From david at lang.hm Wed Feb 1 00:57:43 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 31 Jan 2012 15:57:43 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References:
Message-ID:

On Tue, 31 Jan 2012, Michael Maymann wrote:

> Hi,
>
> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> as root.
> I would like to run it as non-root user as my logfiles are located on NFS
> (and root export of NFS is generally not a good idea !).
>
> Here is my rsyslog.conf:
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> if $syslogfacility-text == 'mail' then ?DYNmaillog
> if $syslogfacility-text == 'cron' then ?DYNcron
> if $syslogseverity-text == 'crit' then ?DYNspooler
> if $syslogfacility-text == 'local7' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>
> Here is my logfile when I try to start rsyslog as a non-root user:
> 2012-01-31T15:45:52.997693+02:00 rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> 2012-01-31T15:45:52.997294+02:00 rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997369+02:00 rsyslogd: bind: Permission denied
> 2012-01-31T15:45:52.997374+02:00 rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> 2012-01-31T15:45:52.997376+02:00 rsyslogd: imudp: no listeners could be started, input not activated.
> 2012-01-31T15:45:52.997379+02:00 rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> 2012-01-31T15:45:52.997643+02:00 rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>
> So permissions to bind and sockets seems to be the problem...

yes, you cannot bind to ports <1024 as a normal user (without making some
other non-standard changes through sysctl)

> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> yes: how ?

permission drop features

> 2a. Is it possible to add permissions for non-root user to run rsyslog
> server - if yes: how ?

pick a listening port > 1024 and it should work.

> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?

su can run a command as a different user.

although as Rainer points out, you may just be looking for the permission
dropping features that are already in rsyslog.

David Lang

From michael at maymann.org Wed Feb 1 09:08:25 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 09:08:25 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References:
Message-ID:

Hi,

David: thanks - got it working with permission dropping, by far my preferred
configuration... just didn't know of it...:-) !
Rainer: please let us know if the debug info of the "permission dropping:
hang+timeout" I send you can solve anything... anyway it works now - but not
optimal if other people have to service my setup...:-) !

Thanks in advance :-) !
~maymann

2012/2/1

> On Tue, 31 Jan 2012, Michael Maymann wrote:
>
> Hi,
>>
>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>> as root.
>> I would like to run it as non-root user as my logfiles are located on NFS
>> (and root export of NFS is generally not a good idea !).
>>
>> Here is my rsyslog.conf:
>> #LOAD MODULES
>> $ModLoad imudp
>> $UDPServerRun 514
>> $UDPServerAddress 127.0.0.1
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>> #SET DESTINATION FOR LOGS
>> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>> #SET LOGGING CONDITIONS
>> if $syslogseverity <= '6' then ?DYNmessages
>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>> if $syslogfacility-text == 'cron' then ?DYNcron
>> if $syslogseverity-text == 'crit' then ?DYNspooler
>> if $syslogfacility-text == 'local7' then ?DYNboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>
>> Here is my logfile when I try to start rsyslog as a non-root user:
>> 2012-01-31T15:45:52.997693+02:00 rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>> 2012-01-31T15:45:52.997294+02:00 rsyslogd: bind: Permission denied
>> 2012-01-31T15:45:52.997369+02:00 rsyslogd: bind: Permission denied
>> 2012-01-31T15:45:52.997374+02:00 rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>> 2012-01-31T15:45:52.997376+02:00 rsyslogd: imudp: no listeners could be started, input not activated.
>> 2012-01-31T15:45:52.997379+02:00 rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>> 2012-01-31T15:45:52.997643+02:00 rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>
>> So permissions to bind and sockets seems to be the problem...
>>
>
> yes, you cannot bind to ports <1024 as a normal user (without making some
> other non-standard changes through sysctl)
>
>
> 1. Is it possible to make rsyslog write logfiles as a non-root user - if
>> yes: how ?
>>
>
> permission drop features
>
>
> 2a. Is it possible to add permissions for non-root user to run rsyslog
>> server - if yes: how ?
>>
>
> pick a listening port > 1024 and it should work.
>
>
> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>
>
> su can run a command as a different user.
>
> although as Rainer points out, you may just be looking for the permission
> dropping features that are already in rsyslog.
>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From michael at maymann.org Wed Feb 1 09:52:45 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 09:52:45 +0100
Subject: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
In-Reply-To:
References: <00d501ccd618$c744d54b$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728181F@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

%FROMHOST% seems to be using the hostname that the host reports
(not-always-FQDN), not what DNS reports (always FQDN).
What should I use to get the DNS_HOSTNAME...?

Br.
~maymann

2012/1/31 Michael Maymann

> Hi Rainer,
>
> just noticed the same - see new post...:-) !
> Thanks for your help.
>
> Br.
> ~maymann
>
>
>
> 2012/1/31 Rainer Gerhards
>
>> > -----Original Message-----
>> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> > bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>> > Sent: Friday, January 27, 2012 7:35 PM
>> > To: rsyslog-users
>> > Subject: Re: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
>> >
>> > the surest way to tell that the DNS cache is working is to look at traffic to your
>> > DNS server (or more precisely the lack of traffic to that host)
>>
>> I just checked the code. In the current v6-devel, the dns cache is always
>> active.
>>
>> Rainer
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>>
>
>

From michael at maymann.org Wed Feb 1 12:38:48 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 12:38:48 +0100
Subject: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
In-Reply-To:
References: <00d501ccd618$c744d54b$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728181F@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

I have now set:
$PreserveFQDN on

is this using forcing DNS or is it still just "host reported hostname"

Thanks in advance :-) !
~maymann

2012/2/1 Michael Maymann

> Hi,
>
> %FROMHOST% seems to be using the hostname that the host reports
> (not-always-FQDN), not what DNS reports (always FQDN).
> What should I use to get the DNS_HOSTNAME...?
>
> Br.
> ~maymann
>
>
> 2012/1/31 Michael Maymann
>
>> Hi Rainer,
>>
>> just noticed the same - see new post...:-) !
>> Thanks for your help.
>>
>> Br.
>> ~maymann
>>
>>
>>
>> 2012/1/31 Rainer Gerhards
>>
>>> > -----Original Message-----
>>> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>> > bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>>> > Sent: Friday, January 27, 2012 7:35 PM
>>> > To: rsyslog-users
>>> > Subject: Re: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
>>> >
>>> > the surest way to tell that the DNS cache is working is to look at traffic to your
>>> > DNS server (or more precisely the lack of traffic to that host)
>>>
>>> I just checked the code. In the current v6-devel, the dns cache is always
>>> active.
>>>
>>> Rainer
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>>
>>
>>
>

From michael at maymann.org Wed Feb 1 12:48:57 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 12:48:57 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
Message-ID:

Hi,

I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging to...

I would like to change this to the hosts IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP

But don't know the correct format... Anyone who can help ?

Thanks in advance :-) !
~maymann

From michael at maymann.org Wed Feb 1 14:53:50 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 14:53:50 +0100
Subject: [rsyslog] Timestamp wrong...?
Message-ID:

on my syslog client I have the following time:
# date && logger testing123
Wed Feb 1 14:42:02 CET 2012

what I get in my syslog server logs:
2012-02-01T14:42:02+02:00 root: testing123
Time on my syslog server:
date
Wed Feb 1 15:42:02 EET 2012

according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
calculations it should have been either:
2012-02-01T14:42:02+01:00 root: testing123 (if keeping client timestamp)
or
2012-02-01T15:42:02+02:00 root: testing123 (if keeping server timestamp)
or
2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC timestamp)

I would prefer client timestamp... Is this a bug or have I completely
misunderstood something... ?
How do I change to correct client timestamp ?

Thanks in advance :-) !
~maymann

From michael at maymann.org Wed Feb 1 16:24:27 2012
From: michael at maymann.org (Michael Maymann)
Date: Wed, 1 Feb 2012 16:24:27 +0100
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To:
References:
Message-ID:

Hi,

Perhaps actually UTC would be even better... as we can then directly match
events globally...:-) !
Anyone who know of a configuration that works...?

Thanks in advance :-) !
~maymann

2012/2/1 Michael Maymann

> on my syslog client I have the following time:
> # date && logger testing123
> Wed Feb 1 14:42:02 CET 2012
>
> what I get in my syslog server logs:
> 2012-02-01T14:42:02+02:00 root: testing123
> Time on my syslog server:
> date
> Wed Feb 1 15:42:02 EET 2012
>
> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> calculations it should have been either:
> 2012-02-01T14:42:02+01:00 root: testing123 (if keeping client timestamp)
> or
> 2012-02-01T15:42:02+02:00 root: testing123 (if keeping server timestamp)
> or
> 2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC timestamp)
>
> I would prefer client timestamp... Is this a bug or have I completely
> misunderstood something... ?
> How do I change to correct client timestamp ?
>
>
> Thanks in advance :-) !
> ~maymann
>

From david at lang.hm Wed Feb 1 19:50:05 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 1 Feb 2012 10:50:05 -0800 (PST)
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

On Wed, 1 Feb 2012, Michael Maymann wrote:

> Hi,
>
> I want to log information about hosts that are not logging with correct
> HOSTNAME.
> In my current setup, I get a dir "???" where these host(s) are logging to...
>
> I would like to change this to the hosts IP instead, something like:
> if %FROMHOST% == '???' then %FROMHOST% == %IP

rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to setup a different template and then if %fromhost% is
your special pattern you can log with this different template.

David Lang

From david at lang.hm Wed Feb 1 19:51:09 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 1 Feb 2012 10:51:09 -0800 (PST)
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

On Wed, 1 Feb 2012, Michael Maymann wrote:

> Hi,
>
> I want to log information about hosts that are not logging with correct
> HOSTNAME.
> In my current setup, I get a dir "???" where these host(s) are logging to...
>
> I would like to change this to the hosts IP instead, something like:
> if %FROMHOST% == '???' then %FROMHOST% == %IP

rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to setup a different template and then if %fromhost% is
your special pattern you can log with this different template.

David Lang

From david at lang.hm Wed Feb 1 21:39:43 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 1 Feb 2012 12:39:43 -0800 (PST)
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To:
References:
Message-ID:

On Wed, 1 Feb 2012, Michael Maymann wrote:

> on my syslog client I have the following time:
> # date && logger testing123
> Wed Feb 1 14:42:02 CET 2012
>
> what I get in my syslog server logs:
> 2012-02-01T14:42:02+02:00 root: testing123
> Time on my syslog server:
> date
> Wed Feb 1 15:42:02 EET 2012
>
> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> calculations it should have been either:
> 2012-02-01T14:42:02+01:00 root: testing123 (if keeping client timestamp)
> or
> 2012-02-01T15:42:02+02:00 root: testing123 (if keeping server timestamp)
> or
> 2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC timestamp)
>
> I would prefer client timestamp... Is this a bug or have I completely
> misunderstood something... ?
> How do I change to correct client timestamp ?

timereported is the time that the client put in the log (with whatever
precision and timezone that the client reported it in)

timegenerated is the timestamp that the server received the log (high
precision timestamp in the server's timezone)

$now is the time the log is being written

check and see what the clients are sending (writing a log from a
particular client using the format RSYSLOG_DEBUG is a wonderful
troubleshooting tool)

by default, the syslog format tries to keep the timestamp the client
provides.

I'm a huge proponent of running all production systems in GMT/UTC it
avoids a huge number of issues along the way.

David Lang

From david at lang.hm Thu Feb 2 02:51:19 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 1 Feb 2012 17:51:19 -0800 (PST)
Subject: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
In-Reply-To:
References: <00d501ccd618$c744d54b$100013ac@intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728181F@GRFEXC.intern.adiscon.com>
Message-ID:

HOSTNAME is the hostname that was in the message

FROMHOST-IP is the IP address that sent you the message (not necessarily
the machine the message originated from, NAT, syslog relays, etc will
change this)

FROMHOST is the name that rsyslog finds from doing a reverse lookup of
FROMHOST-IP

In at least some versions, if you start with the -x option to disable
reverse lookups FROMHOST contains the IP address and FROMHOST-IP doesn't
contain anything.

The older syslog RFCs said that the hostname should not be fully
qualified, and that is why the default is to strip the remainder of the
name.

As a side note, it's a really good idea to make your short hostnames
unique, this is only one of the places where having the same short
hostname on multiple boxes will cause grief. In most cases you can work
around the grief, but it's not that hard to make the hostnames unique.

David Lang

On Wed, 1 Feb 2012, Michael Maymann wrote:

> Hi,
>
> %FROMHOST% seems to be using the hostname that the host reports
> (not-always-FQDN), not what DNS reports (always FQDN).
> What should I use to get the DNS_HOSTNAME...?
>
> Br.
> ~maymann
>
> 2012/1/31 Michael Maymann
>
>> Hi Rainer,
>>
>> just noticed the same - see new post...:-) !
>> Thanks for your help.
>>
>> Br.
>> ~maymann
>>
>>
>>
>> 2012/1/31 Rainer Gerhards
>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>>>> Sent: Friday, January 27, 2012 7:35 PM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] Syslogging FQDN logfile/logdir howto/links/examples
>>>>
>>>> the surest way to tell that the DNS cache is working is to look at traffic to your
>>>> DNS server (or more precisely the lack of traffic to that host)
>>>
>>> I just checked the code. In the current v6-devel, the dns cache is always
>>> active.
>>>
>>> Rainer
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>>
>>
>>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Thu Feb 2 08:03:38 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 2 Feb 2012 08:03:38 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Wednesday, February 01, 2012 9:08 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> David: thanks - got it working with permission dropping, by far my preferred
> configuration... just didn't know of it...:-) !
> Rainer: please let us know if the debug info of the "permission dropping:
> hang+timeout" I send you can solve anything... anyway it works now - but
> not optimal if other people have to service my setup...:-) !

I have reviewed the debug log and I see nothing unexpected.
From the timestamps I also see that there is no hang whatsoever. So it looks
like there is some problem with the startup script, which I don't know. I
suggest to ask what the FAILED status is caused by. We can then look why this
happens.

Sorry I have no better answer...
Rainer

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/1
>
> > On Tue, 31 Jan 2012, Michael Maymann wrote:
> >
> > Hi,
> >>
> >> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> >> as root.
> >> I would like to run it as non-root user as my logfiles are located on NFS
> >> (and root export of NFS is generally not a good idea !).
> >>
> >> Here is my rsyslog.conf:
> >> #LOAD MODULES
> >> $ModLoad imudp
> >> $UDPServerRun 514
> >> $UDPServerAddress 127.0.0.1
> >> $ModLoad imtcp
> >> $InputTCPServerRun 514
> >> #SET DESTINATION FOR LOGS
> >> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >> #SET LOGGING CONDITIONS
> >> if $syslogseverity <= '6' then ?DYNmessages
> >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> >> if $syslogfacility-text == 'cron' then ?DYNcron
> >> if $syslogseverity-text == 'crit' then ?DYNspooler
> >> if $syslogfacility-text == 'local7' then ?DYNboot
> >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> >>
> >> Here is my logfile when I try to start rsyslog as a non-root user:
> >> 2012-01-31T15:45:52.997693+02:00 rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> >> 2012-01-31T15:45:52.997294+02:00 rsyslogd: bind: Permission denied
> >> 2012-01-31T15:45:52.997369+02:00 rsyslogd: bind: Permission denied
> >> 2012-01-31T15:45:52.997374+02:00 rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> >> 2012-01-31T15:45:52.997376+02:00 rsyslogd: imudp: no listeners could be started, input not activated.
> >> 2012-01-31T15:45:52.997379+02:00 rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> >> 2012-01-31T15:45:52.997643+02:00 rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> >>
> >> So permissions to bind and sockets seems to be the problem...
> >>
> >
> > yes, you cannot bind to ports <1024 as a normal user (without making some
> > other non-standard changes through sysctl)
> >
> >
> > 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> >> yes: how ?
> >>
> >
> > permission drop features
> >
> >
> > 2a. Is it possible to add permissions for non-root user to run rsyslog
> >> server - if yes: how ?
> >>
> >
> > pick a listening port > 1024 and it should work.
> >
> >
> > 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> >>
> >
> > su can run a command as a different user.
> >
> > although as Rainer points out, you may just be looking for the permission
> > dropping features that are already in rsyslog.
> >
> > David Lang
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From michael at maymann.org Thu Feb 2 09:48:35 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 09:48:35 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

Hi,

David: thanks for your reply...

Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup
$PrivDropToUser
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027
#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514
#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
[ OK ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how is
this done...

Thanks in advance :-) !
~maymann

2012/2/1

> On Wed, 1 Feb 2012, Michael Maymann wrote:
>
> Hi,
>>
>> I want to log information about hosts that are not logging with correct
>> HOSTNAME.
>> In my current setup, I get a dir "???" where these host(s) are logging
>> to...
>>
>> I would like to change this to the hosts IP instead, something like:
>> if %FROMHOST% == '???'
>> then %FROMHOST% == %IP
>>
>
> rsyslog cannot do what you are asking. It can't assign a value to a
> property.
>
> what you can do is to setup a different template and then if %fromhost% is
> your special pattern you can log with this different template.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From michael at maymann.org Thu Feb 2 10:03:05 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 10:03:05 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com>
Message-ID:

Here is my startup script... only thing changed is the path to the new
6.3.6-rsyslog-devel binary.
The startup script also works perfectly when I comment out the
PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
both or one of the entries...:

#!/bin/bash
#
# rsyslog Starts rsyslogd/rklogd.
#
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files. It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
# among others, MySQL, syslog/tcp, RFC 3195, permitted
# sender lists, filtering on any message part, and fine
# grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslogd
#exec=/sbin/rsyslogd
exec=/usr/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

start() {
    [ -x $exec ] || exit 5

    # Source config
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    fi
    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}
stop() {
    echo -n $"Shutting down system logger: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}
reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
    status -p "${PIDFILE}" $prog
}
restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac

exit $?

2012/2/2 Rainer Gerhards

>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Wednesday, February 01, 2012 9:08 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog as non-root user
> >
> > Hi,
> >
> > David: thanks - got it working with permission dropping, by far my preferred
> > configuration... just didn't know of it...:-) !
> > Rainer: please let us know if the debug info of the "permission dropping:
> > hang+timeout" I send you can solve anything... anyway it works now - but
> > not optimal if other people have to service my setup...:-) !
>
> I have reviewed the debug log and I see nothing unexpected.
> From the timestamps I also see that there is no hang whatsoever. So it looks
> like there is some problem with the startup script, which I don't know. I
> suggest to ask what the FAILED status is caused by. We can then look why this
> happens.
>
> Sorry I have no better answer...
> Rainer
>
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/2/1
> >
> > > On Tue, 31 Jan 2012, Michael Maymann wrote:
> > >
> > > Hi,
> > >>
> > >> I have now setup a 6.3.6-devel rsyslog server that is working fine running
> > >> as root.
> > >> I would like to run it as non-root user as my logfiles are located on NFS
> > >> (and root export of NFS is generally not a good idea !).
> > >>
> > >> Here is my rsyslog.conf:
> > >> #LOAD MODULES
> > >> $ModLoad imudp
> > >> $UDPServerRun 514
> > >> $UDPServerAddress 127.0.0.1
> > >> $ModLoad imtcp
> > >> $InputTCPServerRun 514
> > >> #SET DESTINATION FOR LOGS
> > >> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >> #SET LOGGING CONDITIONS
> > >> if $syslogseverity <= '6' then ?DYNmessages
> > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure
> > >> if $syslogfacility-text == 'mail' then ?DYNmaillog
> > >> if $syslogfacility-text == 'cron' then ?DYNcron
> > >> if $syslogseverity-text == 'crit' then ?DYNspooler
> > >> if $syslogfacility-text == 'local7' then ?DYNboot
> > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
> > >>
> > >> Here is my logfile when I try to start rsyslog as a non-root user:
> > >> 2012-01-31T15:45:52.997693+02:00 rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
> > >> 2012-01-31T15:45:52.997294+02:00 rsyslogd: bind: Permission denied
> > >> 2012-01-31T15:45:52.997369+02:00 rsyslogd: bind: Permission denied
> > >> 2012-01-31T15:45:52.997374+02:00 rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
> > >> 2012-01-31T15:45:52.997376+02:00 rsyslogd: imudp: no listeners could be started, input not activated.
> > >> 2012-01-31T15:45:52.997379+02:00 rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
> > >> 2012-01-31T15:45:52.997643+02:00 rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
> > >>
> > >> So permissions to bind and sockets seems to be the problem...
> > >>
> > >
> > > yes, you cannot bind to ports <1024 as a normal user (without making some
> > > other non-standard changes through sysctl)
> > >
> > >
> > > 1. Is it possible to make rsyslog write logfiles as a non-root user - if
> > >> yes: how ?
> > >>
> > >
> > > permission drop features
> > >
> > >
> > > 2a. Is it possible to add permissions for non-root user to run rsyslog
> > >> server - if yes: how ?
> > >>
> > >
> > > pick a listening port > 1024 and it should work.
> > >
> > >
> > > 2b. How do I start rsyslog during boot as non-root user - can chkconfig do
> > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
> > >>
> > >
> > > su can run a command as a different user.
> > >
> > > although as Rainer points out, you may just be looking for the permission
> > > dropping features that are already in rsyslog.
> > >
> > > David Lang
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Thu Feb 2 10:06:26 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 2 Feb 2012 10:06:26 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>

I can only help you with that part if you point me to why exactly the script
claims what it does. So you may want to try find someone who can do that. I
know this is probably a trivial question, but I don't know anything ;)

