that it has some other problem.
>> >>
>> > Ok. But would that be a problem if instead of being forwarded to
>> > another machine it is just being saved to a local file? I ask since
>> > the ubuntu config file for rsyslog only has entries to save to log
>> > file with and without the "-".
>>
>> In that case I believe that the '-' does nothing and causes no harm.
>
> What it does depends on startup switches (see v3 compatibility doc:
> http://www.rsyslog.com/doc/v3compatibility.html ) as well as config. By
> default, it does nothing (see v3 comp. doc to learn why this is good). With
> "$ActionFileEnableSync on" you can enable old-style behavior.

Very nice reading! I do not know how much I have digested yet but it
is pretty nice. Now, I will need to keep it as close to
backwards-compatibility mode as I can for now... at least until we
move out of syslog-ng and I can make sure all machines we want to
monitor can do rsyslog (I did find out sunfreeware has an rsyslog
package, which is very good to know).

>>
>> >>>> in other syslog implementations the - tells syslog that it doesn't have to
>> >>>> do a fsync after writing each message to disk, it can just keep writing
>> >>>> and let the OS buffer them and write them to disk.
>> >>>>
>> >>>> This is the default in rsyslog.
>> >>>>
>> >>> Now it makes sense. Thanks!
>> >>>
>> >>>>> 2) Let's say I want to generate dynamic file names. Based on the man
>> >>>>> page, I create the following template:
>> >>>>>
>> >>>>> $template AuthFile,"/var/log/auth/auth-%$YEAR%-%$MONTH%-%$DAY%.log"
>> >>>>>
>> >>>>> And apply it to, say, auth:
>> >>>>>
>> >>>>> # auth,authpriv.* /var/log/auth.log
>> >>>>> # auth,authpriv.* -?AuthFile
>> >>>>> auth,authpriv.* ?AuthFile
>> >>>>>
>> >>>>> What I noticed is that instead of the log file being owned by syslog:adm,
>> >>>>> it is owned by syslog:syslog. Did I miss anything?
>> >>>>
>> >>>> I believe that there are options to define what the file ownership is.
>> >>>>
>> >>> in /etc/rsyslog.conf I have
>> >>>
>> >>> #
>> >>> # Set the default permissions for all log files.
>> >>> #
>> >>> $FileOwner syslog
>> >>> $FileGroup adm
>> >>> $FileCreateMode 0640
>> >>> $DirCreateMode 0755
>> >>> $Umask 0022
>> >>> $PrivDropToUser syslog
>> >>> $PrivDropToGroup syslog
>> >>>
>> >>> If I tell it to write to /var/log/auth.log, rsyslog seems to honor
>> >>> $FileOwner and $FileGroup. But when I tell it to create a dynamic
>> >>> filename log file, it seems to be using the user:group it dropped to
>> >>> once it started, namely syslog:syslog:
>> >>
>> >> that makes sense, once it drops privileges it may not have the ability to
>> >> use different credentials.
>> >>
>> >> the privilege dropping feature of rsyslog was a quick-and-dirty
>> >> modification, there are many things that do not work with it because after
>> >> the privileges are dropped the process doesn't have the rights to do what
>> >> it's trying to do.
>> >>
>> > That said, in examples like
>> > http://wiki.rsyslog.com/index.php/DailyLogRotation, they are using
>> > dynamic filenames. I would think those examples reflect used
>> > configurations. Could it be they are older/newer examples, so that
>> > either the issue I am having did not exist or was solved? Or perhaps
>> > it is just me who did not set it up right.
>>
>> but that example says nothing about dropping privilege.
>>
>> There are a lot of things in rsyslog that work perfectly without dropping
>> privilege, but don't work once privileges have been dropped. Unfortunately
>> such things have not been documented as such (mostly they've been
>> identified as not working, questions are asked here or on the message
>> board and the response is very similar to what I posted, just with the
>> authority of the developers saying "yeah, that won't work with reduced
>> privileges")
>
> David is right on privilege drop. Most of these things are simply impossible
> after you have dropped privileges. I am not sure if this is the case in your
> scenario. Please remove the privilege drop for a test and let us know if the
> files then have proper user and group.
>

That seems to have done the trick:

raub@ubuntu1004-x64:/etc/rsyslog.d$ ls -lh /var/log/auth/
total 4.0K
-rw-r----- 1 syslog syslog   0 2010-08-30 17:33 auth-2010-08-30.log
-rw-r----- 1 syslog adm    135 2010-08-31 09:30 auth-2010-08-31.log
raub@ubuntu1004-x64:/etc/rsyslog.d$

Thanks!

Ok, I have yet another answer: the template I created,

$template AuthFile,"/var/log/auth/auth-%$YEAR%-%$MONTH%-%$DAY%.log"

is nice but I was wondering if there is a way to pass an argument to
it from the selector line. This way, I could do, say,

$template LogFile,"/var/log/$Moose/$Moose-%$YEAR%-%$MONTH%-%$DAY%.log"

and then pass the value of $Moose when calling that template

mail.info $Moose="mail", ?LogFile

I know the syntax is completely wrong but you can see where I am
getting at. Is there a way to do that?

> Rainer
>>
>> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>
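
The mismatch tracked down in this thread (a dynamic-filename action producing syslog:syslog files although $FileGroup is adm) expressed as a config check. This is an added example, not part of the original message or of rsyslog; the `audit` function and the sample text are constructed, and the check deliberately ignores directive ordering.

```python
import re

# Constructed sample built from the directives and action quoted in the thread.
SAMPLE_CONF = '''\
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$PrivDropToUser syslog
$PrivDropToGroup syslog
$template AuthFile,"/var/log/auth/auth-%$YEAR%-%$MONTH%-%$DAY%.log"
# auth,authpriv.* /var/log/auth.log
auth,authpriv.* ?AuthFile
news.notice -/var/log/news/news.notice
'''

TEMPLATE = re.compile(r'^\$template\s+(\w+),"([^"]*)"', re.I)
DIRECTIVE = re.compile(r'^\$(\w+)\s+(\S+)\s*$')
DYNAFILE = re.compile(r'^(\S+)\s+-?\?(\w+)')  # selector, optional "-", ?TemplateName

def audit(conf_text):
    """Return (dynafile_actions, warnings) for legacy-format rsyslog config text."""
    settings, templates, dyn, warnings = {}, {}, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        if (m := TEMPLATE.match(line)):
            templates[m.group(1)] = m.group(2)
        elif (m := DIRECTIVE.match(line)):
            settings[m.group(1).lower()] = m.group(2)
        elif (m := DYNAFILE.match(line)):
            dyn.append((m.group(1), m.group(2)))
    # Files created after the drop can only get credentials the dropped process may assign.
    for wanted, dropped, what in (('fileowner', 'privdroptouser', 'owner'),
                                  ('filegroup', 'privdroptogroup', 'group')):
        w, d = settings.get(wanted), settings.get(dropped)
        if dyn and w and d and w != d:
            paths = ', '.join(templates.get(t, '?' + t) for _, t in dyn)
            warnings.append(f'{what}: ${wanted}={w} but process drops to {d}; '
                            f'check ownership of files from {paths}')
    return dyn, warnings

if __name__ == '__main__':
    for w in audit(SAMPLE_CONF)[1]:
        print('WARNING', w)
```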