Sry, rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 10:03 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Here is my startup script... only thing changed is the path to the new
> 6.3.6-rsyslog-devel binary.
> The startup script also works perfectly when I comment out the
> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
> both or one of the entries...:
> #!/bin/bash
> #
> # rsyslog Starts rsyslogd/rklogd.
> # > # > # chkconfig: 2345 12 88 > # description: Syslog is the facility by which many daemons use to log > \ > # messages to various system log files. It is a good idea to always \ > # run rsyslog. > ### BEGIN INIT INFO > # Provides: $syslog > # Required-Start: $local_fs > # Required-Stop: $local_fs > # Default-Start: 2 3 4 5 > # Default-Stop: 0 1 6 > # Short-Description: Enhanced system logging and kernel message > trapping > daemons > # Description: Rsyslog is an enhanced multi-threaded syslogd > supporting, > # among others, MySQL, syslog/tcp, RFC 3195, permitted > # sender lists, filtering on any message part, and fine > # grain output format control. > ### END INIT INFO > > # Source function library. > . /etc/init.d/functions > > RETVAL=0 > PIDFILE=/var/run/syslogd.pid > > prog=rsyslogd > #exec=/sbin/rsyslogd > exec=/usr/sbin/rsyslogd > lockfile=/var/lock/subsys/$prog > > start() { > [ -x $exec ] || exit 5 > > # Source config > if [ -f /etc/sysconfig/rsyslog ] ; then > . /etc/sysconfig/rsyslog > fi > umask 077 > > echo -n $"Starting system logger: " > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch $lockfile > return $RETVAL > } > stop() { > echo -n $"Shutting down system logger: " > killproc $prog > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && rm -f $lockfile > return $RETVAL > } > reload() { > RETVAL=1 > syslog=$(cat "${PIDFILE}" 2>/dev/null) > echo -n "Reloading system logger..." > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > kill -HUP "$syslog"; > RETVAL=$? 
> fi > if [ $RETVAL -ne 0 ]; then > failure > else > success > fi > echo > return $RETVAL > } > rhstatus() { > status -p "${PIDFILE}" $prog > } > restart() { > stop > start > } > > case "$1" in > start) > start > ;; > stop) > stop > ;; > restart) > restart > ;; > reload|force-reload) > reload > ;; > status) > rhstatus > ;; > condrestart|try-restart) > rhstatus >/dev/null 2>&1 || exit 0 > restart > ;; > *) > echo $"Usage: $0 > {start|stop|restart|condrestart|try-restart|reload|force- > reload|status}" > exit 2 > esac > > exit $? > > 2012/2/2 Rainer Gerhards > > > > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > > Sent: Wednesday, February 01, 2012 9:08 AM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] rsyslog as non-root user > > > > > > Hi, > > > > > > David: thanks - got it working with permission dropping, by far my > > > prefered > > > configuration... just didn't know of it...:-) ! > > > Rainer: please let us know if the debug info of the "permission > > > dropping: > > > hang+timeout" I send you can solve anything... anyway it works now > - > > > but > > > not optimal if other people have to service my setup...:-) ! > > > > I have reviewed the debug log and I see nothing unexpected. From the > > timestamps I also see that there is no hang whatsoever. So it looks > like > > there is some problem with the startup script, which I don't know. I > > suggest > > to ask what the FAILED status is caused by. We can then look why this > > happens. > > > > Sorry I have no better answer... > > Rainer > > > > > > > > Thanks in advance :-) ! > > > ~maymann > > > > > > 2012/2/1 > > > > > > > On Tue, 31 Jan 2012, Michael Maymann wrote: > > > > > > > > Hi, > > > >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is working > fine > > > running > > > >> as root. 
> > > >> I would like to run it as non-root user as my logfiles are > located > > > on NFS > > > >> (and root export of NFS is generally not a good idea !). > > > >> > > > >> Here is my rsyslog.conf: > > > >> #LOAD MODULES > > > >> $ModLoad imudp > > > >> $UDPServerRun 514 > > > >> $UDPServerAddress 127.0.0.1 > > > >> $ModLoad imtcp > > > >> $InputTCPServerRun 514 > > > >> #SET DESTINATION FOR LOGS > > > >> $template > > > >> DYNmessages,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > > > >> $MONTH%_messages" > > > >> $template > > > >> > > > > DYNsecure,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_secure" > > > >> $template > > > >> > > > > DYNmaillog,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_maillo > > > g" > > > >> $template > > > DYNcron,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_** > > > >> cron" > > > >> $template > > > >> > > > > DYNspooler,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_spoole > > > r" > > > >> $template > > > >> > > > > DYNboot,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_**boot.log" > > > >> $template > > > DYNtraps,"/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MONTH%_** > > > >> traps" > > > >> #SET LOGGING CONDITIONS > > > >> if $syslogseverity <= '6' then ?DYNmessages > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog > > > >> if $syslogfacility-text == 'cron' then ?DYNcron > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler > > > >> if $syslogfacility-text == 'local7' then ?DYNboot > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == > > > 'WARNING' > > > >> then ?DYNtraps > > > >> > > > >> Here is my logfile when I try to start rsyslog as a non-root > user: > > > >> 2012-01-31T15:45:52.997693+02:**00 rsyslogd: [origin > > > >> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" > > > >> http://www.rsyslog.com"] start > > > >> 2012-01-31T15:45:52.997294+02:**00 rsyslogd: bind: > > > Permission > > > >> denied > > > >> 
2012-01-31T15:45:52.997369+02:**00 rsyslogd: bind: > > > Permission > > > >> denied > > > >> 2012-01-31T15:45:52.997374+02:**00 rsyslogd: No UDP > > > listen > > > >> socket > > > >> could successfully be initialized, message reception via UDP > > > disabled. > > > >> 2012-01-31T15:45:52.997376+02:**00 rsyslogd: imudp: > no > > > >> listeners > > > >> could be started, input not activated. > > > >> 2012-01-31T15:45:52.997379+02:**00 rsyslogd3: > activation > > > of > > > >> module > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ] > > > >> 2012-01-31T15:45:52.997643+02:**00 rsyslogd-2077: > Could > > > not > > > >> create > > > >> tcp listener, ignoring port 514. [try > http://www.rsyslog.com/e/2077 > > > ] > > > >> > > > >> So permissions to bind and sockets seems to be the problem... > > > >> > > > > > > > > yes, you cannot bind to ports <1024 as a normal user (without > making > > > some > > > > other non-standard changes through sysctl) > > > > > > > > > > > > 1. Is it possible to make rsyslog write logfiles as a non-root > user > > > - if > > > >> yes: how ? > > > >> > > > > > > > > permission drop features > > > > > > > > > > > > 2a. Is it possible to add permissions for non-root user to run > > > rsyslog > > > >> server - if yes: how ? > > > >> > > > > > > > > pick a listening port > 1024 and it should work. > > > > > > > > > > > > 2b. How do I start rsyslog during boot as non-root user - can > > > chkconfig do > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? > > > >> > > > > > > > > su can run a command as a different user. > > > > > > > > although as Rainer points out, you may just be looking for the > > > permission > > > > dropping features that are already in rsyslog. 
> > > > > > > > David Lang > > > > > > > > ______________________________**_________________ > > > > rsyslog mailing list > > > > > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > > http://www.rsyslog.com/**professional- > > > services/ > > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ From michael at maymann.org Thu Feb 2 10:39:52 2012 From: michael at maymann.org (Michael Maymann) Date: Thu, 2 Feb 2012 10:39:52 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> Message-ID: Hi, Rainer: Sorry... forgot to mention that it doesn't say anything about failing in the logs... and it actually doesn't fail... it works and after the timeout+failed notice only the proccess owned by PrivDropToUser-USER is present, but now owned by the init-proccess (mother proccess dies): # service rsyslog start Starting system logger: [FAILED] BEFORE failed status: root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6 AFTER failed status root-owned proccess is killed and PrivDropToUser-USER owned proccess is therefore gets owned by init: 9131 1 0 11:07 ? 
00:00:00 /usr/sbin/rsyslogd -c 6 Anyone who can help with this...?: here is the debug output when starting running the init-script: #/etc/init.d/rsyslog start + . /etc/init.d/functions ++ TEXTDOMAIN=initscripts ++ umask 022 ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin ++ export PATH ++ '[' -z '' ']' ++ COLUMNS=80 ++ '[' -z '' ']' +++ /sbin/consoletype ++ CONSOLETYPE=pty ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' ++ . /etc/profile.d/lang.sh ++ unset LANGSH_SOURCED ++ '[' -z '' ']' ++ '[' -f /etc/sysconfig/init ']' ++ . /etc/sysconfig/init +++ BOOTUP=color +++ RES_COL=60 +++ MOVE_TO_COL='echo -en \033[60G' +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' +++ SETCOLOR_FAILURE='echo -en \033[0;31m' +++ SETCOLOR_WARNING='echo -en \033[0;33m' +++ SETCOLOR_NORMAL='echo -en \033[0;39m' +++ PROMPT=yes +++ AUTOSWAP=no +++ ACTIVE_CONSOLES='/dev/tty[1-6]' +++ SINGLE=/sbin/sushell ++ '[' pty = serial ']' ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d' + RETVAL=0 + PIDFILE=/var/run/syslogd.pid + prog=rsyslogd + exec=/usr/sbin/rsyslogd + lockfile=/var/lock/subsys/rsyslogd + case "$1" in + start + '[' -x /usr/sbin/rsyslogd ']' + '[' -f /etc/sysconfig/rsyslog ']' + . 
/etc/sysconfig/rsyslog ++ SYSLOGD_OPTIONS='-c 6' + umask 077 + echo -n 'Starting system logger: ' Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6 + local gotbase= force= nicelevel corelimit + local pid base= user= nice= bg= pid_file= + local cgroup= + nicelevel=0 + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']' + case $1 in + pid_file=/var/run/syslogd.pid + shift + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' + '[' -z '' ']' + base=rsyslogd + __pids_var_run rsyslogd /var/run/syslogd.pid + local base=rsyslogd + local pid_file=/var/run/syslogd.pid + pid= + '[' -f /var/run/syslogd.pid ']' + return 3 + '[' -n '' -a -z '' ']' + corelimit='ulimit -S -c 0' + '[' -n '' ']' + '[' -n '' ']' + '[' color = verbose -a -z '' ']' + '[' -z '' ']' + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6' ... (hangs here for a long time) ... + '[' 1 -eq 0 ']' + failure 'rsyslogd startup' + local rc=1 + '[' color '!=' verbose -a -z '' ']' + echo_failure + '[' color = color ']' + echo -en '\033[60G' + echo -n '[' [+ '[' color = color ']' + echo -en '\033[0;31m' + echo -n FAILED FAILED+ '[' color = color ']' + echo -en '\033[0;39m' + echo -n ']' ]+ echo -ne '\r' + return 1 + '[' -x /usr/bin/plymouth ']' + /usr/bin/plymouth --details + return 1 + RETVAL=1 + echo + '[' 1 -eq 0 ']' + return 1 + exit 1 I have tried to give 777-access to /var/run and /var/lock/subsys - but same thing happens... Thanks in advance :-) ! Br. ~maymann 2012/2/2 Rainer Gerhards > I can only help you with that part if you point me to why exactly the > script > claims what it does. So you may want to try find someone who can do that. 
I > know this is probably a trivial question, but I don't know anything ;) > > Sry, rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > Sent: Thursday, February 02, 2012 10:03 AM > > To: rsyslog-users > > Subject: Re: [rsyslog] rsyslog as non-root user > > > > Here is my startup script... only thing changed is the path to the new > > 6.3.6-rsyslog-devel binary. > > The startup-scripts works also perfectly when i comment out the > > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if i > > have > > both or one of the entries...: > > #!/bin/bash > > # > > # rsyslog Starts rsyslogd/rklogd. > > # > > # > > # chkconfig: 2345 12 88 > > # description: Syslog is the facility by which many daemons use to log > > \ > > # messages to various system log files. It is a good idea to always \ > > # run rsyslog. > > ### BEGIN INIT INFO > > # Provides: $syslog > > # Required-Start: $local_fs > > # Required-Stop: $local_fs > > # Default-Start: 2 3 4 5 > > # Default-Stop: 0 1 6 > > # Short-Description: Enhanced system logging and kernel message > > trapping > > daemons > > # Description: Rsyslog is an enhanced multi-threaded syslogd > > supporting, > > # among others, MySQL, syslog/tcp, RFC 3195, permitted > > # sender lists, filtering on any message part, and fine > > # grain output format control. > > ### END INIT INFO > > > > # Source function library. > > . /etc/init.d/functions > > > > RETVAL=0 > > PIDFILE=/var/run/syslogd.pid > > > > prog=rsyslogd > > #exec=/sbin/rsyslogd > > exec=/usr/sbin/rsyslogd > > lockfile=/var/lock/subsys/$prog > > > > start() { > > [ -x $exec ] || exit 5 > > > > # Source config > > if [ -f /etc/sysconfig/rsyslog ] ; then > > . /etc/sysconfig/rsyslog > > fi > > umask 077 > > > > echo -n $"Starting system logger: " > > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS > > RETVAL=$? 
> > echo > > [ $RETVAL -eq 0 ] && touch $lockfile > > return $RETVAL > > } > > stop() { > > echo -n $"Shutting down system logger: " > > killproc $prog > > RETVAL=$? > > echo > > [ $RETVAL -eq 0 ] && rm -f $lockfile > > return $RETVAL > > } > > reload() { > > RETVAL=1 > > syslog=$(cat "${PIDFILE}" 2>/dev/null) > > echo -n "Reloading system logger..." > > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > > kill -HUP "$syslog"; > > RETVAL=$? > > fi > > if [ $RETVAL -ne 0 ]; then > > failure > > else > > success > > fi > > echo > > return $RETVAL > > } > > rhstatus() { > > status -p "${PIDFILE}" $prog > > } > > restart() { > > stop > > start > > } > > > > case "$1" in > > start) > > start > > ;; > > stop) > > stop > > ;; > > restart) > > restart > > ;; > > reload|force-reload) > > reload > > ;; > > status) > > rhstatus > > ;; > > condrestart|try-restart) > > rhstatus >/dev/null 2>&1 || exit 0 > > restart > > ;; > > *) > > echo $"Usage: $0 > > {start|stop|restart|condrestart|try-restart|reload|force- > > reload|status}" > > exit 2 > > esac > > > > exit $? > > > > 2012/2/2 Rainer Gerhards > > > > > > > > > > > > -----Original Message----- > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > > > Sent: Wednesday, February 01, 2012 9:08 AM > > > > To: rsyslog-users > > > > Subject: Re: [rsyslog] rsyslog as non-root user > > > > > > > > Hi, > > > > > > > > David: thanks - got it working with permission dropping, by far my > > > > prefered > > > > configuration... just didn't know of it...:-) ! > > > > Rainer: please let us know if the debug info of the "permission > > > > dropping: > > > > hang+timeout" I send you can solve anything... anyway it works now > > - > > > > but > > > > not optimal if other people have to service my setup...:-) ! > > > > > > I have reviewed the debug log and I see nothing unexpected. From the > > > timestamps I also see that there is no hang whatsoever. 
So it looks > > like > > > there is some problem with the startup script, which I don't know. I > > > suggest > > > to ask what the FAILED status is caused by. We can then look why this > > > happens. > > > > > > Sorry I have no better answer... > > > Rainer > > > > > > > > > > > Thanks in advance :-) ! > > > > ~maymann > > > > > > > > 2012/2/1 > > > > > > > > > On Tue, 31 Jan 2012, Michael Maymann wrote: > > > > > > > > > > Hi, > > > > >> > > > > >> I have now setup a 6.3.6-devel rsyslog server that is working > > fine > > > > running > > > > >> as root. > > > > >> I would like to run it as non-root user as my logfiles are > > located > > > > on NFS > > > > >> (and root export of NFS is generally not a good idea !). > > > > >> > > > > >> Here is my rsyslog.conf: > > > > >> #LOAD MODULES > > > > >> $ModLoad imudp > > > > >> $UDPServerRun 514 > > > > >> $UDPServerAddress 127.0.0.1 > > > > >> $ModLoad imtcp > > > > >> $InputTCPServerRun 514 > > > > >> #SET DESTINATION FOR LOGS > > > > >> $template > > > > >> DYNmessages,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > > > > >> $MONTH%_messages" > > > > >> $template > > > > >> > > > > > > DYNsecure,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_secure" > > > > >> $template > > > > >> > > > > > > DYNmaillog,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_maillo > > > > g" > > > > >> $template > > > > DYNcron,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_** > > > > >> cron" > > > > >> $template > > > > >> > > > > > > DYNspooler,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_spoole > > > > r" > > > > >> $template > > > > >> > > > > > > DYNboot,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_**boot.log" > > > > >> $template > > > > DYNtraps,"/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MONTH%_** > > > > >> traps" > > > > >> #SET LOGGING CONDITIONS > > > > >> if $syslogseverity <= '6' then ?DYNmessages > > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure > > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog > > > > >> if 
$syslogfacility-text == 'cron' then ?DYNcron > > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler > > > > >> if $syslogfacility-text == 'local7' then ?DYNboot > > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == > > > > 'WARNING' > > > > >> then ?DYNtraps > > > > >> > > > > >> Here is my logfile when I try to start rsyslog as a non-root > > user: > > > > >> 2012-01-31T15:45:52.997693+02:**00 rsyslogd: [origin > > > > >> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" > > > > >> http://www.rsyslog.com"] start > > > > >> 2012-01-31T15:45:52.997294+02:**00 rsyslogd: bind: > > > > Permission > > > > >> denied > > > > >> 2012-01-31T15:45:52.997369+02:**00 rsyslogd: bind: > > > > Permission > > > > >> denied > > > > >> 2012-01-31T15:45:52.997374+02:**00 rsyslogd: No UDP > > > > listen > > > > >> socket > > > > >> could successfully be initialized, message reception via UDP > > > > disabled. > > > > >> 2012-01-31T15:45:52.997376+02:**00 rsyslogd: imudp: > > no > > > > >> listeners > > > > >> could be started, input not activated. > > > > >> 2012-01-31T15:45:52.997379+02:**00 rsyslogd3: > > activation > > > > of > > > > >> module > > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ] > > > > >> 2012-01-31T15:45:52.997643+02:**00 rsyslogd-2077: > > Could > > > > not > > > > >> create > > > > >> tcp listener, ignoring port 514. [try > > http://www.rsyslog.com/e/2077 > > > > ] > > > > >> > > > > >> So permissions to bind and sockets seems to be the problem... > > > > >> > > > > > > > > > > yes, you cannot bind to ports <1024 as a normal user (without > > making > > > > some > > > > > other non-standard changes through sysctl) > > > > > > > > > > > > > > > 1. Is it possible to make rsyslog write logfiles as a non-root > > user > > > > - if > > > > >> yes: how ? > > > > >> > > > > > > > > > > permission drop features > > > > > > > > > > > > > > > 2a. 
Is it possible to add permissions for non-root user to run > > > > rsyslog > > > > >> server - if yes: how ? > > > > >> > > > > > > > > > > pick a listening port > 1024 and it should work. > > > > > > > > > > > > > > > 2b. How do I start rsyslog during boot as non-root user - can > > > > chkconfig do > > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? > > > > >> > > > > > > > > > > su can run a command as a different user. > > > > > > > > > > although as Rainer points out, you may just be looking for the > > > > permission > > > > > dropping features that are already in rsyslog. > > > > > > > > > > David Lang > > > > > > > > > > ______________________________**_________________ > > > > > rsyslog mailing list > > > > > > > > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > > n.net/mailman/listinfo/rsyslog> > > > > > http://www.rsyslog.com/**professional- > > > > services/ > > > > > > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com/professional-services/ > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From michael at maymann.org Thu Feb 2 11:18:50 2012 From: michael at maymann.org (Michael Maymann) Date: Thu, 2 Feb 2012 11:18:50 +0100 Subject: [rsyslog] Timestamp wrong...? In-Reply-To: References: Message-ID: Hi, David: thanks for your reply...:-) ! 
here is my debug output:
# cat /tmp/example.log
6858.610057125:7f9222880700:
6858.610120821:7f9222880700:
6858.610134300:7f9222880700: ********************************************************************************
6858.610152250:7f9222880700: Switching debugging_on to true at 11:00:58
6858.610164681:7f9222880700: ********************************************************************************
6861.570630926:7f922086b700: main Q:Reg/w0: inactivity timeout, worker terminating...
6861.570684356:7f922086b700: main Q:Reg/w0: receiving command 1
6861.570698744:7f922086b700: main Q:Reg/w0: worker terminating
6861.570713062:7f922086b700: main Q:Reg: Worker thread 7f922439d740, terminated, num workers now 0
6868.949626982:7f9217fff700: Message from UNIX socket: #4
6868.949710093:7f9217fff700: logmsg: flags 4, from '', msg Feb 2 11:01:08 root: testing123
6868.949723782:7f9217fff700: Message has legacy syslog format.
6868.949742988:7f9217fff700: main Q: entry added, size now 1 entries
6868.949760658:7f9217fff700: wtpAdviseMaxWorkers signals busy
6868.949781261:7f9217fff700: main Q: EnqueueMsg advised worker start
6868.949801655:7f9217fff700: --------imuxsock calling select, active file descriptors (max 4): 4
6868.949850125:7f922086b700: main Q: entry deleted, state 0, size now 0 entries
6868.949878271:7f9217fff700:
6868.949902785:7f922086b700: testing filter, f_pmask 255
6868.949923039:7f922086b700: Called action, logging to builtin-fwd
6868.949948112:7f922086b700:
6868.949961661:7f922086b700: :514/tcp
6868.950006500:7f922086b700: TCP sent 46 bytes, requested 46
6868.950021306:7f922086b700: testing filter, f_pmask 127
6868.950036741:7f922086b700: Called action, logging to builtin-file
6868.950054830:7f922086b700: file to log to: /var/log/messages
6868.950068309:7f922086b700: doWrite, pData->pStrm 0x7f9224384660, lenBuf 59
6868.950084163:7f922086b700: strm 0x7f9224384660: file 7(messages) flush, buflen 59
6868.950131027:7f922086b700: strm 0x7f9224384660: file 7 write wrote 59 bytes
6868.950148138:7f922086b700: testing filter, f_pmask 0
6868.950160639:7f922086b700: testing filter, f_pmask 0
6868.950173420:7f922086b700: testing filter, f_pmask 0
6868.950185642:7f922086b700: testing filter, f_pmask 1
6868.950198004:7f922086b700: testing filter, f_pmask 0
6868.950210227:7f922086b700: testing filter, f_pmask 0
6868.950223915:7f922086b700: main Q:Reg/w0: worker IDLE, waiting for work.
6928.950336176:7f922086b700: main Q:Reg/w0: inactivity timeout, worker terminating...
6928.950385417:7f922086b700: main Q:Reg/w0: receiving command 1
6928.950401831:7f922086b700: main Q:Reg/w0: worker terminating
6928.950419293:7f922086b700: main Q:Reg: Worker thread 7f922439d740, terminated, num workers now 0

Here is the entry on the syslogclient:
2012-02-02T11:01:08.949694+01:00 root: testing123

Here is the same entry on the syslogserver:
2012-02-02T11:01:08+02:00 root: testing123

It seems the server entry gets +... is this really right... ?
Can this be changed to one of the following:
1. +00:00
2. +
3. +

Here is my clients /etc/rsyslog.conf:
$ModLoad imtcp
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
*.* @@:514
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.*


Thanks in advance :-) !
~maymann

2012/2/1

> On Wed, 1 Feb 2012, Michael Maymann wrote:
>
> on my syslog client i have the following time:
>> # date && logger testing123
>> Wed Feb 1 14:42:02 CET 2012
>>
>> what get in my syslog server logs:
>> 2012-02-01T14:42:02+02:00 root: testing123
>> Time on my syslog server:
>> date
>> Wed Feb 1 15:42:02 EET 2012
>>
>> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
>> calculations it should have been either:
>> 2012-02-01T14:42:02+01:00 root: testing123 (if keeping client
>> timestamp)
>> or
>> 2012-02-01T15:42:02+02:00 root: testing123 (if keeping server
>> timestamp)
>> or
>> 2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC
>> timestamp)
>>
>> I would prefer client timestamp... Is this a bug or have I completely
>> misunderstood something... ?
>> How do I change to correct client timestamp ?
>>
>
> timereported is the time that the client put in the log (with whatever
> precision and timezone that the client reported it in)
>
> timegenerated is the timestamp that the server received the log (high
> precision timestamp in the server's timezone)
>
> $now is the time the log is being written
>
> check and see what the clients are sending (writing a log from a
> particular client using the format RSYSLOG_DEBUG is a wonderful
> troubleshooting tool)
>
> by default, the syslog format tries to keep the timestamp the client
> provides.
>
> I'm a huge proponent of running all production systems in GMT/UTC it
> avoids a huge number of issues along the way.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Thu Feb 2 11:28:37 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 2 Feb 2012 11:28:37 +0100
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To: References: Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281844@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Thursday, February 02, 2012 11:19 AM > To: rsyslog-users > Subject: Re: [rsyslog] Timestamp wrong...? > > Hi, > > David: thanks for your reply...:-) ! > here is my debug output: > # cat /tmp/example.log > 6858.610057125:7f9222880700: [snip] > 6868.949626982:7f9217fff700: Message from UNIX socket: #4 > 6868.949710093:7f9217fff700: logmsg: flags 4, from '', msg > Feb 2 > 11:01:08 root: testing123 [snip] > > Here is the entry on the syslogclient: > 2012-02-02T11:01:08.949694+01:00 root: testing123 Nope! see above: This is what you actually get from the client: Feb 2 11:01:08 root: testing123 I guess you have not enabled high-pecision forwarding on the client. It is disable by default for compatibility reasons (at least IIRC). There is a template named along the lines of RSYSLOG_ForwardFormat you need to apply (Again IIRC) rainer > > Here is the same entry on the syslogserver: > 2012-02-02T11:01:08+02:00 root: testing123 > > It seems the server entry gets +... is > this > really right... ? > Can this be changed to one of the following: > 1. +00:00 > 2. + > 3. + > > Here is my clients /etc/rsyslog.conf: > $ModLoad imtcp > $ModLoad imuxsock # provides support for local system logging > $ModLoad imklog # provides kernel logging support (previously done by > rklogd) > $ModLoad immark # provides --MARK-- message capability > *.* @@:514 > # Log all kernel messages to the console. > # Logging much else clutters up the screen. > #kern.* /dev/console > # Log anything (except mail) of level info or higher. > # Don't log private authentication messages! > *.info;mail.none;authpriv.none;cron.none > /var/log/messages > # The authpriv file has restricted access. 
> authpriv.* /var/log/secure
> # Log all the mail messages in one place.
> mail.* -
> /var/log/maillog
> # Log cron stuff
> cron.* /var/log/cron
> # Everybody gets emergency messages
> *.emerg *
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit
> /var/log/spooler
> # Save boot messages also to boot.log
> local7.*
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/1
>
> > On Wed, 1 Feb 2012, Michael Maymann wrote:
> >
> > on my syslog client I have the following time:
> >> # date && logger testing123
> >> Wed Feb 1 14:42:02 CET 2012
> >>
> >> what I get in my syslog server logs:
> >> 2012-02-01T14:42:02+02:00 root: testing123
> >> Time on my syslog server:
> >> date
> >> Wed Feb 1 15:42:02 EET 2012
> >>
> >> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> >> calculations it should have been either:
> >> 2012-02-01T14:42:02+01:00 root: testing123 (if keeping client
> >> timestamp)
> >> or
> >> 2012-02-01T15:42:02+02:00 root: testing123 (if keeping server
> >> timestamp)
> >> or
> >> 2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC
> >> timestamp)
> >>
> >> I would prefer client timestamp... Is this a bug or have I completely
> >> misunderstood something... ?
> >> How do I change to correct client timestamp ?
> >>
> >
> > timereported is the time that the client put in the log (with whatever
> > precision and timezone that the client reported it in)
> >
> > timegenerated is the timestamp that the server received the log (high
> > precision timestamp in the server's timezone)
> >
> > $now is the time the log is being written
> >
> > check and see what the clients are sending (writing a log from a
> > particular client using the format RSYSLOG_DEBUG is a wonderful
> > troubleshooting tool)
> >
> > by default, the syslog format tries to keep the timestamp the client
> > provides.
> >
> > I'm a huge proponent of running all production systems in GMT/UTC it
> > avoids a huge number of issues along the way.
> >
> > David Lang
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From michael at maymann.org Thu Feb 2 12:21:03 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 12:21:03 +0100
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281844@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA7281844@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

Rainer: thanks again...:-) !
$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat
added just after $ModLoad's on the client did the trick...

Client:
# date && logger testing123
Thu Feb 2 12:16:44 CET 2012

Server:
2012-02-02T12:16:44.307098+01:00 root: testing123

Case closed...

2012/2/2 Rainer Gerhards

> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Thursday, February 02, 2012 11:19 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Timestamp wrong...?
> >
> > Hi,
> >
> > David: thanks for your reply...:-) !
> > here is my debug output:
> > # cat /tmp/example.log
> > 6858.610057125:7f9222880700:
> [snip]
> > 6868.949626982:7f9217fff700: Message from UNIX socket: #4
> > 6868.949710093:7f9217fff700: logmsg: flags 4, from '', msg
> > Feb 2
> > 11:01:08 root: testing123
> [snip]
>
> >
> > Here is the entry on the syslogclient:
> > 2012-02-02T11:01:08.949694+01:00 root: testing123
>
> Nope! see above: This is what you actually get from the client:
> Feb 2 11:01:08 root: testing123
>
> I guess you have not enabled high-precision forwarding on the client. It is
> disabled by default for compatibility reasons (at least IIRC). There is a
> template named along the lines of RSYSLOG_ForwardFormat you need to apply
> (Again IIRC)
>
> rainer
> >
> > Here is the same entry on the syslogserver:
> > 2012-02-02T11:01:08+02:00 root: testing123
> >
> > It seems the server entry gets +... is
> > this
> > really right... ?
> > Can this be changed to one of the following:
> > 1. +00:00
> > 2. +
> > 3. +
> >
> > Here is my clients /etc/rsyslog.conf:
> > $ModLoad imtcp
> > $ModLoad imuxsock # provides support for local system logging
> > $ModLoad imklog # provides kernel logging support (previously done by
> > rklogd)
> > $ModLoad immark # provides --MARK-- message capability
> > *.* @@:514
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.* /dev/console
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > *.info;mail.none;authpriv.none;cron.none
> > /var/log/messages
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
> > # Log all the mail messages in one place.
> > mail.* -
> > /var/log/maillog
> > # Log cron stuff
> > cron.* /var/log/cron
> > # Everybody gets emergency messages
> > *.emerg *
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit
> > /var/log/spooler
> > # Save boot messages also to boot.log
> > local7.*
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> >
> > 2012/2/1
> >
> > > On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >
> > > on my syslog client I have the following time:
> > >> # date && logger testing123
> > >> Wed Feb 1 14:42:02 CET 2012
> > >>
> > >> what I get in my syslog server logs:
> > >> 2012-02-01T14:42:02+02:00 root: testing123
> > >> Time on my syslog server:
> > >> date
> > >> Wed Feb 1 15:42:02 EET 2012
> > >>
> > >> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> > >> calculations it should have been either:
> > >> 2012-02-01T14:42:02+01:00 root: testing123 (if keeping client
> > >> timestamp)
> > >> or
> > >> 2012-02-01T15:42:02+02:00 root: testing123 (if keeping server
> > >> timestamp)
> > >> or
> > >> 2012-02-01T13:42:02+00:00 root: testing123 (if keeping UTC
> > >> timestamp)
> > >>
> > >> I would prefer client timestamp... Is this a bug or have I completely
> > >> misunderstood something... ?
> > >> How do I change to correct client timestamp ?
> > >>
> > >
> > > timereported is the time that the client put in the log (with whatever
> > > precision and timezone that the client reported it in)
> > >
> > > timegenerated is the timestamp that the server received the log (high
> > > precision timestamp in the server's timezone)
> > >
> > > $now is the time the log is being written
> > >
> > > check and see what the clients are sending (writing a log from a
> > > particular client using the format RSYSLOG_DEBUG is a wonderful
> > > troubleshooting tool)
> > >
> > > by default, the syslog format tries to keep the timestamp the client
> > > provides.
> > >
> > > I'm a huge proponent of running all production systems in GMT/UTC it
> > > avoids a huge number of issues along the way.
> > >
> > > David Lang
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From michael at maymann.org Thu Feb 2 14:17:14 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 14:17:14 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

Hi,

got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup
$PrivDropToUser
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all create
??? dir+files...
What variable should I use to handle this properly ?

Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann

> Hi,
>
> David: thanks for your reply...
> Here is my new rsyslog.conf: > #SET PRIVILEGES > $PreserveFQDN on > $PrivDropToGroup > $PrivDropToUser > $DirCreateMode 0750 > $FileCreateMode 0640 > $UMASK 0027 > > #LOAD MODULES > $ModLoad imudp > $UDPServerRun 514 > $UDPServerAddress 127.0.0.1 > $ModLoad imtcp > $InputTCPServerRun 514 > > #SET DESTINATION FOR LOGS > $template > DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages" > $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure" > $template > DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog" > $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron" > $template > DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler" > $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log" > $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps" > > $template > DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages" > $template > DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure" > $template > DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog" > $template > DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron" > $template > DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler" > $template > DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log" > $template > DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps" > > #SET LOGGING CONDITIONS > if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages > if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then > ?DYNsecure > if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog > if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron > if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler > if $syslogfacility-text == 'local7' and %FROMHOST% != '???' 
then ?DYNboot > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' > and %FROMHOST% != '???' then ?DYNtraps > > if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages > if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then > ?DYNIPsecure > if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then > ?DYNIPmaillog > if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron > if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then > ?DYNIPspooler > if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' > and %FROMHOST% == '???' then ?DYNIPtraps > > but it fails...: > # service rsyslog start > Starting system logger: rsyslogd: run failed with error -2207 (see > rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number > means) > [ OK ] > > my guess is it is my %FROMHOST% == '???' - is this format correct or how > is this done... > > > Thanks in advance :-) ! > ~maymann > > > 2012/2/1 > > On Wed, 1 Feb 2012, Michael Maymann wrote: >> >> Hi, >>> >>> I want to log information about hosts that are not logging with correct >>> HOSTNAME. >>> In my current setup, I get a dir "???" where these host(s) are logging >>> to... >>> >>> I would like to change this to the hosts IP instead, something like: >>> if %FROMHOST% == '???' then %FROMHOST% == %IP >>> >> >> rsyslog cannot do what you are asking. It can't assign a value to a >> property. >> >> what you can do is to setup a different template and then if %fromhost% >> is your special pattern you can log with this different template. 
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>>
>
>

From michael at maymann.org Thu Feb 2 14:28:45 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 14:28:45 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi Rainer,

I really have my doubts it has something to do with my startup script:
1. I only changed the exec=/usr/sbin/rsyslogd from default
2. It works perfectly when PrivDropTo is not used in rsyslog.conf.

I'm running on RHEL6.1_x64.
Do you have a working /etc/init.d/rsyslog that you can share/I can test...?

Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann

> Hi,
>
> Rainer: Sorry... forgot to mention that it doesn't say anything about
> failing in the logs... and it actually doesn't fail... it works and after
> the timeout+failed notice only the process owned by PrivDropToUser-USER is
> present, but now owned by the init-process (mother process dies):
>
> # service rsyslog start
> Starting system logger: [FAILED]
>
> BEFORE failed status:
> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> 9131 9126 0 11:07 ? 00:00:00
> /usr/sbin/rsyslogd -c 6
>
> AFTER failed status root-owned process is killed and PrivDropToUser-USER
> owned process therefore gets owned by init:
> 9131 1 0 11:07 ? 00:00:00
> /usr/sbin/rsyslogd -c 6
>
> Anyone who can help with this...?:
> here is the debug output when starting running the init-script:
> #/etc/init.d/rsyslog start
> + .
/etc/init.d/functions > ++ TEXTDOMAIN=initscripts > ++ umask 022 > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin > ++ export PATH > ++ '[' -z '' ']' > ++ COLUMNS=80 > ++ '[' -z '' ']' > +++ /sbin/consoletype > ++ CONSOLETYPE=pty > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' > ++ . /etc/profile.d/lang.sh > ++ unset LANGSH_SOURCED > ++ '[' -z '' ']' > ++ '[' -f /etc/sysconfig/init ']' > ++ . /etc/sysconfig/init > +++ BOOTUP=color > +++ RES_COL=60 > +++ MOVE_TO_COL='echo -en \033[60G' > +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' > +++ SETCOLOR_FAILURE='echo -en \033[0;31m' > +++ SETCOLOR_WARNING='echo -en \033[0;33m' > +++ SETCOLOR_NORMAL='echo -en \033[0;39m' > +++ PROMPT=yes > +++ AUTOSWAP=no > +++ ACTIVE_CONSOLES='/dev/tty[1-6]' > +++ SINGLE=/sbin/sushell > ++ '[' pty = serial ']' > ++ > __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d' > + RETVAL=0 > + PIDFILE=/var/run/syslogd.pid > + prog=rsyslogd > + exec=/usr/sbin/rsyslogd > + lockfile=/var/lock/subsys/rsyslogd > + case "$1" in > + start > + '[' -x /usr/sbin/rsyslogd ']' > + '[' -f /etc/sysconfig/rsyslog ']' > + . 
/etc/sysconfig/rsyslog > ++ SYSLOGD_OPTIONS='-c 6' > + umask 077 > + echo -n 'Starting system logger: ' > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid > /usr/sbin/rsyslogd -c 6 > + local gotbase= force= nicelevel corelimit > + local pid base= user= nice= bg= pid_file= > + local cgroup= > + nicelevel=0 > + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']' > + case $1 in > + pid_file=/var/run/syslogd.pid > + shift > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' > + '[' -z '' ']' > + base=rsyslogd > + __pids_var_run rsyslogd /var/run/syslogd.pid > + local base=rsyslogd > + local pid_file=/var/run/syslogd.pid > + pid= > + '[' -f /var/run/syslogd.pid ']' > + return 3 > + '[' -n '' -a -z '' ']' > + corelimit='ulimit -S -c 0' > + '[' -n '' ']' > + '[' -n '' ']' > + '[' color = verbose -a -z '' ']' > + '[' -z '' ']' > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6' > ... > (hangs here for a long time) > ... > + '[' 1 -eq 0 ']' > + failure 'rsyslogd startup' > + local rc=1 > + '[' color '!=' verbose -a -z '' ']' > + echo_failure > + '[' color = color ']' > + echo -en '\033[60G' > + echo -n '[' > [+ '[' color = color ']' > + echo -en '\033[0;31m' > + echo -n FAILED > FAILED+ '[' color = color ']' > + echo -en '\033[0;39m' > + echo -n ']' > ]+ echo -ne '\r' > + return 1 > + '[' -x /usr/bin/plymouth ']' > + /usr/bin/plymouth --details > + return 1 > + RETVAL=1 > + echo > > + '[' 1 -eq 0 ']' > + return 1 > + exit 1 > > I have tried to give 777-access to /var/run and /var/lock/subsys - but > same thing happens... > > > > Thanks in advance :-) ! > > Br. > ~maymann > > > > 2012/2/2 Rainer Gerhards > >> I can only help you with that part if you point me to why exactly the >> script >> claims what it does. So you may want to try find someone who can do that. 
>> I >> know this is probably a trivial question, but I don't know anything ;) >> >> Sry, rainer >> >> > -----Original Message----- >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > Sent: Thursday, February 02, 2012 10:03 AM >> > To: rsyslog-users >> > Subject: Re: [rsyslog] rsyslog as non-root user >> > >> > Here is my startup script... only thing changed is the path to the new >> > 6.3.6-rsyslog-devel binary. >> > The startup-scripts works also perfectly when i comment out the >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if i >> > have >> > both or one of the entries...: >> > #!/bin/bash >> > # >> > # rsyslog Starts rsyslogd/rklogd. >> > # >> > # >> > # chkconfig: 2345 12 88 >> > # description: Syslog is the facility by which many daemons use to log >> > \ >> > # messages to various system log files. It is a good idea to always \ >> > # run rsyslog. >> > ### BEGIN INIT INFO >> > # Provides: $syslog >> > # Required-Start: $local_fs >> > # Required-Stop: $local_fs >> > # Default-Start: 2 3 4 5 >> > # Default-Stop: 0 1 6 >> > # Short-Description: Enhanced system logging and kernel message >> > trapping >> > daemons >> > # Description: Rsyslog is an enhanced multi-threaded syslogd >> > supporting, >> > # among others, MySQL, syslog/tcp, RFC 3195, permitted >> > # sender lists, filtering on any message part, and fine >> > # grain output format control. >> > ### END INIT INFO >> > >> > # Source function library. >> > . /etc/init.d/functions >> > >> > RETVAL=0 >> > PIDFILE=/var/run/syslogd.pid >> > >> > prog=rsyslogd >> > #exec=/sbin/rsyslogd >> > exec=/usr/sbin/rsyslogd >> > lockfile=/var/lock/subsys/$prog >> > >> > start() { >> > [ -x $exec ] || exit 5 >> > >> > # Source config >> > if [ -f /etc/sysconfig/rsyslog ] ; then >> > . 
/etc/sysconfig/rsyslog >> > fi >> > umask 077 >> > >> > echo -n $"Starting system logger: " >> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >> > RETVAL=$? >> > echo >> > [ $RETVAL -eq 0 ] && touch $lockfile >> > return $RETVAL >> > } >> > stop() { >> > echo -n $"Shutting down system logger: " >> > killproc $prog >> > RETVAL=$? >> > echo >> > [ $RETVAL -eq 0 ] && rm -f $lockfile >> > return $RETVAL >> > } >> > reload() { >> > RETVAL=1 >> > syslog=$(cat "${PIDFILE}" 2>/dev/null) >> > echo -n "Reloading system logger..." >> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >> > kill -HUP "$syslog"; >> > RETVAL=$? >> > fi >> > if [ $RETVAL -ne 0 ]; then >> > failure >> > else >> > success >> > fi >> > echo >> > return $RETVAL >> > } >> > rhstatus() { >> > status -p "${PIDFILE}" $prog >> > } >> > restart() { >> > stop >> > start >> > } >> > >> > case "$1" in >> > start) >> > start >> > ;; >> > stop) >> > stop >> > ;; >> > restart) >> > restart >> > ;; >> > reload|force-reload) >> > reload >> > ;; >> > status) >> > rhstatus >> > ;; >> > condrestart|try-restart) >> > rhstatus >/dev/null 2>&1 || exit 0 >> > restart >> > ;; >> > *) >> > echo $"Usage: $0 >> > {start|stop|restart|condrestart|try-restart|reload|force- >> > reload|status}" >> > exit 2 >> > esac >> > >> > exit $? >> > >> > 2012/2/2 Rainer Gerhards >> > >> > > >> > > >> > > > -----Original Message----- >> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > > > Sent: Wednesday, February 01, 2012 9:08 AM >> > > > To: rsyslog-users >> > > > Subject: Re: [rsyslog] rsyslog as non-root user >> > > > >> > > > Hi, >> > > > >> > > > David: thanks - got it working with permission dropping, by far my >> > > > prefered >> > > > configuration... just didn't know of it...:-) ! >> > > > Rainer: please let us know if the debug info of the "permission >> > > > dropping: >> > > > hang+timeout" I send you can solve anything... 
anyway it works now >> > - >> > > > but >> > > > not optimal if other people have to service my setup...:-) ! >> > > >> > > I have reviewed the debug log and I see nothing unexpected. From the >> > > timestamps I also see that there is no hang whatsoever. So it looks >> > like >> > > there is some problem with the startup script, which I don't know. I >> > > suggest >> > > to ask what the FAILED status is caused by. We can then look why this >> > > happens. >> > > >> > > Sorry I have no better answer... >> > > Rainer >> > > >> > > > >> > > > Thanks in advance :-) ! >> > > > ~maymann >> > > > >> > > > 2012/2/1 >> > > > >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote: >> > > > > >> > > > > Hi, >> > > > >> >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is working >> > fine >> > > > running >> > > > >> as root. >> > > > >> I would like to run it as non-root user as my logfiles are >> > located >> > > > on NFS >> > > > >> (and root export of NFS is generally not a good idea !). 
>> > > > >> >> > > > >> Here is my rsyslog.conf: >> > > > >> #LOAD MODULES >> > > > >> $ModLoad imudp >> > > > >> $UDPServerRun 514 >> > > > >> $UDPServerAddress 127.0.0.1 >> > > > >> $ModLoad imtcp >> > > > >> $InputTCPServerRun 514 >> > > > >> #SET DESTINATION FOR LOGS >> > > > >> $template >> > > > >> DYNmessages,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** >> > > > >> $MONTH%_messages" >> > > > >> $template >> > > > >> >> > > > >> > DYNsecure,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_secure" >> > > > >> $template >> > > > >> >> > > > >> > DYNmaillog,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_maillo >> > > > g" >> > > > >> $template >> > > > DYNcron,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_** >> > > > >> cron" >> > > > >> $template >> > > > >> >> > > > >> > DYNspooler,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**$MONTH%_spoole >> > > > r" >> > > > >> $template >> > > > >> >> > > > >> > DYNboot,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MONTH%_**boot.log" >> > > > >> $template >> > > > DYNtraps,"/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MONTH%_** >> > > > >> traps" >> > > > >> #SET LOGGING CONDITIONS >> > > > >> if $syslogseverity <= '6' then ?DYNmessages >> > > > >> if $syslogfacility-text == 'authpriv' then ?DYNsecure >> > > > >> if $syslogfacility-text == 'mail' then ?DYNmaillog >> > > > >> if $syslogfacility-text == 'cron' then ?DYNcron >> > > > >> if $syslogseverity-text == 'crit' then ?DYNspooler >> > > > >> if $syslogfacility-text == 'local7' then ?DYNboot >> > > > >> if $syslogfacility-text == 'local6' and $syslogseverity-text == >> > > > 'WARNING' >> > > > >> then ?DYNtraps >> > > > >> >> > > > >> Here is my logfile when I try to start rsyslog as a non-root >> > user: >> > > > >> 2012-01-31T15:45:52.997693+02:**00 rsyslogd: [origin >> > > > >> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >> > > > >> http://www.rsyslog.com"] start >> > > > >> 2012-01-31T15:45:52.997294+02:**00 rsyslogd: bind: >> > > > Permission >> > > > >> denied >> > > > >> 
2012-01-31T15:45:52.997369+02:**00 rsyslogd: bind: >> > > > Permission >> > > > >> denied >> > > > >> 2012-01-31T15:45:52.997374+02:**00 rsyslogd: No UDP >> > > > listen >> > > > >> socket >> > > > >> could successfully be initialized, message reception via UDP >> > > > disabled. >> > > > >> 2012-01-31T15:45:52.997376+02:**00 rsyslogd: imudp: >> > no >> > > > >> listeners >> > > > >> could be started, input not activated. >> > > > >> 2012-01-31T15:45:52.997379+02:**00 rsyslogd3: >> > activation >> > > > of >> > > > >> module >> > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ] >> > > > >> 2012-01-31T15:45:52.997643+02:**00 rsyslogd-2077: >> > Could >> > > > not >> > > > >> create >> > > > >> tcp listener, ignoring port 514. [try >> > http://www.rsyslog.com/e/2077 >> > > > ] >> > > > >> >> > > > >> So permissions to bind and sockets seems to be the problem... >> > > > >> >> > > > > >> > > > > yes, you cannot bind to ports <1024 as a normal user (without >> > making >> > > > some >> > > > > other non-standard changes through sysctl) >> > > > > >> > > > > >> > > > > 1. Is it possible to make rsyslog write logfiles as a non-root >> > user >> > > > - if >> > > > >> yes: how ? >> > > > >> >> > > > > >> > > > > permission drop features >> > > > > >> > > > > >> > > > > 2a. Is it possible to add permissions for non-root user to run >> > > > rsyslog >> > > > >> server - if yes: how ? >> > > > >> >> > > > > >> > > > > pick a listening port > 1024 and it should work. >> > > > > >> > > > > >> > > > > 2b. How do I start rsyslog during boot as non-root user - can >> > > > chkconfig do >> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >> > > > >> >> > > > > >> > > > > su can run a command as a different user. >> > > > > >> > > > > although as Rainer points out, you may just be looking for the >> > > > permission >> > > > > dropping features that are already in rsyslog. 
>> > > > > >> > > > > David Lang >> > > > > >> > > > > ______________________________**_________________ >> > > > > rsyslog mailing list >> > > > > >> > > > >> > http://lists.adiscon.net/**mailman/listinfo/rsyslog> > > > n.net/mailman/listinfo/rsyslog> >> > > > > http://www.rsyslog.com/**professional- >> > > > services/ >> > > > > >> > > > _______________________________________________ >> > > > rsyslog mailing list >> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > > > http://www.rsyslog.com/professional-services/ >> > > _______________________________________________ >> > > rsyslog mailing list >> > > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > > http://www.rsyslog.com/professional-services/ >> > > >> > _______________________________________________ >> > rsyslog mailing list >> > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > http://www.rsyslog.com/professional-services/ >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> > > From rgerhards at hq.adiscon.com Thu Feb 2 14:31:06 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 2 Feb 2012 14:31:06 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281846@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Thursday, February 02, 2012 2:29 PM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog as non-root user > > Hi Rainer, > > I really have my doubts it has something to do with my startup script: > 1. I only changed the exec=/usr/sbin/rsyslogd from default 2. 
It works > perfectly when PrivDropTo is not used in rsyslog.conf. > > I'm running on RHEL6.1_x64. > Do you have a working /etc/init.d/rsyslog what you can share/I can test...? No rg > > > Thanks in advance :-) ! > ~maymann > > 2012/2/2 Michael Maymann > > > Hi, > > > > Rainer: Sorry... forgot to mention that it doesn't say anything about > > failing in the logs... and it actually doesn't fail... it works and > > after the timeout+failed notice only the proccess owned by > > PrivDropToUser-USER is present, but now owned by the init-proccess > (mother proccess dies): > > > > # service rsyslog start > > Starting system logger: [FAILED] > > > > BEFORE failed status: > > root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6 > > 9131 9126 0 11:07 ? 00:00:00 > > /usr/sbin/rsyslogd -c 6 > > > > AFTER failed status root-owned proccess is killed and > > PrivDropToUser-USER owned proccess is therefore gets owned by init: > > 9131 1 0 11:07 ? 00:00:00 > > /usr/sbin/rsyslogd -c 6 > > > > Anyone who can help with this...?: > > here is the debug output when starting running the init-script: > > #/etc/init.d/rsyslog start > > + . /etc/init.d/functions > > ++ TEXTDOMAIN=initscripts > > ++ umask 022 > > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin > > ++ export PATH > > ++ '[' -z '' ']' > > ++ COLUMNS=80 > > ++ '[' -z '' ']' > > +++ /sbin/consoletype > > ++ CONSOLETYPE=pty > > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' > > ++ . /etc/profile.d/lang.sh > > ++ unset LANGSH_SOURCED > > ++ '[' -z '' ']' > > ++ '[' -f /etc/sysconfig/init ']' > > ++ . 
/etc/sysconfig/init > > +++ BOOTUP=color > > +++ RES_COL=60 > > +++ MOVE_TO_COL='echo -en \033[60G' > > +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' > > +++ SETCOLOR_FAILURE='echo -en \033[0;31m' > > +++ SETCOLOR_WARNING='echo -en \033[0;33m' > > +++ SETCOLOR_NORMAL='echo -en \033[0;39m' > > +++ PROMPT=yes > > +++ AUTOSWAP=no > > +++ ACTIVE_CONSOLES='/dev/tty[1-6]' > > +++ SINGLE=/sbin/sushell > > ++ '[' pty = serial ']' > > ++ > > > __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\ > .rpmsave\)$/d' > > + RETVAL=0 > > + PIDFILE=/var/run/syslogd.pid > > + prog=rsyslogd > > + exec=/usr/sbin/rsyslogd > > + lockfile=/var/lock/subsys/rsyslogd > > + case "$1" in > > + start > > + '[' -x /usr/sbin/rsyslogd ']' > > + '[' -f /etc/sysconfig/rsyslog ']' > > + . /etc/sysconfig/rsyslog > > ++ SYSLOGD_OPTIONS='-c 6' > > + umask 077 > > + echo -n 'Starting system logger: ' > > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid > > /usr/sbin/rsyslogd -c 6 > > + local gotbase= force= nicelevel corelimit local pid base= user= > > + nice= bg= pid_file= local cgroup= > > + nicelevel=0 > > + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']' > > + case $1 in > > + pid_file=/var/run/syslogd.pid > > + shift > > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' > > + '[' -z '' ']' > > + base=rsyslogd > > + __pids_var_run rsyslogd /var/run/syslogd.pid local base=rsyslogd > > + local pid_file=/var/run/syslogd.pid pid= '[' -f /var/run/syslogd.pid > > + ']' > > + return 3 > > + '[' -n '' -a -z '' ']' > > + corelimit='ulimit -S -c 0' > > + '[' -n '' ']' > > + '[' -n '' ']' > > + '[' color = verbose -a -z '' ']' > > + '[' -z '' ']' > > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6' > > ... > > (hangs here for a long time) > > ... 
> > + '[' 1 -eq 0 ']' > > + failure 'rsyslogd startup' > > + local rc=1 > > + '[' color '!=' verbose -a -z '' ']' > > + echo_failure > > + '[' color = color ']' > > + echo -en '\033[60G' > > + echo -n '[' > > [+ '[' color = color ']' > > + echo -en '\033[0;31m' > > + echo -n FAILED > > FAILED+ '[' color = color ']' > > + echo -en '\033[0;39m' > > + echo -n ']' > > ]+ echo -ne '\r' > > + return 1 > > + '[' -x /usr/bin/plymouth ']' > > + /usr/bin/plymouth --details > > + return 1 > > + RETVAL=1 > > + echo > > > > + '[' 1 -eq 0 ']' > > + return 1 > > + exit 1 > > > > I have tried to give 777-access to /var/run and /var/lock/subsys - but > > same thing happens... > > > > > > > > Thanks in advance :-) ! > > > > Br. > > ~maymann > > > > > > > > 2012/2/2 Rainer Gerhards > > > >> I can only help you with that part if you point me to why exactly the > >> script claims what it does. So you may want to try find someone who > >> can do that. > >> I > >> know this is probably a trivial question, but I don't know anything > >> ;) > >> > >> Sry, rainer > >> > >> > -----Original Message----- > >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > >> > Sent: Thursday, February 02, 2012 10:03 AM > >> > To: rsyslog-users > >> > Subject: Re: [rsyslog] rsyslog as non-root user > >> > > >> > Here is my startup script... only thing changed is the path to the > >> > new 6.3.6-rsyslog-devel binary. > >> > The startup-scripts works also perfectly when i comment out the > >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if > >> > PrivDropToUser+i > >> > have > >> > both or one of the entries...: > >> > #!/bin/bash > >> > # > >> > # rsyslog Starts rsyslogd/rklogd. > >> > # > >> > # > >> > # chkconfig: 2345 12 88 > >> > # description: Syslog is the facility by which many daemons use to > >> > log \ # messages to various system log files. It is a good idea to > >> > always \ # run rsyslog. 
> >> > ### BEGIN INIT INFO > >> > # Provides: $syslog > >> > # Required-Start: $local_fs > >> > # Required-Stop: $local_fs > >> > # Default-Start: 2 3 4 5 > >> > # Default-Stop: 0 1 6 > >> > # Short-Description: Enhanced system logging and kernel message > >> > trapping daemons # Description: Rsyslog is an enhanced > >> > multi-threaded syslogd supporting, > >> > # among others, MySQL, syslog/tcp, RFC 3195, permitted > >> > # sender lists, filtering on any message part, and fine > >> > # grain output format control. > >> > ### END INIT INFO > >> > > >> > # Source function library. > >> > . /etc/init.d/functions > >> > > >> > RETVAL=0 > >> > PIDFILE=/var/run/syslogd.pid > >> > > >> > prog=rsyslogd > >> > #exec=/sbin/rsyslogd > >> > exec=/usr/sbin/rsyslogd > >> > lockfile=/var/lock/subsys/$prog > >> > > >> > start() { > >> > [ -x $exec ] || exit 5 > >> > > >> > # Source config > >> > if [ -f /etc/sysconfig/rsyslog ] ; then > >> > . /etc/sysconfig/rsyslog > >> > fi > >> > umask 077 > >> > > >> > echo -n $"Starting system logger: " > >> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS > >> > RETVAL=$? > >> > echo > >> > [ $RETVAL -eq 0 ] && touch $lockfile > >> > return $RETVAL > >> > } > >> > stop() { > >> > echo -n $"Shutting down system logger: " > >> > killproc $prog > >> > RETVAL=$? > >> > echo > >> > [ $RETVAL -eq 0 ] && rm -f $lockfile > >> > return $RETVAL > >> > } > >> > reload() { > >> > RETVAL=1 > >> > syslog=$(cat "${PIDFILE}" 2>/dev/null) > >> > echo -n "Reloading system logger..." > >> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > >> > kill -HUP "$syslog"; > >> > RETVAL=$? 
> >> > fi > >> > if [ $RETVAL -ne 0 ]; then > >> > failure > >> > else > >> > success > >> > fi > >> > echo > >> > return $RETVAL > >> > } > >> > rhstatus() { > >> > status -p "${PIDFILE}" $prog } > >> > restart() { > >> > stop > >> > start > >> > } > >> > > >> > case "$1" in > >> > start) > >> > start > >> > ;; > >> > stop) > >> > stop > >> > ;; > >> > restart) > >> > restart > >> > ;; > >> > reload|force-reload) > >> > reload > >> > ;; > >> > status) > >> > rhstatus > >> > ;; > >> > condrestart|try-restart) > >> > rhstatus >/dev/null 2>&1 || exit 0 > >> > restart > >> > ;; > >> > *) > >> > echo $"Usage: $0 > >> > {start|stop|restart|condrestart|try-restart|reload|force- > >> > reload|status}" > >> > exit 2 > >> > esac > >> > > >> > exit $? > >> > > >> > 2012/2/2 Rainer Gerhards > >> > > >> > > > >> > > > >> > > > -----Original Message----- > >> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > >> > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > >> > > > Sent: Wednesday, February 01, 2012 9:08 AM > >> > > > To: rsyslog-users > >> > > > Subject: Re: [rsyslog] rsyslog as non-root user > >> > > > > >> > > > Hi, > >> > > > > >> > > > David: thanks - got it working with permission dropping, by far > >> > > > my prefered configuration... just didn't know of it...:-) ! > >> > > > Rainer: please let us know if the debug info of the "permission > >> > > > dropping: > >> > > > hang+timeout" I send you can solve anything... anyway it works > >> > > > hang+now > >> > - > >> > > > but > >> > > > not optimal if other people have to service my setup...:-) ! > >> > > > >> > > I have reviewed the debug log and I see nothing unexpected. From > >> > > the timestamps I also see that there is no hang whatsoever. So it > >> > > looks > >> > like > >> > > there is some problem with the startup script, which I don't > >> > > know. I suggest to ask what the FAILED status is caused by. We > >> > > can then look why this happens. 
> >> > > > >> > > Sorry I have no better answer... > >> > > Rainer > >> > > > >> > > > > >> > > > Thanks in advance :-) ! > >> > > > ~maymann > >> > > > > >> > > > 2012/2/1 > >> > > > > >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote: > >> > > > > > >> > > > > Hi, > >> > > > >> > >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is > >> > > > >> working > >> > fine > >> > > > running > >> > > > >> as root. > >> > > > >> I would like to run it as non-root user as my logfiles are > >> > located > >> > > > on NFS > >> > > > >> (and root export of NFS is generally not a good idea !). > >> > > > >> > >> > > > >> Here is my rsyslog.conf: > >> > > > >> #LOAD MODULES > >> > > > >> $ModLoad imudp > >> > > > >> $UDPServerRun 514 > >> > > > >> $UDPServerAddress 127.0.0.1 > >> > > > >> $ModLoad imtcp > >> > > > >> $InputTCPServerRun 514 > >> > > > >> #SET DESTINATION FOR LOGS > >> > > > >> $template > >> > > > >> > DYNmessages,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.% > ** > >> > > > >> $MONTH%_messages" > >> > > > >> $template > >> > > > >> > >> > > > > >> > > DYNsecure,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > $MONTH%_secure" > >> > > > >> $template > >> > > > >> > >> > > > > >> > > DYNmaillog,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > $MONTH%_ma > >> > illo > >> > > > g" > >> > > > >> $template > >> > > > > DYNcron,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO > NTH%_** > >> > > > >> cron" > >> > > > >> $template > >> > > > >> > >> > > > > >> > > DYNspooler,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > $MONTH%_sp > >> > oole > >> > > > r" > >> > > > >> $template > >> > > > >> > >> > > > > >> > > DYNboot,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO > NTH%_**boot.log" > >> > > > >> $template > >> > > > > DYNtraps,"/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO > NTH%_** > >> > > > >> traps" > >> > > > >> #SET LOGGING CONDITIONS > >> > > > >> if $syslogseverity <= '6' then ?DYNmessages if > >> > > > >> $syslogfacility-text == 'authpriv' then ?DYNsecure if > >> > > > >> $syslogfacility-text == 
'mail' then ?DYNmaillog if > >> > > > >> $syslogfacility-text == 'cron' then ?DYNcron if > >> > > > >> $syslogseverity-text == 'crit' then ?DYNspooler if > >> > > > >> $syslogfacility-text == 'local7' then ?DYNboot if > >> > > > >> $syslogfacility-text == 'local6' and $syslogseverity-text == > >> > > > 'WARNING' > >> > > > >> then ?DYNtraps > >> > > > >> > >> > > > >> Here is my logfile when I try to start rsyslog as a non-root > >> > user: > >> > > > >> 2012-01-31T15:45:52.997693+02:**00 rsyslogd: > >> > > > >> [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x- > info=" > >> > > > >> http://www.rsyslog.com"] start > >> > > > >> 2012-01-31T15:45:52.997294+02:**00 rsyslogd: bind: > >> > > > Permission > >> > > > >> denied > >> > > > >> 2012-01-31T15:45:52.997369+02:**00 rsyslogd: bind: > >> > > > Permission > >> > > > >> denied > >> > > > >> 2012-01-31T15:45:52.997374+02:**00 rsyslogd: No > >> > > > >> UDP > >> > > > listen > >> > > > >> socket > >> > > > >> could successfully be initialized, message reception via UDP > >> > > > disabled. > >> > > > >> 2012-01-31T15:45:52.997376+02:**00 rsyslogd: > imudp: > >> > no > >> > > > >> listeners > >> > > > >> could be started, input not activated. > >> > > > >> 2012-01-31T15:45:52.997379+02:**00 rsyslogd3: > >> > activation > >> > > > of > >> > > > >> module > >> > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ] > >> > > > >> 2012-01-31T15:45:52.997643+02:**00 rsyslogd-2077: > >> > Could > >> > > > not > >> > > > >> create > >> > > > >> tcp listener, ignoring port 514. [try > >> > http://www.rsyslog.com/e/2077 > >> > > > ] > >> > > > >> > >> > > > >> So permissions to bind and sockets seems to be the problem... > >> > > > >> > >> > > > > > >> > > > > yes, you cannot bind to ports <1024 as a normal user (without > >> > making > >> > > > some > >> > > > > other non-standard changes through sysctl) > >> > > > > > >> > > > > > >> > > > > 1. 
Is it possible to make rsyslog write logfiles as a > >> > > > > non-root > >> > user > >> > > > - if > >> > > > >> yes: how ? > >> > > > >> > >> > > > > > >> > > > > permission drop features > >> > > > > > >> > > > > > >> > > > > 2a. Is it possible to add permissions for non-root user to > >> > > > > run > >> > > > rsyslog > >> > > > >> server - if yes: how ? > >> > > > >> > >> > > > > > >> > > > > pick a listening port > 1024 and it should work. > >> > > > > > >> > > > > > >> > > > > 2b. How do I start rsyslog during boot as non-root user - > >> > > > > can > >> > > > chkconfig do > >> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? > >> > > > >> > >> > > > > > >> > > > > su can run a command as a different user. > >> > > > > > >> > > > > although as Rainer points out, you may just be looking for > >> > > > > the > >> > > > permission > >> > > > > dropping features that are already in rsyslog. > >> > > > > > >> > > > > David Lang > >> > > > > > >> > > > > ______________________________**_________________ > >> > > > > rsyslog mailing list > >> > > > > > >> > > > > >> > http://lists.adiscon.net/**mailman/listinfo/rsyslog >> > isco > >> > > > n.net/mailman/listinfo/rsyslog> > >> > > > > http://www.rsyslog.com/**professional- > >> > > > services/ > >> > > > > > >> > > > _______________________________________________ > >> > > > rsyslog mailing list > >> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > >> > > > http://www.rsyslog.com/professional-services/ > >> > > _______________________________________________ > >> > > rsyslog mailing list > >> > > http://lists.adiscon.net/mailman/listinfo/rsyslog > >> > > http://www.rsyslog.com/professional-services/ > >> > > > >> > _______________________________________________ > >> > rsyslog mailing list > >> > http://lists.adiscon.net/mailman/listinfo/rsyslog > >> > http://www.rsyslog.com/professional-services/ > >> _______________________________________________ > >> rsyslog mailing list > >> 
http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/

From michael at maymann.org Thu Feb 2 14:32:28 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 14:32:28 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281846@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281846@GRFEXC.intern.adiscon.com>
Message-ID:

Anyone...?

2012/2/2 Rainer Gerhards
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Thursday, February 02, 2012 2:29 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog as non-root user
> >
> > Hi Rainer,
> >
> > I really have my doubts it has something to do with my startup script:
> > 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> >
> > I'm running on RHEL6.1_x64.
> > Do you have a working /etc/init.d/rsyslog that you can share/I can test...?
>
> No
>
> rg

From michael at maymann.org Thu Feb 2 15:10:40 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 15:10:40 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
<9B6E2A8877C38245BFB15CC491A11DA7281846@GRFEXC.intern.adiscon.com> Message-ID: bugreport created... http://bugzilla.adiscon.com/show_bug.cgi?id=306 Br. ~maymann 2012/2/2 Michael Maymann > Anyone...? > > > 2012/2/2 Rainer Gerhards > >> >> >> > -----Original Message----- >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > Sent: Thursday, February 02, 2012 2:29 PM >> > To: rsyslog-users >> > Subject: Re: [rsyslog] rsyslog as non-root user >> > >> > Hi Rainer, >> > >> > I really have my doubts it has something to do with my startup script: >> > 1. I only changed the exec=/usr/sbin/rsyslogd from default 2. It works >> > perfectly when PrivDropTo is not used in rsyslog.conf. >> > >> > I'm running on RHEL6.1_x64. >> > Do you have a working /etc/init.d/rsyslog what you can share/I can >> test...? >> >> No >> >> rg >> > >> > >> > Thanks in advance :-) ! >> > ~maymann >> > >> > 2012/2/2 Michael Maymann >> > >> > > Hi, >> > > >> > > Rainer: Sorry... forgot to mention that it doesn't say anything about >> > > failing in the logs... and it actually doesn't fail... it works and >> > > after the timeout+failed notice only the proccess owned by >> > > PrivDropToUser-USER is present, but now owned by the init-proccess >> > (mother proccess dies): >> > > >> > > # service rsyslog start >> > > Starting system logger: [FAILED] >> > > >> > > BEFORE failed status: >> > > root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c >> 6 >> > > 9131 9126 0 11:07 ? 00:00:00 >> > > /usr/sbin/rsyslogd -c 6 >> > > >> > > AFTER failed status root-owned proccess is killed and >> > > PrivDropToUser-USER owned proccess is therefore gets owned by init: >> > > 9131 1 0 11:07 ? 00:00:00 >> > > /usr/sbin/rsyslogd -c 6 >> > > >> > > Anyone who can help with this...?: >> > > here is the debug output when starting running the init-script: >> > > #/etc/init.d/rsyslog start >> > > + . 
/etc/init.d/functions >> > > ++ TEXTDOMAIN=initscripts >> > > ++ umask 022 >> > > ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin >> > > ++ export PATH >> > > ++ '[' -z '' ']' >> > > ++ COLUMNS=80 >> > > ++ '[' -z '' ']' >> > > +++ /sbin/consoletype >> > > ++ CONSOLETYPE=pty >> > > ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >> > > ++ . /etc/profile.d/lang.sh >> > > ++ unset LANGSH_SOURCED >> > > ++ '[' -z '' ']' >> > > ++ '[' -f /etc/sysconfig/init ']' >> > > ++ . /etc/sysconfig/init >> > > +++ BOOTUP=color >> > > +++ RES_COL=60 >> > > +++ MOVE_TO_COL='echo -en \033[60G' >> > > +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >> > > +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >> > > +++ SETCOLOR_WARNING='echo -en \033[0;33m' >> > > +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >> > > +++ PROMPT=yes >> > > +++ AUTOSWAP=no >> > > +++ ACTIVE_CONSOLES='/dev/tty[1-6]' >> > > +++ SINGLE=/sbin/sushell >> > > ++ '[' pty = serial ']' >> > > ++ >> > > >> > __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\ >> > .rpmsave\)$/d' >> > > + RETVAL=0 >> > > + PIDFILE=/var/run/syslogd.pid >> > > + prog=rsyslogd >> > > + exec=/usr/sbin/rsyslogd >> > > + lockfile=/var/lock/subsys/rsyslogd >> > > + case "$1" in >> > > + start >> > > + '[' -x /usr/sbin/rsyslogd ']' >> > > + '[' -f /etc/sysconfig/rsyslog ']' >> > > + . 
/etc/sysconfig/rsyslog >> > > ++ SYSLOGD_OPTIONS='-c 6' >> > > + umask 077 >> > > + echo -n 'Starting system logger: ' >> > > Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >> > > /usr/sbin/rsyslogd -c 6 >> > > + local gotbase= force= nicelevel corelimit local pid base= user= >> > > + nice= bg= pid_file= local cgroup= >> > > + nicelevel=0 >> > > + '[' --pidfile=/var/run/syslogd.pid '!=' >> -pidfile=/var/run/syslogd.pid >> ']' >> > > + case $1 in >> > > + pid_file=/var/run/syslogd.pid >> > > + shift >> > > + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >> > > + '[' -z '' ']' >> > > + base=rsyslogd >> > > + __pids_var_run rsyslogd /var/run/syslogd.pid local base=rsyslogd >> > > + local pid_file=/var/run/syslogd.pid pid= '[' -f /var/run/syslogd.pid >> > > + ']' >> > > + return 3 >> > > + '[' -n '' -a -z '' ']' >> > > + corelimit='ulimit -S -c 0' >> > > + '[' -n '' ']' >> > > + '[' -n '' ']' >> > > + '[' color = verbose -a -z '' ']' >> > > + '[' -z '' ']' >> > > + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd >> -c 6' >> > > ... >> > > (hangs here for a long time) >> > > ... >> > > + '[' 1 -eq 0 ']' >> > > + failure 'rsyslogd startup' >> > > + local rc=1 >> > > + '[' color '!=' verbose -a -z '' ']' >> > > + echo_failure >> > > + '[' color = color ']' >> > > + echo -en '\033[60G' >> > > + echo -n >> '[' >> > > [+ '[' color = color ']' >> > > + echo -en '\033[0;31m' >> > > + echo -n FAILED >> > > FAILED+ '[' color = color ']' >> > > + echo -en '\033[0;39m' >> > > + echo -n ']' >> > > ]+ echo -ne '\r' >> > > + return 1 >> > > + '[' -x /usr/bin/plymouth ']' >> > > + /usr/bin/plymouth --details >> > > + return 1 >> > > + RETVAL=1 >> > > + echo >> > > >> > > + '[' 1 -eq 0 ']' >> > > + return 1 >> > > + exit 1 >> > > >> > > I have tried to give 777-access to /var/run and /var/lock/subsys - but >> > > same thing happens... >> > > >> > > >> > > >> > > Thanks in advance :-) ! >> > > >> > > Br. 
>> > > ~maymann >> > > >> > > >> > > >> > > 2012/2/2 Rainer Gerhards >> > > >> > >> I can only help you with that part if you point me to why exactly the >> > >> script claims what it does. So you may want to try find someone who >> > >> can do that. >> > >> I >> > >> know this is probably a trivial question, but I don't know anything >> > >> ;) >> > >> >> > >> Sry, rainer >> > >> >> > >> > -----Original Message----- >> > >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > >> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > >> > Sent: Thursday, February 02, 2012 10:03 AM >> > >> > To: rsyslog-users >> > >> > Subject: Re: [rsyslog] rsyslog as non-root user >> > >> > >> > >> > Here is my startup script... only thing changed is the path to the >> > >> > new 6.3.6-rsyslog-devel binary. >> > >> > The startup-scripts works also perfectly when i comment out the >> > >> > PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if >> > >> > PrivDropToUser+i >> > >> > have >> > >> > both or one of the entries...: >> > >> > #!/bin/bash >> > >> > # >> > >> > # rsyslog Starts rsyslogd/rklogd. >> > >> > # >> > >> > # >> > >> > # chkconfig: 2345 12 88 >> > >> > # description: Syslog is the facility by which many daemons use to >> > >> > log \ # messages to various system log files. It is a good idea to >> > >> > always \ # run rsyslog. >> > >> > ### BEGIN INIT INFO >> > >> > # Provides: $syslog >> > >> > # Required-Start: $local_fs >> > >> > # Required-Stop: $local_fs >> > >> > # Default-Start: 2 3 4 5 >> > >> > # Default-Stop: 0 1 6 >> > >> > # Short-Description: Enhanced system logging and kernel message >> > >> > trapping daemons # Description: Rsyslog is an enhanced >> > >> > multi-threaded syslogd supporting, >> > >> > # among others, MySQL, syslog/tcp, RFC 3195, permitted >> > >> > # sender lists, filtering on any message part, and >> fine >> > >> > # grain output format control. 
>> > >> > ### END INIT INFO >> > >> > >> > >> > # Source function library. >> > >> > . /etc/init.d/functions >> > >> > >> > >> > RETVAL=0 >> > >> > PIDFILE=/var/run/syslogd.pid >> > >> > >> > >> > prog=rsyslogd >> > >> > #exec=/sbin/rsyslogd >> > >> > exec=/usr/sbin/rsyslogd >> > >> > lockfile=/var/lock/subsys/$prog >> > >> > >> > >> > start() { >> > >> > [ -x $exec ] || exit 5 >> > >> > >> > >> > # Source config >> > >> > if [ -f /etc/sysconfig/rsyslog ] ; then >> > >> > . /etc/sysconfig/rsyslog >> > >> > fi >> > >> > umask 077 >> > >> > >> > >> > echo -n $"Starting system logger: " >> > >> > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >> > >> > RETVAL=$? >> > >> > echo >> > >> > [ $RETVAL -eq 0 ] && touch $lockfile >> > >> > return $RETVAL >> > >> > } >> > >> > stop() { >> > >> > echo -n $"Shutting down system logger: " >> > >> > killproc $prog >> > >> > RETVAL=$? >> > >> > echo >> > >> > [ $RETVAL -eq 0 ] && rm -f $lockfile >> > >> > return $RETVAL >> > >> > } >> > >> > reload() { >> > >> > RETVAL=1 >> > >> > syslog=$(cat "${PIDFILE}" 2>/dev/null) >> > >> > echo -n "Reloading system logger..." >> > >> > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >> > >> > kill -HUP "$syslog"; >> > >> > RETVAL=$? 
>> > >> > fi >> > >> > if [ $RETVAL -ne 0 ]; then >> > >> > failure >> > >> > else >> > >> > success >> > >> > fi >> > >> > echo >> > >> > return $RETVAL >> > >> > } >> > >> > rhstatus() { >> > >> > status -p "${PIDFILE}" $prog } >> > >> > restart() { >> > >> > stop >> > >> > start >> > >> > } >> > >> > >> > >> > case "$1" in >> > >> > start) >> > >> > start >> > >> > ;; >> > >> > stop) >> > >> > stop >> > >> > ;; >> > >> > restart) >> > >> > restart >> > >> > ;; >> > >> > reload|force-reload) >> > >> > reload >> > >> > ;; >> > >> > status) >> > >> > rhstatus >> > >> > ;; >> > >> > condrestart|try-restart) >> > >> > rhstatus >/dev/null 2>&1 || exit 0 >> > >> > restart >> > >> > ;; >> > >> > *) >> > >> > echo $"Usage: $0 >> > >> > {start|stop|restart|condrestart|try-restart|reload|force- >> > >> > reload|status}" >> > >> > exit 2 >> > >> > esac >> > >> > >> > >> > exit $? >> > >> > >> > >> > 2012/2/2 Rainer Gerhards >> > >> > >> > >> > > >> > >> > > >> > >> > > > -----Original Message----- >> > >> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > >> > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > >> > > > Sent: Wednesday, February 01, 2012 9:08 AM >> > >> > > > To: rsyslog-users >> > >> > > > Subject: Re: [rsyslog] rsyslog as non-root user >> > >> > > > >> > >> > > > Hi, >> > >> > > > >> > >> > > > David: thanks - got it working with permission dropping, by far >> > >> > > > my prefered configuration... just didn't know of it...:-) ! >> > >> > > > Rainer: please let us know if the debug info of the "permission >> > >> > > > dropping: >> > >> > > > hang+timeout" I send you can solve anything... anyway it works >> > >> > > > hang+now >> > >> > - >> > >> > > > but >> > >> > > > not optimal if other people have to service my setup...:-) ! >> > >> > > >> > >> > > I have reviewed the debug log and I see nothing unexpected. From >> > >> > > the timestamps I also see that there is no hang whatsoever. 
So it >> > >> > > looks >> > >> > like >> > >> > > there is some problem with the startup script, which I don't >> > >> > > know. I suggest to ask what the FAILED status is caused by. We >> > >> > > can then look why this happens. >> > >> > > >> > >> > > Sorry I have no better answer... >> > >> > > Rainer >> > >> > > >> > >> > > > >> > >> > > > Thanks in advance :-) ! >> > >> > > > ~maymann >> > >> > > > >> > >> > > > 2012/2/1 >> > >> > > > >> > >> > > > > On Tue, 31 Jan 2012, Michael Maymann wrote: >> > >> > > > > >> > >> > > > > Hi, >> > >> > > > >> >> > >> > > > >> I have now setup a 6.3.6-devel rsyslog server that is >> > >> > > > >> working >> > >> > fine >> > >> > > > running >> > >> > > > >> as root. >> > >> > > > >> I would like to run it as non-root user as my logfiles are >> > >> > located >> > >> > > > on NFS >> > >> > > > >> (and root export of NFS is generally not a good idea !). >> > >> > > > >> >> > >> > > > >> Here is my rsyslog.conf: >> > >> > > > >> #LOAD MODULES >> > >> > > > >> $ModLoad imudp >> > >> > > > >> $UDPServerRun 514 >> > >> > > > >> $UDPServerAddress 127.0.0.1 >> > >> > > > >> $ModLoad imtcp >> > >> > > > >> $InputTCPServerRun 514 >> > >> > > > >> #SET DESTINATION FOR LOGS >> > >> > > > >> $template >> > >> > > > >> >> > DYNmessages,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.% >> > ** >> > >> > > > >> $MONTH%_messages" >> > >> > > > >> $template >> > >> > > > >> >> > >> > > > >> > >> > >> > DYNsecure,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** >> > $MONTH%_secure" >> > >> > > > >> $template >> > >> > > > >> >> > >> > > > >> > >> > >> > DYNmaillog,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** >> > $MONTH%_ma >> > >> > illo >> > >> > > > g" >> > >> > > > >> $template >> > >> > > > >> > DYNcron,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO >> > NTH%_** >> > >> > > > >> cron" >> > >> > > > >> $template >> > >> > > > >> >> > >> > > > >> > >> > >> > DYNspooler,"/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** >> > $MONTH%_sp >> > >> > oole >> > >> > > > r" >> > >> > > > >> 
$template >> > >> > > > >> >> > >> > > > >> > >> > >> > DYNboot,"/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO >> > NTH%_**boot.log" >> > >> > > > >> $template >> > >> > > > >> > DYNtraps,"/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO >> > NTH%_** >> > >> > > > >> traps" >> > >> > > > >> #SET LOGGING CONDITIONS >> > >> > > > >> if $syslogseverity <= '6' then ?DYNmessages if >> > >> > > > >> $syslogfacility-text == 'authpriv' then ?DYNsecure if >> > >> > > > >> $syslogfacility-text == 'mail' then ?DYNmaillog if >> > >> > > > >> $syslogfacility-text == 'cron' then ?DYNcron if >> > >> > > > >> $syslogseverity-text == 'crit' then ?DYNspooler if >> > >> > > > >> $syslogfacility-text == 'local7' then ?DYNboot if >> > >> > > > >> $syslogfacility-text == 'local6' and $syslogseverity-text == >> > >> > > > 'WARNING' >> > >> > > > >> then ?DYNtraps >> > >> > > > >> >> > >> > > > >> Here is my logfile when I try to start rsyslog as a non-root >> > >> > user: >> > >> > > > >> 2012-01-31T15:45:52.997693+02:**00 rsyslogd: >> > >> > > > >> [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" >> x- >> > info=" >> > >> > > > >> http://www.rsyslog.com"] start >> > >> > > > >> 2012-01-31T15:45:52.997294+02:**00 rsyslogd: >> bind: >> > >> > > > Permission >> > >> > > > >> denied >> > >> > > > >> 2012-01-31T15:45:52.997369+02:**00 rsyslogd: >> bind: >> > >> > > > Permission >> > >> > > > >> denied >> > >> > > > >> 2012-01-31T15:45:52.997374+02:**00 rsyslogd: No >> > >> > > > >> UDP >> > >> > > > listen >> > >> > > > >> socket >> > >> > > > >> could successfully be initialized, message reception via UDP >> > >> > > > disabled. >> > >> > > > >> 2012-01-31T15:45:52.997376+02:**00 rsyslogd: >> > imudp: >> > >> > no >> > >> > > > >> listeners >> > >> > > > >> could be started, input not activated. 
>> > >> > > > >> 2012-01-31T15:45:52.997379+02:**00 rsyslogd3: >> > >> > activation >> > >> > > > of >> > >> > > > >> module >> > >> > > > >> imudp failed [try http://www.rsyslog.com/e/-3 ] >> > >> > > > >> 2012-01-31T15:45:52.997643+02:**00 rsyslogd-2077: >> > >> > Could >> > >> > > > not >> > >> > > > >> create >> > >> > > > >> tcp listener, ignoring port 514. [try >> > >> > http://www.rsyslog.com/e/2077 >> > >> > > > ] >> > >> > > > >> >> > >> > > > >> So permissions to bind and sockets seems to be the >> problem... >> > >> > > > >> >> > >> > > > > >> > >> > > > > yes, you cannot bind to ports <1024 as a normal user (without >> > >> > making >> > >> > > > some >> > >> > > > > other non-standard changes through sysctl) >> > >> > > > > >> > >> > > > > >> > >> > > > > 1. Is it possible to make rsyslog write logfiles as a >> > >> > > > > non-root >> > >> > user >> > >> > > > - if >> > >> > > > >> yes: how ? >> > >> > > > >> >> > >> > > > > >> > >> > > > > permission drop features >> > >> > > > > >> > >> > > > > >> > >> > > > > 2a. Is it possible to add permissions for non-root user to >> > >> > > > > run >> > >> > > > rsyslog >> > >> > > > >> server - if yes: how ? >> > >> > > > >> >> > >> > > > > >> > >> > > > > pick a listening port > 1024 and it should work. >> > >> > > > > >> > >> > > > > >> > >> > > > > 2b. How do I start rsyslog during boot as non-root user - >> > >> > > > > can >> > >> > > > chkconfig do >> > >> > > > >> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >> > >> > > > >> >> > >> > > > > >> > >> > > > > su can run a command as a different user. >> > >> > > > > >> > >> > > > > although as Rainer points out, you may just be looking for >> > >> > > > > the >> > >> > > > permission >> > >> > > > > dropping features that are already in rsyslog. 
>> > >> > > > >
>> > >> > > > > David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/

From rgerhards at hq.adiscon.com Thu Feb 2 15:12:54 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 2 Feb 2012 15:12:54 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: 
<9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281846@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281847@GRFEXC.intern.adiscon.com>

Closed as invalid, you need to talk to your distro... (see tracker)

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 3:11 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> bugreport created...
> http://bugzilla.adiscon.com/show_bug.cgi?id=306
>
> Br.
> ~maymann

From friedl at hq.adiscon.com Thu Feb 2 16:07:08 2012
From: 
friedl at hq.adiscon.com (Florian Riedl)
Date: Thu, 2 Feb 2012 16:07:08 +0100
Subject: [rsyslog] rsyslog 6.3.7 (devel) released
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281848@GRFEXC.intern.adiscon.com>

Hi all.

With this release, all builtin actions support the new v6 config format. Also, the release contains much enhanced statistics counters and various bug fixes. Recommended for all users of the v6-devel branch.

ChangeLog:
http://www.rsyslog.com/changelog-for-6-3-7-v6-devel/

Download:
http://www.rsyslog.com/rsyslog-6-3-7-v6-devel/

As always, feedback is appreciated.

Best regards,
Florian Riedl

From david at lang.hm Thu Feb 2 19:17:29 2012
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Feb 2012 10:17:29 -0800 (PST)
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To:
References:
Message-ID:

On Thu, 2 Feb 2012, Michael Maymann wrote:

> Hi,
>
> David: thanks for your reply...:-) !
> here is my debug output:

Rainer already answered your question, but this isn't quite what I was asking for.

what I was asking for was for you to add a line something like the following

*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DEBUG

this would create a file with the same logs as you put in /var/log/messages, but with a different format that gives you a dump of what all the properties are set for.

give it a quick try and I think you'll see that it will give you a lot of the information you are needing to troubleshoot the types of problems that you are having.

David Lang

From david at lang.hm Thu Feb 2 19:19:27 2012
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Feb 2012 10:19:27 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

On Thu, 2 Feb 2012, Michael Maymann wrote:

> Hi Rainer,
>
> I really have my doubts it has something to do with my startup script:
> 1.
I only changed the exec=/usr/sbin/rsyslogd from default
> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>
> I'm running on RHEL6.1_x64.
> Do you have a working /etc/init.d/rsyslog that you can share/I can test...?

my guess is that this is a SELINUX related problem.

what happens if you try to start rsyslog manually (not by running the startup script, but just running 'rsyslogd -c 6')?

David Lang

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann
>
>> Hi,
>>
>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>> failing in the logs... and it actually doesn't fail... it works and after
>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>> present, but now owned by the init-process (mother process dies):
>>
>> # service rsyslog start
>> Starting system logger: [FAILED]
>>
>> BEFORE failed status:
>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>
>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>> owned process therefore gets owned by init:
>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>
>> Anyone who can help with this...?:
>> here is the debug output when running the init-script:
>> #/etc/init.d/rsyslog start
>> + . /etc/init.d/functions
>> ++ TEXTDOMAIN=initscripts
>> ++ umask 022
>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>> ++ export PATH
>> ++ '[' -z '' ']'
>> ++ COLUMNS=80
>> ++ '[' -z '' ']'
>> +++ /sbin/consoletype
>> ++ CONSOLETYPE=pty
>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>> ++ . /etc/profile.d/lang.sh
>> ++ unset LANGSH_SOURCED
>> ++ '[' -z '' ']'
>> ++ '[' -f /etc/sysconfig/init ']'
>> ++ . /etc/sysconfig/init
>> +++ BOOTUP=color
>> +++ RES_COL=60
>> +++ MOVE_TO_COL='echo -en \033[60G'
>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>> +++ PROMPT=yes
>> +++ AUTOSWAP=no
>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>> +++ SINGLE=/sbin/sushell
>> ++ '[' pty = serial ']'
>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>> + RETVAL=0
>> + PIDFILE=/var/run/syslogd.pid
>> + prog=rsyslogd
>> + exec=/usr/sbin/rsyslogd
>> + lockfile=/var/lock/subsys/rsyslogd
>> + case "$1" in
>> + start
>> + '[' -x /usr/sbin/rsyslogd ']'
>> + '[' -f /etc/sysconfig/rsyslog ']'
>> + . /etc/sysconfig/rsyslog
>> ++ SYSLOGD_OPTIONS='-c 6'
>> + umask 077
>> + echo -n 'Starting system logger: '
>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>> + local gotbase= force= nicelevel corelimit
>> + local pid base= user= nice= bg= pid_file=
>> + local cgroup=
>> + nicelevel=0
>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>> + case $1 in
>> + pid_file=/var/run/syslogd.pid
>> + shift
>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>> + '[' -z '' ']'
>> + base=rsyslogd
>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>> + local base=rsyslogd
>> + local pid_file=/var/run/syslogd.pid
>> + pid=
>> + '[' -f /var/run/syslogd.pid ']'
>> + return 3
>> + '[' -n '' -a -z '' ']'
>> + corelimit='ulimit -S -c 0'
>> + '[' -n '' ']'
>> + '[' -n '' ']'
>> + '[' color = verbose -a -z '' ']'
>> + '[' -z '' ']'
>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>> ...
>> (hangs here for a long time)
>> ...
>> + '[' 1 -eq 0 ']'
>> + failure 'rsyslogd startup'
>> + local rc=1
>> + '[' color '!=' verbose -a -z '' ']'
>> + echo_failure
>> + '[' color = color ']'
>> + echo -en '\033[60G'
>> + echo -n '['
>> [+ '[' color = color ']'
>> + echo -en '\033[0;31m'
>> + echo -n FAILED
>> FAILED+ '[' color = color ']'
>> + echo -en '\033[0;39m'
>> + echo -n ']'
>> ]+ echo -ne '\r'
>> + return 1
>> + '[' -x /usr/bin/plymouth ']'
>> + /usr/bin/plymouth --details
>> + return 1
>> + RETVAL=1
>> + echo
>>
>> + '[' 1 -eq 0 ']'
>> + return 1
>> + exit 1
>>
>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>> same thing happens...
>>
>> Thanks in advance :-) !
>>
>> Br.
>> ~maymann
>>
>> 2012/2/2 Rainer Gerhards
>>
>>> I can only help you with that part if you point me to why exactly the script
>>> claims what it does. So you may want to try find someone who can do that. I
>>> know this is probably a trivial question, but I don't know anything ;)
>>>
>>> Sry, rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>
>>>> Here is my startup script... only thing changed is the path to the new
>>>> 6.3.6-rsyslog-devel binary.
>>>> The startup-scripts works also perfectly when I comment out the
>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
>>>> both or one of the entries...:
>>>> #!/bin/bash
>>>> #
>>>> # rsyslog Starts rsyslogd/rklogd.
>>>> #
>>>> #
>>>> # chkconfig: 2345 12 88
>>>> # description: Syslog is the facility by which many daemons use to log \
>>>> # messages to various system log files. It is a good idea to always \
>>>> # run rsyslog.
>>>> ### BEGIN INIT INFO
>>>> # Provides: $syslog
>>>> # Required-Start: $local_fs
>>>> # Required-Stop: $local_fs
>>>> # Default-Start: 2 3 4 5
>>>> # Default-Stop: 0 1 6
>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>> # sender lists, filtering on any message part, and fine
>>>> # grain output format control.
>>>> ### END INIT INFO
>>>>
>>>> # Source function library.
>>>> . /etc/init.d/functions
>>>>
>>>> RETVAL=0
>>>> PIDFILE=/var/run/syslogd.pid
>>>>
>>>> prog=rsyslogd
>>>> #exec=/sbin/rsyslogd
>>>> exec=/usr/sbin/rsyslogd
>>>> lockfile=/var/lock/subsys/$prog
>>>>
>>>> start() {
>>>>     [ -x $exec ] || exit 5
>>>>
>>>>     # Source config
>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>         . /etc/sysconfig/rsyslog
>>>>     fi
>>>>     umask 077
>>>>
>>>>     echo -n $"Starting system logger: "
>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>     RETVAL=$?
>>>>     echo
>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>     return $RETVAL
>>>> }
>>>> stop() {
>>>>     echo -n $"Shutting down system logger: "
>>>>     killproc $prog
>>>>     RETVAL=$?
>>>>     echo
>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>     return $RETVAL
>>>> }
>>>> reload() {
>>>>     RETVAL=1
>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>     echo -n "Reloading system logger..."
>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>         kill -HUP "$syslog";
>>>>         RETVAL=$?
>>>>     fi
>>>>     if [ $RETVAL -ne 0 ]; then
>>>>         failure
>>>>     else
>>>>         success
>>>>     fi
>>>>     echo
>>>>     return $RETVAL
>>>> }
>>>> rhstatus() {
>>>>     status -p "${PIDFILE}" $prog
>>>> }
>>>> restart() {
>>>>     stop
>>>>     start
>>>> }
>>>>
>>>> case "$1" in
>>>>     start)
>>>>         start
>>>>         ;;
>>>>     stop)
>>>>         stop
>>>>         ;;
>>>>     restart)
>>>>         restart
>>>>         ;;
>>>>     reload|force-reload)
>>>>         reload
>>>>         ;;
>>>>     status)
>>>>         rhstatus
>>>>         ;;
>>>>     condrestart|try-restart)
>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>         restart
>>>>         ;;
>>>>     *)
>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>         exit 2
>>>> esac
>>>>
>>>> exit $?
>>>>
>>>> 2012/2/2 Rainer Gerhards
>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> David: thanks - got it working with permission dropping, by far my preferred
>>>>>> configuration... just didn't know of it...:-) !
>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>> hang+timeout" I sent you can solve anything... anyway it works now - but
>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>
>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>> there is some problem with the startup script, which I don't know. I suggest
>>>>> to ask what the FAILED status is caused by. We can then look why this
>>>>> happens.
>>>>>
>>>>> Sorry I have no better answer...
>>>>> Rainer
>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann

From michael at maymann.org Thu Feb 2 19:42:43 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 19:42:43 +0100
Subject: [rsyslog] Timestamp wrong...?
In-Reply-To:
References:
Message-ID:

Hi,

David: thanks for your reply... already replied to own post:
http://lists.adiscon.net/pipermail/rsyslog/2012-February/014332.html

Case closed...

Br.
~maymann

2012/2/2

> On Thu, 2 Feb 2012, Michael Maymann wrote:
>
>> Hi,
>>
>> David: thanks for your reply...:-) !
>> here is my debug output:
>
> Rainer already answered your question, but this isn't quite what I was asking for.
>
> what I was asking for was for you to add a line something like the following
>
> *.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DEBUG
>
> this would create a file with the same logs as you put in /var/log/messages, but with a different format that gives you a dump of what all the properties are set for.
>
> give it a quick try and I think you'll see that it will give you a lot of the information you are needing to troubleshoot the types of problems that you are having.
>
> David Lang

From michael at maymann.org Thu Feb 2 19:47:02 2012
From: michael at maymann.org (Michael Maymann)
Date: Thu, 2 Feb 2012 19:47:02 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

David: Thanks for your reply - sounds possible... I will try this first thing tomorrow morning and report back with findings...

Br.
~maymann

2012/2/2

> On Thu, 2 Feb 2012, Michael Maymann wrote:
>
>> Hi Rainer,
>>
>> I really have my doubts it has something to do with my startup script:
>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>
>> I'm running on RHEL6.1_x64.
>> Do you have a working /etc/init.d/rsyslog that you can share/I can test...?
>
> my guess is that this is a SELINUX related problem.
>
> what happens if you try to start rsyslog manually (not by running the startup script, but just running 'rsyslogd -c 6')?
>
> David Lang
From michael at maymann.org Fri Feb 3 07:00:26 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 07:00:26 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:

> Hi,
>
> got it started... but still ??? dir+logfiles are showing up...
> This is now my rsyslog.conf:
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup
> $PrivDropToUser
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>
> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
> ??? dir+files...
> What variable should I use to handle this properly ?
>
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann
>
>> Hi,
>>
>> David: thanks for your reply...
>> Here is my new rsyslog.conf:
>> #SET PRIVILEGES
>> $PreserveFQDN on
>> $PrivDropToGroup
>> $PrivDropToUser
>> $DirCreateMode 0750
>> $FileCreateMode 0640
>> $UMASK 0027
>>
>> #LOAD MODULES
>> $ModLoad imudp
>> $UDPServerRun 514
>> $UDPServerAddress 127.0.0.1
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>>
>> #SET DESTINATION FOR LOGS
>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>
>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>
>> #SET LOGGING CONDITIONS
>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>
>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>
>> but it fails...:
>> # service rsyslog start
>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>> [ OK ]
>>
>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>> is this done...
>>
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>>
>> 2012/2/1
>>
>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>
>>>> Hi,
>>>>
>>>> I want to log information about hosts that are not logging with correct
>>>> HOSTNAME.
>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>> to...
>>>>
>>>> I would like to change this to the hosts IP instead, something like:
>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>
>>>
>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>> property.
>>>
>>> what you can do is to setup a different template and then if %fromhost%
>>> is your special pattern you can log with this different template.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/

From radu0gheorghe at gmail.com Fri Feb 3 07:40:31 2012
From: radu0gheorghe at gmail.com (Radu Gheorghe)
Date: Fri, 3 Feb 2012 08:40:31 +0200
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

2012/2/3 Michael Maymann :
> Please... Anyone?

I don't think I would be of much help, but here's what I would do:

1. Maybe "???" is not actually the returned string. I would try to
print that in the file (just put it in the template and see if it's
the real string). If it's not, that would explain the behavior. Or maybe
you need to escape it or something.

2. In case I just couldn't solve the problem, I would look at it from
a different angle. Basically, there should be two possibilities:
  a. The IPs of logging hosts are changing. In which case you need to
  have them report their hostname. Otherwise, there's no point
  archiving logs with their IP, because you wouldn't know afterwards
  which logs belong to which machine. Once you have that, you can log
  only based on $FROMHOST
  b. If IPs are more static (or you have a way to determine which IP
  belongs to which machine you're looking for when you search the
  logs), then you could just log based on $FROMHOST-IP. And maybe you
  can make a helper script that would help you find the right logs
  when you want to look at them.

Regarding your question:
> What variable should I use to handle this properly ?

By looking here:
http://www.rsyslog.com/doc/property_replacer.html

It seems to be that you're using the right variables :)

From david at lang.hm Fri Feb 3 07:44:46 2012
From: david at lang.hm (david at lang.hm)
Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
Subject: [rsyslog] if %FROMHOST% == '???'
 then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

what does one of these messages look like if you write it out with the
RSYSLOG_DEBUG template?

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

> Date: Fri, 3 Feb 2012 07:00:26 +0100
> From: Michael Maymann
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Please... Anyone?

From michael at maymann.org Fri Feb 3 08:08:32 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 08:08:32 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

David: unfortunately this was not the case...:
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

What else could cause this problem ?

Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann

> Hi,
>
> David: Thanks for your reply - sounds possible... I will try this first
> thing tomorrow morning and report back with findings...
>
> Br.
> ~maymann
>
> 2012/2/2
>
>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>
>>> Hi Rainer,
>>>
>>> I really have my doubts it has something to do with my startup script:
>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>
>>> I'm running on RHEL6.1_x64.
>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>> test...?
>>>
>>
>>
>> my guess is that this is a SELINUX related problem.
>>
>> what happens if you try to start rsyslog manually (not by running the
>> startup script, but just running 'rsyslogd -c 6')
>>
>> David Lang
>>
>>
>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/2 Michael Maymann
>>>
>>>> Hi,
>>>>
>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>> failing in the logs... and it actually doesn't fail... it works and after
>>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>>> present, but now owned by the init-process (mother process dies):
>>>>
>>>> # service rsyslog start
>>>> Starting system logger: [FAILED]
>>>>
>>>> BEFORE failed status:
>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>
>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>>> owned process therefore gets owned by init:
>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>
>>>> Anyone who can help with this...?:
>>>> here is the debug output when starting running the init-script:
>>>> #/etc/init.d/rsyslog start
>>>> + . /etc/init.d/functions
>>>> ++ TEXTDOMAIN=initscripts
>>>> ++ umask 022
>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>> ++ export PATH
>>>> ++ '[' -z '' ']'
>>>> ++ COLUMNS=80
>>>> ++ '[' -z '' ']'
>>>> +++ /sbin/consoletype
>>>> ++ CONSOLETYPE=pty
>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>> ++ . /etc/profile.d/lang.sh
>>>> ++ unset LANGSH_SOURCED
>>>> ++ '[' -z '' ']'
>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>> ++ . /etc/sysconfig/init
>>>> +++ BOOTUP=color
>>>> +++ RES_COL=60
>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>> +++ PROMPT=yes
>>>> +++ AUTOSWAP=no
>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>> +++ SINGLE=/sbin/sushell
>>>> ++ '[' pty = serial ']'
>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>> + RETVAL=0
>>>> + PIDFILE=/var/run/syslogd.pid
>>>> + prog=rsyslogd
>>>> + exec=/usr/sbin/rsyslogd
>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>> + case "$1" in
>>>> + start
>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>> + . /etc/sysconfig/rsyslog
>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>> + umask 077
>>>> + echo -n 'Starting system logger: '
>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>> + local gotbase= force= nicelevel corelimit
>>>> + local pid base= user= nice= bg= pid_file=
>>>> + local cgroup=
>>>> + nicelevel=0
>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>> + case $1 in
>>>> + pid_file=/var/run/syslogd.pid
>>>> + shift
>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>> + '[' -z '' ']'
>>>> + base=rsyslogd
>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>> + local base=rsyslogd
>>>> + local pid_file=/var/run/syslogd.pid
>>>> + pid=
>>>> + '[' -f /var/run/syslogd.pid ']'
>>>> + return 3
>>>> + '[' -n '' -a -z '' ']'
>>>> + corelimit='ulimit -S -c 0'
>>>> + '[' -n '' ']'
>>>> + '[' -n '' ']'
>>>> + '[' color = verbose -a -z '' ']'
>>>> + '[' -z '' ']'
>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>> ...
>>>> (hangs here for a long time)
>>>> ...
>>>> + '[' 1 -eq 0 ']'
>>>> + failure 'rsyslogd startup'
>>>> + local rc=1
>>>> + '[' color '!=' verbose -a -z '' ']'
>>>> + echo_failure
>>>> + '[' color = color ']'
>>>> + echo -en '\033[60G'
>>>> + echo -n '['
>>>> [+ '[' color = color ']'
>>>> + echo -en '\033[0;31m'
>>>> + echo -n FAILED
>>>> FAILED+ '[' color = color ']'
>>>> + echo -en '\033[0;39m'
>>>> + echo -n ']'
>>>> ]+ echo -ne '\r'
>>>> + return 1
>>>> + '[' -x /usr/bin/plymouth ']'
>>>> + /usr/bin/plymouth --details
>>>> + return 1
>>>> + RETVAL=1
>>>> + echo
>>>>
>>>> + '[' 1 -eq 0 ']'
>>>> + return 1
>>>> + exit 1
>>>>
>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>> same thing happens...
>>>>
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>>
>>>> Br.
>>>> ~maymann
>>>>
>>>>
>>>>
>>>> 2012/2/2 Rainer Gerhards
>>>>
>>>>> I can only help you with that part if you point me to why exactly the
>>>>> script claims what it does. So you may want to try find someone who can
>>>>> do that. I know this is probably a trivial question, but I don't know
>>>>> anything ;)
>>>>>
>>>>> Sry, rainer
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>
>>>>>> Here is my startup script... only thing changed is the path to the new
>>>>>> 6.3.6-rsyslog-devel binary.
>>>>>> The startup-scripts works also perfectly when i comment out the
>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if i
>>>>>> have both or one of the entries...:
>>>>>> #!/bin/bash
>>>>>> #
>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>> #
>>>>>> #
>>>>>> # chkconfig: 2345 12 88
>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>> # run rsyslog.
>>>>>> ### BEGIN INIT INFO
>>>>>> # Provides: $syslog
>>>>>> # Required-Start: $local_fs
>>>>>> # Required-Stop: $local_fs
>>>>>> # Default-Start: 2 3 4 5
>>>>>> # Default-Stop: 0 1 6
>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>> # sender lists, filtering on any message part, and fine
>>>>>> # grain output format control.
>>>>>> ### END INIT INFO
>>>>>>
>>>>>> # Source function library.
>>>>>> . /etc/init.d/functions
>>>>>>
>>>>>> RETVAL=0
>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>
>>>>>> prog=rsyslogd
>>>>>> #exec=/sbin/rsyslogd
>>>>>> exec=/usr/sbin/rsyslogd
>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>
>>>>>> start() {
>>>>>>     [ -x $exec ] || exit 5
>>>>>>
>>>>>>     # Source config
>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>     fi
>>>>>>     umask 077
>>>>>>
>>>>>>     echo -n $"Starting system logger: "
>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>     RETVAL=$?
>>>>>>     echo
>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>     return $RETVAL
>>>>>> }
>>>>>> stop() {
>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>     killproc $prog
>>>>>>     RETVAL=$?
>>>>>>     echo
>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>     return $RETVAL
>>>>>> }
>>>>>> reload() {
>>>>>>     RETVAL=1
>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>     echo -n "Reloading system logger..."
>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>         kill -HUP "$syslog";
>>>>>>         RETVAL=$?
>>>>>>     fi
>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>         failure
>>>>>>     else
>>>>>>         success
>>>>>>     fi
>>>>>>     echo
>>>>>>     return $RETVAL
>>>>>> }
>>>>>> rhstatus() {
>>>>>>     status -p "${PIDFILE}" $prog
>>>>>> }
>>>>>> restart() {
>>>>>>     stop
>>>>>>     start
>>>>>> }
>>>>>>
>>>>>> case "$1" in
>>>>>>   start)
>>>>>>     start
>>>>>>     ;;
>>>>>>   stop)
>>>>>>     stop
>>>>>>     ;;
>>>>>>   restart)
>>>>>>     restart
>>>>>>     ;;
>>>>>>   reload|force-reload)
>>>>>>     reload
>>>>>>     ;;
>>>>>>   status)
>>>>>>     rhstatus
>>>>>>     ;;
>>>>>>   condrestart|try-restart)
>>>>>>     rhstatus >/dev/null 2>&1 || exit 0
>>>>>>     restart
>>>>>>     ;;
>>>>>>   *)
>>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>     exit 2
>>>>>> esac
>>>>>>
>>>>>> exit $?
>>>>>>
>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>> To: rsyslog-users
>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>>> Rainer: please let us know if the debug info of the "permission
>>>>>>>> dropping: hang+timeout" I send you can solve anything... anyway it
>>>>>>>> works now - but not optimal if other people have to service my
>>>>>>>> setup...:-) !
>>>>>>>>
>>>>>>>
>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks like
>>>>>>> there is some problem with the startup script, which I don't know. I
>>>>>>> suggest to ask what the FAILED status is caused by. We can then look why
>>>>>>> this happens.
>>>>>>>
>>>>>>> Sorry I have no better answer...
>>>>>>> Rainer

From michael at maymann.org Fri Feb 3 08:38:06 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 08:38:06 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

forgot to mention,
that when i run: # /usr/sbin/rsyslogd -c 6 it does the same thing... (hang+timeout+live init/PrivDropToUser-owned-child-proccess) again only when PrivDropTo is enabled in /etc/rsyslog.conf... otherwise working perfectly... Would this possibly be solved in yesterdays release: 6.3.7-devel ? Thanks in advance :-) ! ~maymann 2012/2/3 Michael Maymann > Hi, > > David: unfortunately this was not the case...: > # cat /etc/sysconfig/selinux > # This file controls the state of SELinux on the system. > # SELINUX= can take one of these three values: > # enforcing - SELinux security policy is enforced. > # permissive - SELinux prints warnings instead of enforcing. > # disabled - SELinux is fully disabled. > SELINUX=disabled > # SELINUXTYPE= type of policy in use. Possible values are: > # targeted - Only targeted network daemons are protected. > # strict - Full SELinux protection. > SELINUXTYPE=targeted > > What else could cause this problem ? > > > > Thanks in advance :-) ! > ~maymann > > 2012/2/2 Michael Maymann > >> Hi, >> >> David: Thanks for your reply - sounds possible... I will try this first >> thing tomorrow morning and report back with findings... >> >> Br. >> ~maymann >> >> 2012/2/2 >> >> On Thu, 2 Feb 2012, Michael Maymann wrote: >>> >>> Hi Rainer, >>>> >>>> I really have my doubts it has something to do with my startup script: >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf. >>>> >>>> I'm running on RHEL6.1_x64. >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can >>>> test...? >>>> >>> >>> >>> my guess is that this is a SELINUX related problem. >>> >>> what happens if you try to start rsyslog manually (not by running the >>> startup script, but just running 'rsyslogd -c 6' " >>> >>> David Lang >>> >>> >>> >>>> Thanks in advance :-) ! >>>> ~maymann >>>> >>>> 2012/2/2 Michael Maymann >>>> >>>> Hi, >>>>> >>>>> Rainer: Sorry... 
forgot to mention that it doesn't say anything about >>>>> failing in the logs... and it actually doesn't fail... it works and >>>>> after >>>>> the timeout+failed notice only the proccess owned by >>>>> PrivDropToUser-USER is >>>>> present, but now owned by the init-proccess (mother proccess dies): >>>>> >>>>> # service rsyslog start >>>>> Starting system logger: [FAILED] >>>>> >>>>> BEFORE failed status: >>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6 >>>>> 9131 9126 0 11:07 ? 00:00:00 >>>>> /usr/sbin/rsyslogd -c 6 >>>>> >>>>> AFTER failed status root-owned proccess is killed and >>>>> PrivDropToUser-USER >>>>> owned proccess is therefore gets owned by init: >>>>> 9131 1 0 11:07 ? 00:00:00 >>>>> /usr/sbin/rsyslogd -c 6 >>>>> >>>>> Anyone who can help with this...?: >>>>> here is the debug output when starting running the init-script: >>>>> #/etc/init.d/rsyslog start >>>>> + . /etc/init.d/functions >>>>> ++ TEXTDOMAIN=initscripts >>>>> ++ umask 022 >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/**usr/bin >>>>> ++ export PATH >>>>> ++ '[' -z '' ']' >>>>> ++ COLUMNS=80 >>>>> ++ '[' -z '' ']' >>>>> +++ /sbin/consoletype >>>>> ++ CONSOLETYPE=pty >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >>>>> ++ . /etc/profile.d/lang.sh >>>>> ++ unset LANGSH_SOURCED >>>>> ++ '[' -z '' ']' >>>>> ++ '[' -f /etc/sysconfig/init ']' >>>>> ++ . 
/etc/sysconfig/init >>>>> +++ BOOTUP=color >>>>> +++ RES_COL=60 >>>>> +++ MOVE_TO_COL='echo -en \033[60G' >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' >>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >>>>> +++ PROMPT=yes >>>>> +++ AUTOSWAP=no >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]**' >>>>> +++ SINGLE=/sbin/sushell >>>>> ++ '[' pty = serial ']' >>>>> ++ >>>>> __sed_discard_ignored_files='/**\(~\|\.bak\|\.orig\|\.rpmnew\|** >>>>> \.rpmorig\|\.rpmsave\)$/d' >>>>> + RETVAL=0 >>>>> + PIDFILE=/var/run/syslogd.pid >>>>> + prog=rsyslogd >>>>> + exec=/usr/sbin/rsyslogd >>>>> + lockfile=/var/lock/subsys/**rsyslogd >>>>> + case "$1" in >>>>> + start >>>>> + '[' -x /usr/sbin/rsyslogd ']' >>>>> + '[' -f /etc/sysconfig/rsyslog ']' >>>>> + . /etc/sysconfig/rsyslog >>>>> ++ SYSLOGD_OPTIONS='-c 6' >>>>> + umask 077 >>>>> + echo -n 'Starting system logger: ' >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >>>>> /usr/sbin/rsyslogd -c 6 >>>>> + local gotbase= force= nicelevel corelimit >>>>> + local pid base= user= nice= bg= pid_file= >>>>> + local cgroup= >>>>> + nicelevel=0 >>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' >>>>> -pidfile=/var/run/syslogd.pid ']' >>>>> + case $1 in >>>>> + pid_file=/var/run/syslogd.pid >>>>> + shift >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >>>>> + '[' -z '' ']' >>>>> + base=rsyslogd >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid >>>>> + local base=rsyslogd >>>>> + local pid_file=/var/run/syslogd.pid >>>>> + pid= >>>>> + '[' -f /var/run/syslogd.pid ']' >>>>> + return 3 >>>>> + '[' -n '' -a -z '' ']' >>>>> + corelimit='ulimit -S -c 0' >>>>> + '[' -n '' ']' >>>>> + '[' -n '' ']' >>>>> + '[' color = verbose -a -z '' ']' >>>>> + '[' -z '' ']' >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c >>>>> 6' >>>>> ... >>>>> (hangs here for a long time) >>>>> ... 
>>>>> + '[' 1 -eq 0 ']' >>>>> + failure 'rsyslogd startup' >>>>> + local rc=1 >>>>> + '[' color '!=' verbose -a -z '' ']' >>>>> + echo_failure >>>>> + '[' color = color ']' >>>>> + echo -en '\033[60G' >>>>> + echo -n '[' >>>>> [+ '[' color = color ']' >>>>> + echo -en '\033[0;31m' >>>>> + echo -n FAILED >>>>> FAILED+ '[' color = color ']' >>>>> + echo -en '\033[0;39m' >>>>> + echo -n ']' >>>>> ]+ echo -ne '\r' >>>>> + return 1 >>>>> + '[' -x /usr/bin/plymouth ']' >>>>> + /usr/bin/plymouth --details >>>>> + return 1 >>>>> + RETVAL=1 >>>>> + echo >>>>> >>>>> + '[' 1 -eq 0 ']' >>>>> + return 1 >>>>> + exit 1 >>>>> >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but >>>>> same thing happens... >>>>> >>>>> >>>>> >>>>> Thanks in advance :-) ! >>>>> >>>>> Br. >>>>> ~maymann >>>>> >>>>> >>>>> >>>>> 2012/2/2 Rainer Gerhards >>>>> >>>>> I can only help you with that part if you point me to why exactly the >>>>>> script >>>>>> claims what it does. So you may want to try find someone who can do >>>>>> that. >>>>>> I >>>>>> know this is probably a trivial question, but I don't know anything ;) >>>>>> >>>>>> Sry, rainer >>>>>> >>>>>> -----Original Message----- >>>>>>> From: rsyslog-bounces at lists.adiscon.**com[mailto: >>>>>>> rsyslog- >>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>> To: rsyslog-users >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>> >>>>>>> Here is my startup script... only thing changed is the path to the >>>>>>> new >>>>>>> 6.3.6-rsyslog-devel binary. >>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes if i >>>>>>> have >>>>>>> both or one of the entries...: >>>>>>> #!/bin/bash >>>>>>> # >>>>>>> # rsyslog Starts rsyslogd/rklogd. 
>>>>>>> # >>>>>>> # >>>>>>> # chkconfig: 2345 12 88 >>>>>>> # description: Syslog is the facility by which many daemons use to >>>>>>> log >>>>>>> \ >>>>>>> # messages to various system log files. It is a good idea to always >>>>>>> \ >>>>>>> # run rsyslog. >>>>>>> ### BEGIN INIT INFO >>>>>>> # Provides: $syslog >>>>>>> # Required-Start: $local_fs >>>>>>> # Required-Stop: $local_fs >>>>>>> # Default-Start: 2 3 4 5 >>>>>>> # Default-Stop: 0 1 6 >>>>>>> # Short-Description: Enhanced system logging and kernel message >>>>>>> trapping >>>>>>> daemons >>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd >>>>>>> supporting, >>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted >>>>>>> # sender lists, filtering on any message part, and fine >>>>>>> # grain output format control. >>>>>>> ### END INIT INFO >>>>>>> >>>>>>> # Source function library. >>>>>>> . /etc/init.d/functions >>>>>>> >>>>>>> RETVAL=0 >>>>>>> PIDFILE=/var/run/syslogd.pid >>>>>>> >>>>>>> prog=rsyslogd >>>>>>> #exec=/sbin/rsyslogd >>>>>>> exec=/usr/sbin/rsyslogd >>>>>>> lockfile=/var/lock/subsys/$**prog >>>>>>> >>>>>>> start() { >>>>>>> [ -x $exec ] || exit 5 >>>>>>> >>>>>>> # Source config >>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then >>>>>>> . /etc/sysconfig/rsyslog >>>>>>> fi >>>>>>> umask 077 >>>>>>> >>>>>>> echo -n $"Starting system logger: " >>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >>>>>>> RETVAL=$? >>>>>>> echo >>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile >>>>>>> return $RETVAL >>>>>>> } >>>>>>> stop() { >>>>>>> echo -n $"Shutting down system logger: " >>>>>>> killproc $prog >>>>>>> RETVAL=$? >>>>>>> echo >>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile >>>>>>> return $RETVAL >>>>>>> } >>>>>>> reload() { >>>>>>> RETVAL=1 >>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) >>>>>>> echo -n "Reloading system logger..." >>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >>>>>>> kill -HUP "$syslog"; >>>>>>> RETVAL=$? 
>>>>>>> fi >>>>>>> if [ $RETVAL -ne 0 ]; then >>>>>>> failure >>>>>>> else >>>>>>> success >>>>>>> fi >>>>>>> echo >>>>>>> return $RETVAL >>>>>>> } >>>>>>> rhstatus() { >>>>>>> status -p "${PIDFILE}" $prog >>>>>>> } >>>>>>> restart() { >>>>>>> stop >>>>>>> start >>>>>>> } >>>>>>> >>>>>>> case "$1" in >>>>>>> start) >>>>>>> start >>>>>>> ;; >>>>>>> stop) >>>>>>> stop >>>>>>> ;; >>>>>>> restart) >>>>>>> restart >>>>>>> ;; >>>>>>> reload|force-reload) >>>>>>> reload >>>>>>> ;; >>>>>>> status) >>>>>>> rhstatus >>>>>>> ;; >>>>>>> condrestart|try-restart) >>>>>>> rhstatus >/dev/null 2>&1 || exit 0 >>>>>>> restart >>>>>>> ;; >>>>>>> *) >>>>>>> echo $"Usage: $0 >>>>>>> {start|stop|restart|**condrestart|try-restart|**reload|force- >>>>>>> reload|status}" >>>>>>> exit 2 >>>>>>> esac >>>>>>> >>>>>>> exit $? >>>>>>> >>>>>>> 2012/2/2 Rainer Gerhards >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>>> From: rsyslog-bounces at lists.adiscon.**com[mailto: >>>>>>>>> rsyslog- >>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>> To: rsyslog-users >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> David: thanks - got it working with permission dropping, by far my >>>>>>>>> prefered >>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>> Rainer: please let us know if the debug info of the "permission >>>>>>>>> dropping: >>>>>>>>> hang+timeout" I send you can solve anything... anyway it works now >>>>>>>>> >>>>>>>> - >>>>>>> >>>>>>>> but >>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>> >>>>>>>> >>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the >>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks >>>>>>>> >>>>>>> like >>>>>>> >>>>>>>> there is some problem with the startup script, which I don't know. 
I >>>>>>>> suggest >>>>>>>> to ask what the FAILED status is caused by. We can then look why >>>>>>>> this >>>>>>>> happens. >>>>>>>> >>>>>>>> Sorry I have no better answer... >>>>>>>> Rainer >>>>>>>> >>>>>>>> >>>>>>>>> Thanks in advance :-) ! >>>>>>>>> ~maymann >>>>>>>>> >>>>>>>>> 2012/2/1 >>>>>>>>> >>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working >>>>>>>>>>> >>>>>>>>>> fine >>>>>>> >>>>>>>> running >>>>>>>>> >>>>>>>>>> as root. >>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>> >>>>>>>>>> located >>>>>>> >>>>>>>> on NFS >>>>>>>>> >>>>>>>>>> (and root export of NFS is generally not a good idea !). >>>>>>>>>>> >>>>>>>>>>> Here is my rsyslog.conf: >>>>>>>>>>> #LOAD MODULES >>>>>>>>>>> $ModLoad imudp >>>>>>>>>>> $UDPServerRun 514 >>>>>>>>>>> $UDPServerAddress 127.0.0.1 >>>>>>>>>>> $ModLoad imtcp >>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>> #SET DESTINATION FOR LOGS >>>>>>>>>>> $template >>>>>>>>>>> DYNmessages,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** >>>>>>>>>>> $MONTH%_messages" >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNsecure,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_secure" >>>>>>> >>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNmaillog,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_maillo >>>>>>> >>>>>>>> g" >>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>> DYNcron,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** >>>>>>>>> ** >>>>>>>>> >>>>>>>>>> cron" >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNspooler,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_spoole >>>>>>> >>>>>>>> r" >>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNboot,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** >>>>>>> **boot.log" >>>>>>> >>>>>>>> $template >>>>>>>>>>> >>>>>>>>>> DYNtraps,"/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%** 
>>>>>>>>> _** >>>>>>>>> >>>>>>>>>> traps" >>>>>>>>>>> #SET LOGGING CONDITIONS >>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages >>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure >>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog >>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron >>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler >>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot >>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>>>>>>> >>>>>>>>>> 'WARNING' >>>>>>>>> >>>>>>>>>> then ?DYNtraps >>>>>>>>>>> >>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root >>>>>>>>>>> >>>>>>>>>> user: >>>>>>> >>>>>>>> 2012-01-31T15:45:52.997693+02:****00 rsyslogd: [origin >>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >>>>>>>>>>> http://www.rsyslog.com"] start >>>>>>>>>>> 2012-01-31T15:45:52.997294+02:****00 rsyslogd: bind: >>>>>>>>>>> >>>>>>>>>> Permission >>>>>>>>> >>>>>>>>>> denied >>>>>>>>>>> 2012-01-31T15:45:52.997369+02:****00 rsyslogd: bind: >>>>>>>>>>> >>>>>>>>>> Permission >>>>>>>>> >>>>>>>>>> denied >>>>>>>>>>> 2012-01-31T15:45:52.997374+02:****00 rsyslogd: No UDP >>>>>>>>>>> >>>>>>>>>> listen >>>>>>>>> >>>>>>>>>> socket >>>>>>>>>>> could successfully be initialized, message reception via UDP >>>>>>>>>>> >>>>>>>>>> disabled. >>>>>>>>> >>>>>>>>>> 2012-01-31T15:45:52.997376+02:****00 rsyslogd: imudp: >>>>>>>>>>> >>>>>>>>>> no >>>>>>> >>>>>>>> listeners >>>>>>>>>>> could be started, input not activated. >>>>>>>>>>> 2012-01-31T15:45:52.997379+02:****00 rsyslogd3: >>>>>>>>>>> >>>>>>>>>> activation >>>>>>> >>>>>>>> of >>>>>>>>> >>>>>>>>>> module >>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] >>>>>>>>>>> 2012-01-31T15:45:52.997643+02:****00 rsyslogd-2077: >>>>>>>>>>> >>>>>>>>>> Could >>>>>>> >>>>>>>> not >>>>>>>>> >>>>>>>>>> create >>>>>>>>>>> tcp listener, ignoring port 514. 
[try >>>>>>>>>>> >>>>>>>>>> http://www.rsyslog.com/e/2077 >>>>>>> >>>>>>>> ] >>>>>>>>> >>>>>>>>>> >>>>>>>>>>> So permissions to bind and sockets seems to be the problem... >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without >>>>>>>>>> >>>>>>>>> making >>>>>>> >>>>>>>> some >>>>>>>>> >>>>>>>>>> other non-standard changes through sysctl) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root >>>>>>>>>> >>>>>>>>> user >>>>>>> >>>>>>>> - if >>>>>>>>> >>>>>>>>>> yes: how ? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> permission drop features >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run >>>>>>>>>> >>>>>>>>> rsyslog >>>>>>>>> >>>>>>>>>> server - if yes: how ? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> pick a listening port > 1024 and it should work. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can >>>>>>>>>> >>>>>>>>> chkconfig do >>>>>>>>> >>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> su can run a command as a different user. >>>>>>>>>> >>>>>>>>>> although as Rainer points out, you may just be looking for the >>>>>>>>>> >>>>>>>>> permission >>>>>>>>> >>>>>>>>>> dropping features that are already in rsyslog. 
>>>>>>>>>> >>>>>>>>>> David Lang >>>>>>>>>> >>>>>>>>>> ______________________________****_________________ >>>>>>>>>> rsyslog mailing list >>>>>>>>>> >>>>>>>>>> >>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>> >>>>>>> >>>>>>>> n.net/mailman/listinfo/rsyslog**> >>>>>>>>> >>>>>>>>>> http://www.rsyslog.com/****professional- >>>>>>>>>> >>>>>>>>> services/ >>>>>>>>> > >>>>>>>>> >>>>>>>>>> >>>>>>>>>> ______________________________**_________________ >>>>>>>>> rsyslog mailing list >>>>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>>>> >>>>>>>> ______________________________**_________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>>> >>>>>>>> ______________________________**_________________ >>>>>>> rsyslog mailing list >>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>> >>>>>> ______________________________**_________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com/**professional-services/ >>>>>> >>>>>> >>>>> >>>>> ______________________________**_________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/**professional-services/ >>>> >>>> ______________________________**_________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>> http://www.rsyslog.com/**professional-services/ >>> >> >> > From rgerhards at hq.adiscon.com Fri Feb 3 08:54:04 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 3 Feb 2012 08:54:04 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: References: 
<9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Friday, February 03, 2012 8:38 AM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog as non-root user > > Hi, > > forgot to mention, that when i run: > # /usr/sbin/rsyslogd -c 6 > it does the same thing... (hang+timeout+live What do you mean with "hang"? I could see no indication of any slowed-down processing inside the debug log. It may also be useful if you shared the debug log publically, in case someone else has an idea. rainer > init/PrivDropToUser-owned-child-proccess) again only when PrivDropTo is > enabled in /etc/rsyslog.conf... otherwise working perfectly... > Would this possibly be solved in yesterdays release: 6.3.7-devel ? > > Thanks in advance :-) ! > ~maymann > > 2012/2/3 Michael Maymann > > > Hi, > > > > David: unfortunately this was not the case...: > > # cat /etc/sysconfig/selinux > > # This file controls the state of SELinux on the system. > > # SELINUX= can take one of these three values: > > # enforcing - SELinux security policy is enforced. > > # permissive - SELinux prints warnings instead of enforcing. > > # disabled - SELinux is fully disabled. > > SELINUX=disabled > > # SELINUXTYPE= type of policy in use. Possible values are: > > # targeted - Only targeted network daemons are protected. > > # strict - Full SELinux protection. > > SELINUXTYPE=targeted > > > > What else could cause this problem ? > > > > > > > > Thanks in advance :-) ! > > ~maymann > > > > 2012/2/2 Michael Maymann > > > >> Hi, > >> > >> David: Thanks for your reply - sounds possible... I will try this > first > >> thing tomorrow morning and report back with findings... > >> > >> Br. 
> >> ~maymann > >> > >> 2012/2/2 > >> > >> On Thu, 2 Feb 2012, Michael Maymann wrote: > >>> > >>> Hi Rainer, > >>>> > >>>> I really have my doubts it has something to do with my startup > script: > >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default > >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf. > >>>> > >>>> I'm running on RHEL6.1_x64. > >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can > >>>> test...? > >>>> > >>> > >>> > >>> my guess is that this is a SELINUX related problem. > >>> > >>> what happens if you try to start rsyslog manually (not by running > the > >>> startup script, but just running 'rsyslogd -c 6' " > >>> > >>> David Lang > >>> > >>> > >>> > >>>> Thanks in advance :-) ! > >>>> ~maymann > >>>> > >>>> 2012/2/2 Michael Maymann > >>>> > >>>> Hi, > >>>>> > >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything > about > >>>>> failing in the logs... and it actually doesn't fail... it works > and > >>>>> after > >>>>> the timeout+failed notice only the proccess owned by > >>>>> PrivDropToUser-USER is > >>>>> present, but now owned by the init-proccess (mother proccess > dies): > >>>>> > >>>>> # service rsyslog start > >>>>> Starting system logger: > [FAILED] > >>>>> > >>>>> BEFORE failed status: > >>>>> root 9126 9125 0 11:07 pts/1 00:00:00 > /usr/sbin/rsyslogd -c 6 > >>>>> 9131 9126 0 11:07 ? 00:00:00 > >>>>> /usr/sbin/rsyslogd -c 6 > >>>>> > >>>>> AFTER failed status root-owned proccess is killed and > >>>>> PrivDropToUser-USER > >>>>> owned proccess is therefore gets owned by init: > >>>>> 9131 1 0 11:07 ? 00:00:00 > >>>>> /usr/sbin/rsyslogd -c 6 > >>>>> > >>>>> Anyone who can help with this...?: > >>>>> here is the debug output when starting running the init-script: > >>>>> #/etc/init.d/rsyslog start > >>>>> + . 
/etc/init.d/functions > >>>>> ++ TEXTDOMAIN=initscripts > >>>>> ++ umask 022 > >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/**usr/bin > >>>>> ++ export PATH > >>>>> ++ '[' -z '' ']' > >>>>> ++ COLUMNS=80 > >>>>> ++ '[' -z '' ']' > >>>>> +++ /sbin/consoletype > >>>>> ++ CONSOLETYPE=pty > >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' > >>>>> ++ . /etc/profile.d/lang.sh > >>>>> ++ unset LANGSH_SOURCED > >>>>> ++ '[' -z '' ']' > >>>>> ++ '[' -f /etc/sysconfig/init ']' > >>>>> ++ . /etc/sysconfig/init > >>>>> +++ BOOTUP=color > >>>>> +++ RES_COL=60 > >>>>> +++ MOVE_TO_COL='echo -en \033[60G' > >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' > >>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' > >>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' > >>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' > >>>>> +++ PROMPT=yes > >>>>> +++ AUTOSWAP=no > >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]**' > >>>>> +++ SINGLE=/sbin/sushell > >>>>> ++ '[' pty = serial ']' > >>>>> ++ > >>>>> __sed_discard_ignored_files='/**\(~\|\.bak\|\.orig\|\.rpmnew\|** > >>>>> \.rpmorig\|\.rpmsave\)$/d' > >>>>> + RETVAL=0 > >>>>> + PIDFILE=/var/run/syslogd.pid > >>>>> + prog=rsyslogd > >>>>> + exec=/usr/sbin/rsyslogd > >>>>> + lockfile=/var/lock/subsys/**rsyslogd > >>>>> + case "$1" in > >>>>> + start > >>>>> + '[' -x /usr/sbin/rsyslogd ']' > >>>>> + '[' -f /etc/sysconfig/rsyslog ']' > >>>>> + . 
/etc/sysconfig/rsyslog > >>>>> ++ SYSLOGD_OPTIONS='-c 6' > >>>>> + umask 077 > >>>>> + echo -n 'Starting system logger: ' > >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid > >>>>> /usr/sbin/rsyslogd -c 6 > >>>>> + local gotbase= force= nicelevel corelimit > >>>>> + local pid base= user= nice= bg= pid_file= > >>>>> + local cgroup= > >>>>> + nicelevel=0 > >>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' > >>>>> -pidfile=/var/run/syslogd.pid ']' > >>>>> + case $1 in > >>>>> + pid_file=/var/run/syslogd.pid > >>>>> + shift > >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' > >>>>> + '[' -z '' ']' > >>>>> + base=rsyslogd > >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid > >>>>> + local base=rsyslogd > >>>>> + local pid_file=/var/run/syslogd.pid > >>>>> + pid= > >>>>> + '[' -f /var/run/syslogd.pid ']' > >>>>> + return 3 > >>>>> + '[' -n '' -a -z '' ']' > >>>>> + corelimit='ulimit -S -c 0' > >>>>> + '[' -n '' ']' > >>>>> + '[' -n '' ']' > >>>>> + '[' color = verbose -a -z '' ']' > >>>>> + '[' -z '' ']' > >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; > /usr/sbin/rsyslogd -c > >>>>> 6' > >>>>> ... > >>>>> (hangs here for a long time) > >>>>> ... > >>>>> + '[' 1 -eq 0 ']' > >>>>> + failure 'rsyslogd startup' > >>>>> + local rc=1 > >>>>> + '[' color '!=' verbose -a -z '' ']' > >>>>> + echo_failure > >>>>> + '[' color = color ']' > >>>>> + echo -en '\033[60G' > >>>>> + echo > -n '[' > >>>>> [+ '[' color = color ']' > >>>>> + echo -en '\033[0;31m' > >>>>> + echo -n FAILED > >>>>> FAILED+ '[' color = color ']' > >>>>> + echo -en '\033[0;39m' > >>>>> + echo -n ']' > >>>>> ]+ echo -ne '\r' > >>>>> + return 1 > >>>>> + '[' -x /usr/bin/plymouth ']' > >>>>> + /usr/bin/plymouth --details > >>>>> + return 1 > >>>>> + RETVAL=1 > >>>>> + echo > >>>>> > >>>>> + '[' 1 -eq 0 ']' > >>>>> + return 1 > >>>>> + exit 1 > >>>>> > >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys > - but > >>>>> same thing happens... 
> >>>>> > >>>>> > >>>>> > >>>>> Thanks in advance :-) ! > >>>>> > >>>>> Br. > >>>>> ~maymann > >>>>> > >>>>> > >>>>> > >>>>> 2012/2/2 Rainer Gerhards > >>>>> > >>>>> I can only help you with that part if you point me to why > exactly the > >>>>>> script > >>>>>> claims what it does. So you may want to try find someone who can > do > >>>>>> that. > >>>>>> I > >>>>>> know this is probably a trivial question, but I don't know > anything ;) > >>>>>> > >>>>>> Sry, rainer > >>>>>> > >>>>>> -----Original Message----- > >>>>>>> From: rsyslog-bounces at lists.adiscon.**com bounces at lists.adiscon.com>[mailto: > >>>>>>> rsyslog- > >>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann > >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM > >>>>>>> To: rsyslog-users > >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user > >>>>>>> > >>>>>>> Here is my startup script... only thing changed is the path to > the > >>>>>>> new > >>>>>>> 6.3.6-rsyslog-devel binary. > >>>>>>> The startup-scripts works also perfectly when i comment out the > >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but > failes if i > >>>>>>> have > >>>>>>> both or one of the entries...: > >>>>>>> #!/bin/bash > >>>>>>> # > >>>>>>> # rsyslog Starts rsyslogd/rklogd. > >>>>>>> # > >>>>>>> # > >>>>>>> # chkconfig: 2345 12 88 > >>>>>>> # description: Syslog is the facility by which many daemons use > to > >>>>>>> log > >>>>>>> \ > >>>>>>> # messages to various system log files. It is a good idea to > always > >>>>>>> \ > >>>>>>> # run rsyslog. 
> >>>>>>> ### BEGIN INIT INFO > >>>>>>> # Provides: $syslog > >>>>>>> # Required-Start: $local_fs > >>>>>>> # Required-Stop: $local_fs > >>>>>>> # Default-Start: 2 3 4 5 > >>>>>>> # Default-Stop: 0 1 6 > >>>>>>> # Short-Description: Enhanced system logging and kernel message > >>>>>>> trapping > >>>>>>> daemons > >>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd > >>>>>>> supporting, > >>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, > permitted > >>>>>>> # sender lists, filtering on any message part, and > fine > >>>>>>> # grain output format control. > >>>>>>> ### END INIT INFO > >>>>>>> > >>>>>>> # Source function library. > >>>>>>> . /etc/init.d/functions > >>>>>>> > >>>>>>> RETVAL=0 > >>>>>>> PIDFILE=/var/run/syslogd.pid > >>>>>>> > >>>>>>> prog=rsyslogd > >>>>>>> #exec=/sbin/rsyslogd > >>>>>>> exec=/usr/sbin/rsyslogd > >>>>>>> lockfile=/var/lock/subsys/$**prog > >>>>>>> > >>>>>>> start() { > >>>>>>> [ -x $exec ] || exit 5 > >>>>>>> > >>>>>>> # Source config > >>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then > >>>>>>> . /etc/sysconfig/rsyslog > >>>>>>> fi > >>>>>>> umask 077 > >>>>>>> > >>>>>>> echo -n $"Starting system logger: " > >>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS > >>>>>>> RETVAL=$? > >>>>>>> echo > >>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile > >>>>>>> return $RETVAL > >>>>>>> } > >>>>>>> stop() { > >>>>>>> echo -n $"Shutting down system logger: " > >>>>>>> killproc $prog > >>>>>>> RETVAL=$? > >>>>>>> echo > >>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile > >>>>>>> return $RETVAL > >>>>>>> } > >>>>>>> reload() { > >>>>>>> RETVAL=1 > >>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) > >>>>>>> echo -n "Reloading system logger..." > >>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > >>>>>>> kill -HUP "$syslog"; > >>>>>>> RETVAL=$? 
> >>>>>>> fi > >>>>>>> if [ $RETVAL -ne 0 ]; then > >>>>>>> failure > >>>>>>> else > >>>>>>> success > >>>>>>> fi > >>>>>>> echo > >>>>>>> return $RETVAL > >>>>>>> } > >>>>>>> rhstatus() { > >>>>>>> status -p "${PIDFILE}" $prog > >>>>>>> } > >>>>>>> restart() { > >>>>>>> stop > >>>>>>> start > >>>>>>> } > >>>>>>> > >>>>>>> case "$1" in > >>>>>>> start) > >>>>>>> start > >>>>>>> ;; > >>>>>>> stop) > >>>>>>> stop > >>>>>>> ;; > >>>>>>> restart) > >>>>>>> restart > >>>>>>> ;; > >>>>>>> reload|force-reload) > >>>>>>> reload > >>>>>>> ;; > >>>>>>> status) > >>>>>>> rhstatus > >>>>>>> ;; > >>>>>>> condrestart|try-restart) > >>>>>>> rhstatus >/dev/null 2>&1 || exit 0 > >>>>>>> restart > >>>>>>> ;; > >>>>>>> *) > >>>>>>> echo $"Usage: $0 > >>>>>>> {start|stop|restart|**condrestart|try-restart|**reload|force- > >>>>>>> reload|status}" > >>>>>>> exit 2 > >>>>>>> esac > >>>>>>> > >>>>>>> exit $? > >>>>>>> > >>>>>>> 2012/2/2 Rainer Gerhards > >>>>>>> > >>>>>>> > >>>>>>>> > >>>>>>>> -----Original Message----- > >>>>>>>>> From: rsyslog-bounces at lists.adiscon.**com bounces at lists.adiscon.com>[mailto: > >>>>>>>>> rsyslog- > >>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann > >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM > >>>>>>>>> To: rsyslog-users > >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user > >>>>>>>>> > >>>>>>>>> Hi, > >>>>>>>>> > >>>>>>>>> David: thanks - got it working with permission dropping, by > far my > >>>>>>>>> prefered > >>>>>>>>> configuration... just didn't know of it...:-) ! > >>>>>>>>> Rainer: please let us know if the debug info of the > "permission > >>>>>>>>> dropping: > >>>>>>>>> hang+timeout" I send you can solve anything... anyway it > works now > >>>>>>>>> > >>>>>>>> - > >>>>>>> > >>>>>>>> but > >>>>>>>>> not optimal if other people have to service my setup...:-) ! > >>>>>>>>> > >>>>>>>> > >>>>>>>> I have reviewed the debug log and I see nothing unexpected. 
> >>>>>>>> From the timestamps I also see that there is no hang whatsoever. So it
> >>>>>>>> looks like there is some problem with the startup script, which I don't
> >>>>>>>> know. I suggest to ask what the FAILED status is caused by. We can then
> >>>>>>>> look why this happens.
> >>>>>>>>
> >>>>>>>> Sorry I have no better answer...
> >>>>>>>> Rainer
> >>>>>>>>
> >>>>>>>>> Thanks in advance :-) !
> >>>>>>>>> ~maymann

From michael at maymann.org Fri Feb 3 09:23:50 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 09:23:50 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

I have attached debug info both when PrivDropTo is enabled and disabled.
Only difference I can see is the 5 minutes it takes for the PrivDropTo_enabled run to timeout (mother process dies and child process thereby gets owned by init)...
Hopefully someone can see something more...:-) !

Thanks in advance :-) !
~maymann

2012/2/3 Rainer Gerhards

> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Friday, February 03, 2012 8:38 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] rsyslog as non-root user
> >
> > Hi,
> >
> > forgot to mention, that when I run:
> > # /usr/sbin/rsyslogd -c 6
> > it does the same thing... (hang+timeout+live
>
> What do you mean with "hang"? I could see no indication of any slowed-down
> processing inside the debug log. It may also be useful if you shared the
> debug log publicly, in case someone else has an idea.
>
> rainer
>
> > init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
> > enabled in /etc/rsyslog.conf... otherwise working perfectly...
> > Would this possibly be solved in yesterday's release: 6.3.7-devel ?
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> > 2012/2/3 Michael Maymann
> >
> > > Hi,
> > >
> > > David: unfortunately this was not the case...:
> > > # cat /etc/sysconfig/selinux
> > > # This file controls the state of SELinux on the system.
> > > # SELINUX= can take one of these three values:
> > > # enforcing - SELinux security policy is enforced.
> > > # permissive - SELinux prints warnings instead of enforcing.
> > > # disabled - SELinux is fully disabled.
> > > SELINUX=disabled
> > > # SELINUXTYPE= type of policy in use. Possible values are:
> > > # targeted - Only targeted network daemons are protected.
> > > # strict - Full SELinux protection.
> > > SELINUXTYPE=targeted
> > >
> > > What else could cause this problem ?
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > > 2012/2/2 Michael Maymann
> > >
> > >> Hi,
> > >>
> > >> David: Thanks for your reply - sounds possible... I will try this first
> > >> thing tomorrow morning and report back with findings...
> > >>
> > >> Br.
> > >> ~maymann
> > >>
> > >> 2012/2/2
> > >>
> > >> On Thu, 2 Feb 2012, Michael Maymann wrote:
> > >>>
> > >>> Hi Rainer,
> > >>>>
> > >>>> I really have my doubts it has something to do with my startup script:
> > >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> > >>>>
> > >>>> I'm running on RHEL6.1_x64.
> > >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
> > >>>> test...?
> > >>>>
> > >>>
> > >>> my guess is that this is a SELINUX related problem.
> > >>>
> > >>> what happens if you try to start rsyslog manually (not by running the
> > >>> startup script, but just running 'rsyslogd -c 6')
> > >>>
> > >>> David Lang
> > >>>
> > >>>> Thanks in advance :-) !
> > >>>> ~maymann
> > >>>>
> > >>>> 2012/2/2 Michael Maymann
> > >>>>
> > >>>> Hi,
> > >>>>>
> > >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
> > >>>>> failing in the logs... and it actually doesn't fail... it works and
> > >>>>> after the timeout+failed notice only the process owned by
> > >>>>> PrivDropToUser-USER is present, but now owned by the init-process
> > >>>>> (mother process dies):
> > >>>>>
> > >>>>> # service rsyslog start
> > >>>>> Starting system logger:   [FAILED]
> > >>>>>
> > >>>>> BEFORE failed status:
> > >>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> > >>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
> > >>>>>
> > >>>>> AFTER failed status root-owned process is killed and
> > >>>>> PrivDropToUser-USER owned process therefore gets owned by init:
> > >>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
> > >>>>>
> > >>>>> Anyone who can help with this...?:
> > >>>>> here is the debug output when starting running the init-script:
> > >>>>> #/etc/init.d/rsyslog start
> > >>>>> + . /etc/init.d/functions
> > >>>>> ++ TEXTDOMAIN=initscripts
> > >>>>> ++ umask 022
> > >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> > >>>>> ++ export PATH
> > >>>>> ++ '[' -z '' ']'
> > >>>>> ++ COLUMNS=80
> > >>>>> ++ '[' -z '' ']'
> > >>>>> +++ /sbin/consoletype
> > >>>>> ++ CONSOLETYPE=pty
> > >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > >>>>> ++ . /etc/profile.d/lang.sh
> > >>>>> ++ unset LANGSH_SOURCED
> > >>>>> ++ '[' -z '' ']'
> > >>>>> ++ '[' -f /etc/sysconfig/init ']'
> > >>>>> ++ . /etc/sysconfig/init
> > >>>>> +++ BOOTUP=color
> > >>>>> +++ RES_COL=60
> > >>>>> +++ MOVE_TO_COL='echo -en \033[60G'
> > >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
> > >>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
> > >>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
> > >>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
> > >>>>> +++ PROMPT=yes
> > >>>>> +++ AUTOSWAP=no
> > >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> > >>>>> +++ SINGLE=/sbin/sushell
> > >>>>> ++ '[' pty = serial ']'
> > >>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> > >>>>> + RETVAL=0
> > >>>>> + PIDFILE=/var/run/syslogd.pid
> > >>>>> + prog=rsyslogd
> > >>>>> + exec=/usr/sbin/rsyslogd
> > >>>>> + lockfile=/var/lock/subsys/rsyslogd
> > >>>>> + case "$1" in
> > >>>>> + start
> > >>>>> + '[' -x /usr/sbin/rsyslogd ']'
> > >>>>> + '[' -f /etc/sysconfig/rsyslog ']'
> > >>>>> + . /etc/sysconfig/rsyslog
> > >>>>> ++ SYSLOGD_OPTIONS='-c 6'
> > >>>>> + umask 077
> > >>>>> + echo -n 'Starting system logger: '
> > >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
> > >>>>> + local gotbase= force= nicelevel corelimit
> > >>>>> + local pid base= user= nice= bg= pid_file=
> > >>>>> + local cgroup=
> > >>>>> + nicelevel=0
> > >>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
> > >>>>> + case $1 in
> > >>>>> + pid_file=/var/run/syslogd.pid
> > >>>>> + shift
> > >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > >>>>> + '[' -z '' ']'
> > >>>>> + base=rsyslogd
> > >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
> > >>>>> + local base=rsyslogd
> > >>>>> + local pid_file=/var/run/syslogd.pid
> > >>>>> + pid=
> > >>>>> + '[' -f /var/run/syslogd.pid ']'
> > >>>>> + return 3
> > >>>>> + '[' -n '' -a -z '' ']'
> > >>>>> + corelimit='ulimit -S -c 0'
> > >>>>> + '[' -n '' ']'
> > >>>>> + '[' -n '' ']'
> > >>>>> + '[' color = verbose -a -z '' ']'
> > >>>>> + '[' -z '' ']'
> > >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
> > >>>>> ...
> > >>>>> (hangs here for a long time)
> > >>>>> ...
> > >>>>> + '[' 1 -eq 0 ']'
> > >>>>> + failure 'rsyslogd startup'
> > >>>>> + local rc=1
> > >>>>> + '[' color '!=' verbose -a -z '' ']'
> > >>>>> + echo_failure
> > >>>>> + '[' color = color ']'
> > >>>>> + echo -en '\033[60G'
> > >>>>> + echo -n '['
> > >>>>> [+ '[' color = color ']'
> > >>>>> + echo -en '\033[0;31m'
> > >>>>> + echo -n FAILED
> > >>>>> FAILED+ '[' color = color ']'
> > >>>>> + echo -en '\033[0;39m'
> > >>>>> + echo -n ']'
> > >>>>> ]+ echo -ne '\r'
> > >>>>> + return 1
> > >>>>> + '[' -x /usr/bin/plymouth ']'
> > >>>>> + /usr/bin/plymouth --details
> > >>>>> + return 1
> > >>>>> + RETVAL=1
> > >>>>> + echo
> > >>>>>
> > >>>>> + '[' 1 -eq 0 ']'
> > >>>>> + return 1
> > >>>>> + exit 1
> > >>>>>
> > >>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
> > >>>>> same thing happens...
> > >>>>>
> > >>>>> Thanks in advance :-) !
> > >>>>>
> > >>>>> Br.
> > >>>>> ~maymann
> > >>>>>
> > >>>>> 2012/2/2 Rainer Gerhards
> > >>>>>
> > >>>>>> I can only help you with that part if you point me to why exactly the
> > >>>>>> script claims what it does. So you may want to try find someone who can
> > >>>>>> do that.
> > >>>>>> I know this is probably a trivial question, but I don't know anything ;)
> > >>>>>>
> > >>>>>> Sry, rainer
rsyslog mailing list > > >>> > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > n.net/mailman/listinfo/rsyslog> > > >>> http://www.rsyslog.com/**professional- > > services/ > > >>> > > >> > > >> > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > -------------- next part -------------- # time /usr/sbin/rsyslogd -c 6 -d 5828.827246209:7febc1da8700: rsyslogd 6.3.6 startup, compatibility mode 6, module path '', cwd:/root 5828.827372364:7febc1da8700: caller requested object 'net', not found (iRet -3003) 5828.827382482:7febc1da8700: Requested to load module 'lmnet' 5828.827385280:7febc1da8700: loading module '/usr/lib64/rsyslog/lmnet.so' 5828.827468072:7febc1da8700: module lmnet of type 2 being loaded. 5828.827472404:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module 5828.827474611:7febc1da8700: entry point 'getModCnfName' not present in module 5828.827476661:7febc1da8700: entry point 'beginCnfLoad' not present in module 5828.827479768:7febc1da8700: source file conf.c requested reference for module 'lmnet', reference count now 1 5828.827499586:7febc1da8700: rsyslog runtime initialized, version 6.3.6, current users 1 5828.827528583:7febc1da8700: source file syslogd.c requested reference for module 'lmnet', reference count now 2 5828.827539078:7febc1da8700: GenerateLocalHostName uses 'oulog001' 5828.827546144:7febc1da8700: omfile: using transactional output interface. 5828.827561977:7febc1da8700: module builtin-file of type 1 being loaded. 
5828.827565127:7febc1da8700: module config name is 'omfile'
5828.827567315:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827573650:7febc1da8700: module builtin-pipe of type 1 being loaded.
5828.827576567:7febc1da8700: module config name is 'ompipe'
5828.827578626:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827581864:7febc1da8700: entry point 'beginTransaction' not present in module
5828.827584093:7febc1da8700: entry point 'endTransaction' not present in module
5828.827586086:7febc1da8700: entry point 'newActInst' not present in module
5828.827589213:7febc1da8700: module builtin-shell of type 1 being loaded.
5828.827591759:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827593878:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827596797:7febc1da8700: entry point 'doHUP' not present in module
5828.827598981:7febc1da8700: entry point 'beginTransaction' not present in module
5828.827600949:7febc1da8700: entry point 'endTransaction' not present in module
5828.827603018:7febc1da8700: entry point 'newActInst' not present in module
5828.827608103:7febc1da8700: module builtin-discard of type 1 being loaded.
5828.827610703:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827612687:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827615830:7febc1da8700: entry point 'doHUP' not present in module
5828.827617756:7febc1da8700: entry point 'beginTransaction' not present in module
5828.827619655:7febc1da8700: entry point 'endTransaction' not present in module
5828.827621748:7febc1da8700: entry point 'newActInst' not present in module
5828.827626172:7febc1da8700: source file omfwd.c requested reference for module 'lmnet', reference count now 3
5828.827635290:7febc1da8700: module builtin-fwd of type 1 being loaded.
5828.827637850:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827639972:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827642974:7febc1da8700: entry point 'doHUP' not present in module
5828.827645371:7febc1da8700: entry point 'newActInst' not present in module
5828.827653068:7febc1da8700: module builtin-usrmsg of type 1 being loaded.
5828.827656136:7febc1da8700: module config name is 'omusrmsg'
5828.827658232:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827661288:7febc1da8700: entry point 'doHUP' not present in module
5828.827663545:7febc1da8700: entry point 'beginTransaction' not present in module
5828.827665581:7febc1da8700: entry point 'endTransaction' not present in module
5828.827672453:7febc1da8700: rfc5424 parser init called
5828.827674927:7febc1da8700: GetParserName addr 0x413e90
5828.827677025:7febc1da8700: module builtin-pmrfc5424 of type 3 being loaded.
5828.827679142:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827681219:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827684367:7febc1da8700: Parser 'rsyslog.rfc5424' added to list of available parsers.
5828.827691493:7febc1da8700: rfc3164 parser init called
5828.827694010:7febc1da8700: module builtin-pmrfc3164 of type 3 being loaded.
5828.827696185:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827698221:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827700741:7febc1da8700: Parser 'rsyslog.rfc3164' added to list of available parsers.
5828.827702998:7febc1da8700: Parser 'rsyslog.rfc5424' added to default parser set.
5828.827705150:7febc1da8700: Parser 'rsyslog.rfc3164' added to default parser set.
5828.827707655:7febc1da8700: rsyslog standard file format strgen init called, compiled with version 6.3.6
5828.827709994:7febc1da8700: module builtin-smfile of type 4 being loaded.
5828.827712014:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.827714180:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827716200:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827720576:7febc1da8700: Strgen 'RSYSLOG_FileFormat' added to list of available strgens.
5828.827723172:7febc1da8700: traditional file format strgen init called, compiled with version 6.3.6
5828.827725398:7febc1da8700: module builtin-smtradfile of type 4 being loaded.
5828.827730522:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.827732654:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827734534:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827737230:7febc1da8700: Strgen 'RSYSLOG_TraditionalFileFormat' added to list of available strgens.
5828.827739708:7febc1da8700: rsyslog standard (network) forward format strgen init called, compiled with version 6.3.6
5828.827742198:7febc1da8700: module builtin-smfwd of type 4 being loaded.
5828.827744175:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.827746213:7febc1da8700: entry point 'getModCnfName' not present in module
5828.827748043:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.827750263:7febc1da8700: Strgen 'RSYSLOG_ForwardFormat' added to list of available strgens.
5828.827752652:7febc1da8700: rsyslog traditional (network) forward format strgen init called, compiled with version 6.3.6
5828.827754898:7febc1da8700: module builtin-smtradfwd of type 4 being loaded.
5828.828403970:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.828407398:7febc1da8700: entry point 'getModCnfName' not present in module
5828.828409494:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.828413800:7febc1da8700: Strgen 'RSYSLOG_TraditionalForwardFormat' added to list of available strgens.
5828.828416683:7febc1da8700: doing legacy config system init
5828.828510702:7febc1da8700: template bound to strgen 'RSYSLOG_FileFormat'
5828.828514772:7febc1da8700: template bound to strgen 'RSYSLOG_TraditionalFileFormat'
5828.828521240:7febc1da8700: template bound to strgen 'RSYSLOG_ForwardFormat'
5828.828523809:7febc1da8700: template bound to strgen 'RSYSLOG_TraditionalForwardFormat'
5828.828611628:7febc1da8700: cnf:global:cfsysline: $PreserveFQDN on
5828.828617370:7febc1da8700: cnf:global:cfsysline: $PrivDropToGroup rme_it
5828.828713317:7febc1da8700: gid 201105 obtained for group 'rme_it'
5828.828718999:7febc1da8700: cnf:global:cfsysline: $PrivDropToUser _rsyslog
5828.828762911:7febc1da8700: uid 900000029 obtained for user '_rsyslog'
5828.828767735:7febc1da8700: cnf:global:cfsysline: $DirCreateMode 0750
5828.828771520:7febc1da8700: cnf:global:cfsysline: $FileCreateMode 0640
5828.828774426:7febc1da8700: cnf:global:cfsysline: $UMASK 0027
5828.828778051:7febc1da8700: cnf:global:cfsysline: $ModLoad imudp
5828.828781243:7febc1da8700: Requested to load module 'imudp'
5828.828785530:7febc1da8700: loading module '/usr/lib64/rsyslog/imudp.so'
5828.828841307:7febc1da8700: source file imudp.c requested reference for module 'lmnet', reference count now 4
5828.828856778:7febc1da8700: module imudp of type 0 being loaded.
5828.828860036:7febc1da8700: module config name is 'imudp'
5828.828861986:7febc1da8700: module imudp supports rsyslog v6 config interface
5828.828867377:7febc1da8700: cnf:global:cfsysline: $UDPServerRun 514
5828.828871673:7febc1da8700: doGetWord: get newval '514' (len 3), hdlr 0x7febc1935cb0
5828.828874920:7febc1da8700: cnf:global:cfsysline: $UDPServerAddress 127.0.0.1
5828.828879779:7febc1da8700: doGetWord: get newval '127.0.0.1' (len 9), hdlr (nil)
5828.828882535:7febc1da8700: cnf:global:cfsysline: $ModLoad imtcp
5828.828885242:7febc1da8700: Requested to load module 'imtcp'
5828.828887709:7febc1da8700: loading module '/usr/lib64/rsyslog/imtcp.so'
5828.828928616:7febc1da8700: source file imtcp.c requested reference for module 'lmnet', reference count now 5
5828.828933363:7febc1da8700: caller requested object 'netstrm', not found (iRet -3003)
5828.828938944:7febc1da8700: Requested to load module 'lmnetstrms'
5828.828941643:7febc1da8700: loading module '/usr/lib64/rsyslog/lmnetstrms.so'
5828.828989815:7febc1da8700: doing nsselClassInit
5828.828994338:7febc1da8700: doing nspollClassInit
5828.828998021:7febc1da8700: module lmnetstrms of type 2 being loaded.
5828.829000235:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.829002192:7febc1da8700: entry point 'getModCnfName' not present in module
5828.829004224:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.829006789:7febc1da8700: source file imtcp.c requested reference for module 'lmnetstrms', reference count now 1
5828.829009748:7febc1da8700: caller requested object 'tcps_sess', not found (iRet -3003)
5828.829011660:7febc1da8700: Requested to load module 'lmtcpsrv'
5828.829013978:7febc1da8700: loading module '/usr/lib64/rsyslog/lmtcpsrv.so'
5828.829063271:7febc1da8700: source file tcps_sess.c requested reference for module 'lmnetstrms', reference count now 2
5828.829069366:7febc1da8700: source file tcpsrv.c requested reference for module 'lmnet', reference count now 6
5828.829072097:7febc1da8700: source file tcpsrv.c requested reference for module 'lmnetstrms', reference count now 3
5828.829268222:7febc1da8700: module lmtcpsrv of type 2 being loaded.
5828.829272806:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module
5828.829274912:7febc1da8700: entry point 'getModCnfName' not present in module
5828.829276831:7febc1da8700: entry point 'beginCnfLoad' not present in module
5828.829280222:7febc1da8700: source file imtcp.c requested reference for module 'lmtcpsrv', reference count now 1
5828.829283520:7febc1da8700: source file imtcp.c requested reference for module 'lmtcpsrv', reference count now 2
5828.829305777:7febc1da8700: module imtcp of type 0 being loaded.
5828.829309130:7febc1da8700: module config name is 'imtcp'
5828.829311036:7febc1da8700: module imtcp supports rsyslog v6 config interface
5828.829317156:7febc1da8700: cnf:global:cfsysline: $InputTCPServerRun 514
5828.829321380:7febc1da8700: doGetWord: get newval '514' (len 3), hdlr 0x7febc1732660
5828.829325484:7febc1da8700: cnf:global:cfsysline: $template DYNmessages,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
5828.829337074:7febc1da8700: cnf:global:cfsysline: $template DYNsecure,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
5828.829346219:7febc1da8700: cnf:global:cfsysline: $template DYNmaillog,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
5828.829355111:7febc1da8700: cnf:global:cfsysline: $template DYNcron,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
5828.829364113:7febc1da8700: cnf:global:cfsysline: $template DYNspooler,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
5828.829371251:7febc1da8700: cnf:global:cfsysline: $template DYNboot,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
5828.829381284:7febc1da8700: cnf:global:cfsysline: $template DYNtraps,"/renesas/ou_rme/sp/syslog/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
5828.829388690:7febc1da8700: cnf:global:cfsysline: $template DYNIPmessages,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
5828.829397541:7febc1da8700: cnf:global:cfsysline: $template DYNIPsecure,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
5828.829406316:7febc1da8700: cnf:global:cfsysline: $template DYNIPmaillog,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
5828.829413243:7febc1da8700: cnf:global:cfsysline: $template DYNIPcron,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
5828.829421902:7febc1da8700: cnf:global:cfsysline: $template DYNIPspooler,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
5828.829429110:7febc1da8700: cnf:global:cfsysline: $template DYNIPboot,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
5828.829437663:7febc1da8700: cnf:global:cfsysline: $template DYNIPtraps,"/renesas/ou_rme/sp/syslog/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
5828.829454589:7febc1da8700: cnf:global:rule
5828.829457227:7febc1da8700: ------ start rule 0x26da140:
5828.829459134:7febc1da8700: filter:script:
5828.829462023:7febc1da8700: var '$syslogseverity'
5828.829465553:7febc1da8700: <=
5828.829468124:7febc1da8700: string '6'
5828.829472795:7febc1da8700: AND
5828.829474507:7febc1da8700: var '$fromhost-ip'
5828.829478024:7febc1da8700: !=
5828.829480532:7febc1da8700: string '???'
5828.829485185:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNmessages'
5828.829488095:7febc1da8700: ------ end rule 0x26da140
5828.829490825:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNmessages
5828.829497021:7febc1da8700: tried selector action for builtin-file: 0
5828.829501227:7febc1da8700: Module builtin-file processes this action.
5828.829505543:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.829507830:7febc1da8700: template: 'DYNmessages' assigned
5828.829514099:7febc1da8700: action 1 queue: save on shutdown 1, max disk space allowed 0
5828.829516379:7febc1da8700: Action 0x26da3a0: queue 0x26da4b0 created
5828.829519085:7febc1da8700: selector line successfully processed
5828.829523729:7febc1da8700: cnf:global:rule
5828.829525687:7febc1da8700: ------ start rule 0x26da860:
5828.829527477:7febc1da8700: filter:script:
5828.829530045:7febc1da8700: var '$syslogfacility-text'
5828.829533642:7febc1da8700: ==
5828.829536157:7febc1da8700: string 'authpriv'
5828.829540549:7febc1da8700: AND
5828.829542206:7febc1da8700: var '$fromhost-ip'
5828.829545561:7febc1da8700: !=
5828.829547931:7febc1da8700: string '???'
5828.829552372:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNsecure'
5828.829555115:7febc1da8700: ------ end rule 0x26da860
5828.829557180:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNsecure
5828.829560807:7febc1da8700: tried selector action for builtin-file: 0
5828.829562683:7febc1da8700: Module builtin-file processes this action.
5828.829564972:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.829567116:7febc1da8700: template: 'DYNsecure' assigned
5828.829569520:7febc1da8700: action 2 queue: save on shutdown 1, max disk space allowed 0
5828.829571638:7febc1da8700: Action 0x26daac0: queue 0x26dac00 created
5828.829573632:7febc1da8700: selector line successfully processed
5828.829577494:7febc1da8700: cnf:global:rule
5828.829579517:7febc1da8700: ------ start rule 0x26dafb0:
5828.829581325:7febc1da8700: filter:script:
5828.829583787:7febc1da8700: var '$syslogfacility-text'
5828.829587302:7febc1da8700: ==
5828.829589853:7febc1da8700: string 'mail'
5828.829594461:7febc1da8700: AND
5828.829596057:7febc1da8700: var '$fromhost-ip'
5828.829599516:7febc1da8700: !=
5828.829602049:7febc1da8700: string '???'
5828.829606553:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNmaillog'
5828.830350043:7febc1da8700: ------ end rule 0x26dafb0
5828.830357597:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNmaillog
5828.830362852:7febc1da8700: tried selector action for builtin-file: 0
5828.830365374:7febc1da8700: Module builtin-file processes this action.
5828.830368681:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830370971:7febc1da8700: template: 'DYNmaillog' assigned
5828.830374507:7febc1da8700: action 3 queue: save on shutdown 1, max disk space allowed 0
5828.830376697:7febc1da8700: Action 0x26db210: queue 0x26db350 created
5828.830379327:7febc1da8700: selector line successfully processed
5828.830387191:7febc1da8700: cnf:global:rule
5828.830389122:7febc1da8700: ------ start rule 0x26db700:
5828.830390950:7febc1da8700: filter:script:
5828.830393545:7febc1da8700: var '$syslogfacility-text'
5828.830397205:7febc1da8700: ==
5828.830399775:7febc1da8700: string 'cron'
5828.830404488:7febc1da8700: AND
5828.830406205:7febc1da8700: var '$fromhost-ip'
5828.830409576:7febc1da8700: !=
5828.830411942:7febc1da8700: string '???'
5828.830416556:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNcron'
5828.830419372:7febc1da8700: ------ end rule 0x26db700
5828.830421416:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNcron
5828.830425062:7febc1da8700: tried selector action for builtin-file: 0
5828.830426974:7febc1da8700: Module builtin-file processes this action.
5828.830429126:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830431256:7febc1da8700: template: 'DYNcron' assigned
5828.830433696:7febc1da8700: action 4 queue: save on shutdown 1, max disk space allowed 0
5828.830435806:7febc1da8700: Action 0x26db960: queue 0x26dbaa0 created
5828.830437813:7febc1da8700: selector line successfully processed
5828.830441838:7febc1da8700: cnf:global:rule
5828.830443796:7febc1da8700: ------ start rule 0x26dbe50:
5828.830445446:7febc1da8700: filter:script:
5828.830447950:7febc1da8700: var '$syslogseverity-text'
5828.830451503:7febc1da8700: ==
5828.830454055:7febc1da8700: string 'crit'
5828.830458651:7febc1da8700: AND
5828.830460324:7febc1da8700: var '$fromhost-ip'
5828.830463800:7febc1da8700: !=
5828.830466294:7febc1da8700: string '???'
5828.830470884:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNspooler'
5828.830473780:7febc1da8700: ------ end rule 0x26dbe50
5828.830475777:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNspooler
5828.830481387:7febc1da8700: tried selector action for builtin-file: 0
5828.830483544:7febc1da8700: Module builtin-file processes this action.
5828.830485719:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830487952:7febc1da8700: template: 'DYNspooler' assigned
5828.830490406:7febc1da8700: action 5 queue: save on shutdown 1, max disk space allowed 0
5828.830492551:7febc1da8700: Action 0x26dc0b0: queue 0x26dc1f0 created
5828.830494562:7febc1da8700: selector line successfully processed
5828.830498472:7febc1da8700: cnf:global:rule
5828.830500428:7febc1da8700: ------ start rule 0x26dc5a0:
5828.830502082:7febc1da8700: filter:script:
5828.830504408:7febc1da8700: var '$syslogfacility-text'
5828.830507806:7febc1da8700: ==
5828.830510328:7febc1da8700: string 'local7'
5828.830514846:7febc1da8700: AND
5828.830516402:7febc1da8700: var '$fromhost-ip'
5828.830519901:7febc1da8700: !=
5828.830522394:7febc1da8700: string '???'
5828.830526888:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNboot'
5828.830529808:7febc1da8700: ------ end rule 0x26dc5a0
5828.830531837:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNboot
5828.830535313:7febc1da8700: tried selector action for builtin-file: 0
5828.830537220:7febc1da8700: Module builtin-file processes this action.
5828.830539349:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830541472:7febc1da8700: template: 'DYNboot' assigned
5828.830543778:7febc1da8700: action 6 queue: save on shutdown 1, max disk space allowed 0
5828.830545873:7febc1da8700: Action 0x26dc800: queue 0x26dc940 created
5828.830547824:7febc1da8700: selector line successfully processed
5828.830552433:7febc1da8700: cnf:global:rule
5828.830554353:7febc1da8700: ------ start rule 0x26dcdb0:
5828.830556006:7febc1da8700: filter:script:
5828.830558513:7febc1da8700: var '$syslogfacility-text'
5828.830562842:7febc1da8700: ==
5828.830566172:7febc1da8700: string 'local6'
5828.830571450:7febc1da8700: AND
5828.830574053:7febc1da8700: var '$syslogseverity-text'
5828.830578333:7febc1da8700: ==
5828.830581625:7febc1da8700: string 'WARNING'
5828.830586877:7febc1da8700: AND
5828.830588569:7febc1da8700: var '$fromhost-ip'
5828.830592143:7febc1da8700: !=
5828.830594637:7febc1da8700: string '???'
5828.830599151:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNtraps'
5828.830609892:7febc1da8700: ------ end rule 0x26dcdb0
5828.830612071:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNtraps
5828.830617951:7febc1da8700: tried selector action for builtin-file: 0
5828.830620062:7febc1da8700: Module builtin-file processes this action.
5828.830622544:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830624645:7febc1da8700: template: 'DYNtraps' assigned
5828.830627200:7febc1da8700: action 7 queue: save on shutdown 1, max disk space allowed 0
5828.830629301:7febc1da8700: Action 0x26dd010: queue 0x26dd150 created
5828.830631493:7febc1da8700: selector line successfully processed
5828.830635902:7febc1da8700: cnf:global:rule
5828.830637824:7febc1da8700: ------ start rule 0x26dd500:
5828.830639640:7febc1da8700: filter:script:
5828.830642171:7febc1da8700: var '$syslogseverity'
5828.830645846:7febc1da8700: <=
5828.830648442:7febc1da8700: string '6'
5828.830653025:7febc1da8700: AND
5828.830654569:7febc1da8700: var '$fromhost-ip'
5828.830658087:7febc1da8700: ==
5828.830660489:7febc1da8700: string '???'
5828.830665037:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPmessages'
5828.830668009:7febc1da8700: ------ end rule 0x26dd500
5828.830670076:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPmessages
5828.830673674:7febc1da8700: tried selector action for builtin-file: 0
5828.830675563:7febc1da8700: Module builtin-file processes this action.
5828.830677705:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.830679800:7febc1da8700: template: 'DYNIPmessages' assigned
5828.830682177:7febc1da8700: action 8 queue: save on shutdown 1, max disk space allowed 0
5828.830684278:7febc1da8700: Action 0x26dd760: queue 0x26dd8a0 created
5828.830686250:7febc1da8700: selector line successfully processed
5828.830690244:7febc1da8700: cnf:global:rule
5828.830692171:7febc1da8700: ------ start rule 0x26ddc50:
5828.830693854:7febc1da8700: filter:script:
5828.830696345:7febc1da8700: var '$syslogfacility-text'
5828.830699926:7febc1da8700: ==
5828.830702469:7febc1da8700: string 'authpriv'
5828.830707047:7febc1da8700: AND
5828.830708702:7febc1da8700: var '$fromhost-ip'
5828.830712160:7febc1da8700: ==
5828.830714648:7febc1da8700: string '???'
5828.831380914:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPsecure'
5828.831384366:7febc1da8700: ------ end rule 0x26ddc50
5828.831387329:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPsecure
5828.831392022:7febc1da8700: tried selector action for builtin-file: 0
5828.831394177:7febc1da8700: Module builtin-file processes this action.
5828.831397223:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831399751:7febc1da8700: template: 'DYNIPsecure' assigned
5828.831408246:7febc1da8700: action 9 queue: save on shutdown 1, max disk space allowed 0
5828.831410802:7febc1da8700: Action 0x26ddeb0: queue 0x26ddff0 created
5828.831413219:7febc1da8700: selector line successfully processed
5828.831419576:7febc1da8700: cnf:global:rule
5828.831421731:7febc1da8700: ------ start rule 0x26de3a0:
5828.831423573:7febc1da8700: filter:script:
5828.831426109:7febc1da8700: var '$syslogfacility-text'
5828.831429612:7febc1da8700: ==
5828.831432073:7febc1da8700: string 'mail'
5828.831436590:7febc1da8700: AND
5828.831438169:7febc1da8700: var '$fromhost-ip'
5828.831441714:7febc1da8700: ==
5828.831444223:7febc1da8700: string '???'
5828.831448697:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPmaillog'
5828.831451697:7febc1da8700: ------ end rule 0x26de3a0
5828.831453787:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPmaillog
5828.831457542:7febc1da8700: tried selector action for builtin-file: 0
5828.831459598:7febc1da8700: Module builtin-file processes this action.
5828.831461980:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831464103:7febc1da8700: template: 'DYNIPmaillog' assigned
5828.831466824:7febc1da8700: action 10 queue: save on shutdown 1, max disk space allowed 0
5828.831469030:7febc1da8700: Action 0x26de600: queue 0x26de740 created
5828.831471141:7febc1da8700: selector line successfully processed
5828.831475274:7febc1da8700: cnf:global:rule
5828.831477068:7febc1da8700: ------ start rule 0x26deaf0:
5828.831478865:7febc1da8700: filter:script:
5828.831481414:7febc1da8700: var '$syslogfacility-text'
5828.831485028:7febc1da8700: ==
5828.831487563:7febc1da8700: string 'cron'
5828.831491996:7febc1da8700: AND
5828.831493549:7febc1da8700: var '$fromhost-ip'
5828.831497049:7febc1da8700: ==
5828.831499523:7febc1da8700: string '???'
5828.831503926:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPcron'
5828.831506813:7febc1da8700: ------ end rule 0x26deaf0
5828.831508871:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPcron
5828.831512533:7febc1da8700: tried selector action for builtin-file: 0
5828.831514455:7febc1da8700: Module builtin-file processes this action.
5828.831516620:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831518717:7febc1da8700: template: 'DYNIPcron' assigned
5828.831523222:7febc1da8700: action 11 queue: save on shutdown 1, max disk space allowed 0
5828.831525560:7febc1da8700: Action 0x26ded50: queue 0x26dee90 created
5828.831527621:7febc1da8700: selector line successfully processed
5828.831531467:7febc1da8700: cnf:global:rule
5828.831533422:7febc1da8700: ------ start rule 0x26df240:
5828.831535235:7febc1da8700: filter:script:
5828.831537744:7febc1da8700: var '$syslogseverity-text'
5828.831541346:7febc1da8700: ==
5828.831543874:7febc1da8700: string 'crit'
5828.831548334:7febc1da8700: AND
5828.831549892:7febc1da8700: var '$fromhost-ip'
5828.831553403:7febc1da8700: ==
5828.831555894:7febc1da8700: string '???'
5828.831560366:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPspooler'
5828.831563252:7febc1da8700: ------ end rule 0x26df240
5828.831565281:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPspooler
5828.831568823:7febc1da8700: tried selector action for builtin-file: 0
5828.831570796:7febc1da8700: Module builtin-file processes this action.
5828.831573008:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831575158:7febc1da8700: template: 'DYNIPspooler' assigned
5828.831577688:7febc1da8700: action 12 queue: save on shutdown 1, max disk space allowed 0
5828.831579805:7febc1da8700: Action 0x26df4a0: queue 0x26df5e0 created
5828.831581791:7febc1da8700: selector line successfully processed
5828.831585637:7febc1da8700: cnf:global:rule
5828.831587433:7febc1da8700: ------ start rule 0x26df990:
5828.831589224:7febc1da8700: filter:script:
5828.831591701:7febc1da8700: var '$syslogfacility-text'
5828.831595321:7febc1da8700: ==
5828.831597828:7febc1da8700: string 'local7'
5828.831602289:7febc1da8700: AND
5828.831603843:7febc1da8700: var '$fromhost-ip'
5828.831607319:7febc1da8700: ==
5828.831609822:7febc1da8700: string '???'
5828.831614260:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPboot'
5828.831617128:7febc1da8700: ------ end rule 0x26df990
5828.831619179:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPboot
5828.831622734:7febc1da8700: tried selector action for builtin-file: 0
5828.831624700:7febc1da8700: Module builtin-file processes this action.
5828.831626910:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831628974:7febc1da8700: template: 'DYNIPboot' assigned
5828.831631433:7febc1da8700: action 13 queue: save on shutdown 1, max disk space allowed 0
5828.831633534:7febc1da8700: Action 0x26dfbf0: queue 0x26dfd30 created
5828.831635654:7febc1da8700: selector line successfully processed
5828.831643141:7febc1da8700: cnf:global:rule
5828.831645282:7febc1da8700: ------ start rule 0x26cc240:
5828.831647101:7febc1da8700: filter:script:
5828.831649583:7febc1da8700: var '$syslogfacility-text'
5828.831653997:7febc1da8700: ==
5828.831657204:7febc1da8700: string 'local6'
5828.831662512:7febc1da8700: AND
5828.831665100:7febc1da8700: var '$syslogseverity-text'
5828.831669273:7febc1da8700: ==
5828.831672439:7febc1da8700: string 'WARNING'
5828.831677658:7febc1da8700: AND
5828.831679335:7febc1da8700: var '$fromhost-ip'
5828.831682701:7febc1da8700: ==
5828.831685069:7febc1da8700: string '???'
5828.831689523:7febc1da8700: aclst 0x26da0e0: legacy action line: '?DYNIPtraps'
5828.831692325:7febc1da8700: ------ end rule 0x26cc240
5828.831694400:7febc1da8700: aclst 0x26da0e0: legacy action line:?DYNIPtraps
5828.831698018:7febc1da8700: tried selector action for builtin-file: 0
5828.831699963:7febc1da8700: Module builtin-file processes this action.
5828.831702128:7febc1da8700: template: 'RSYSLOG_FileFormat' assigned
5828.831704267:7febc1da8700: template: 'DYNIPtraps' assigned
5828.831706970:7febc1da8700: action 14 queue: save on shutdown 1, max disk space allowed 0
5828.831709144:7febc1da8700: Action 0x26cc4a0: queue 0x26cc5b0 created
5828.831711261:7febc1da8700: selector line successfully processed
5828.831713985:7febc1da8700: telling modules that config load for 0x26c1150 is done
5828.831717525:7febc1da8700: telling modules to check config 0x26c1150
5828.831720049:7febc1da8700: module imudp tells us config can be activated
5828.831722171:7febc1da8700: module imtcp tells us config can be activated
5828.831724115:7febc1da8700: rsyslog finished loading master config 0x26c1150
5828.831726057:7febc1da8700: configuration object 0x26c1150
5828.832376972:7febc1da8700: Global Settings:
5828.832380162:7febc1da8700: bDebugPrintTemplateList.............: 1
5828.832382139:7febc1da8700: bDebugPrintModuleList : 1
5828.832383896:7febc1da8700: bDebugPrintCfSysLineHandlerList.....: 1
5828.832385741:7febc1da8700: bLogStatusMsgs : 1
5828.832387606:7febc1da8700: bErrMsgToStderr.....................: 1
5828.832389556:7febc1da8700: drop Msgs with malicious PTR Record : 0
5828.832391510:7febc1da8700: All Rulesets:
5828.832394777:7febc1da8700: ruleset 0x26c3ae0: rsyslog ruleset RSYSLOG_DefaultRuleset:
5828.832397434:7febc1da8700: rule 0x26da180: rsyslog rule:
5828.832399537:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions:
5828.832402794:7febc1da8700: builtin-file: [dynamic]
5828.832405497:7febc1da8700: template='DYNmessages'
5828.832407684:7febc1da8700: use async writer=0
5828.832409805:7febc1da8700: flush on TX end=1
5828.832411805:7febc1da8700: flush interval=1
5828.832413819:7febc1da8700: file cache size=10
5828.832415753:7febc1da8700: create directories: yes
5828.832418102:7febc1da8700: file owner -1, group -1
5828.832420320:7febc1da8700: directory owner -1, group -1
5828.832422685:7febc1da8700: dir create mode 0750, file create mode 0640
5828.832424794:7febc1da8700: fail if owner/group can not be set: yes
5828.832426939:7febc1da8700: Instance data: 0x26da220
5828.832429166:7febc1da8700: RepeatedMsgReduction: 0
5828.832437618:7febc1da8700: Resume Interval: 30
5828.832440144:7febc1da8700: State: rdy
5828.832442376:7febc1da8700: Exec only when previous is suspended: 0
5828.832444626:7febc1da8700: submission mode: fast, but supports partial mark messages
5828.832446644:7febc1da8700:
5828.832448209:7febc1da8700:
5828.832449960:7febc1da8700:
5828.832452049:7febc1da8700: rule 0x26da8a0: rsyslog rule:
5828.832453968:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions:
5828.832456863:7febc1da8700: builtin-file: [dynamic]
5828.832459358:7febc1da8700: template='DYNsecure'
5828.832461415:7febc1da8700: use async writer=0
5828.832463406:7febc1da8700: flush on TX end=1
5828.832465367:7febc1da8700: flush interval=1
5828.832467341:7febc1da8700: file cache size=10
5828.832469296:7febc1da8700: create directories: yes
5828.832471592:7febc1da8700: file owner -1, group -1
5828.832473768:7febc1da8700: directory owner -1, group -1
5828.832475988:7febc1da8700: dir create mode 0750, file create mode 0640
5828.832478042:7febc1da8700: fail if owner/group can not be set: yes
5828.832480290:7febc1da8700: Instance data: 0x26da940
5828.832482512:7febc1da8700: RepeatedMsgReduction: 0
5828.832484545:7febc1da8700: Resume Interval: 30
5828.832486625:7febc1da8700: State: rdy
5828.832488720:7febc1da8700: Exec only when previous is suspended: 0
5828.832490958:7febc1da8700: submission mode: fast, but supports partial mark messages
5828.832493080:7febc1da8700:
5828.832494623:7febc1da8700:
5828.832496317:7febc1da8700:
5828.832498237:7febc1da8700: rule 0x26daff0: rsyslog rule:
5828.832500042:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions:
5828.832503023:7febc1da8700: builtin-file: [dynamic]
5828.832505625:7febc1da8700: template='DYNmaillog'
5828.832507857:7febc1da8700: use async writer=0 5828.832509830:7febc1da8700: flush on TX end=1 5828.832511795:7febc1da8700: flush interval=1 5828.832513779:7febc1da8700: file cache size=10 5828.832515724:7febc1da8700: create directories: yes 5828.832518053:7febc1da8700: file owner -1, group -1 5828.832520213:7febc1da8700: directory owner -1, group -1 5828.832522416:7febc1da8700: dir create mode 0750, file create mode 0640 5828.832524497:7febc1da8700: fail if owner/group can not be set: yes 5828.832526765:7febc1da8700: Instance data: 0x26db090 5828.832528978:7febc1da8700: RepeatedMsgReduction: 0 5828.832531011:7febc1da8700: Resume Interval: 30 5828.832533081:7febc1da8700: State: rdy 5828.832535156:7febc1da8700: Exec only when previous is suspended: 0 5828.832537342:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.832539459:7febc1da8700: 5828.832540996:7febc1da8700: 5828.832542668:7febc1da8700: 5828.832544571:7febc1da8700: rule 0x26db740: rsyslog rule: 5828.832546362:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.832549328:7febc1da8700: builtin-file: [dynamic] 5828.832551912:7febc1da8700: template='DYNcron' 5828.832554082:7febc1da8700: use async writer=0 5828.832556051:7febc1da8700: flush on TX end=1 5828.832558018:7febc1da8700: flush interval=1 5828.832560011:7febc1da8700: file cache size=10 5828.832561956:7febc1da8700: create directories: yes 5828.832564245:7febc1da8700: file owner -1, group -1 5828.832566420:7febc1da8700: directory owner -1, group -1 5828.832568621:7febc1da8700: dir create mode 0750, file create mode 0640 5828.832570702:7febc1da8700: fail if owner/group can not be set: yes 5828.832572946:7febc1da8700: Instance data: 0x26db7e0 5828.832575156:7febc1da8700: RepeatedMsgReduction: 0 5828.832577181:7febc1da8700: Resume Interval: 30 5828.832579248:7febc1da8700: State: rdy 5828.832581329:7febc1da8700: Exec only when previous is suspended: 0 5828.832583508:7febc1da8700: submission mode: fast, 
but supports partial mark messages 5828.832585633:7febc1da8700: 5828.832587169:7febc1da8700: 5828.832588836:7febc1da8700: 5828.832590733:7febc1da8700: rule 0x26dbe90: rsyslog rule: 5828.832592523:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.832595500:7febc1da8700: builtin-file: [dynamic] 5828.832598113:7febc1da8700: template='DYNspooler' 5828.832600334:7febc1da8700: use async writer=0 5828.832602304:7febc1da8700: flush on TX end=1 5828.832604272:7febc1da8700: flush interval=1 5828.832606258:7febc1da8700: file cache size=10 5828.832608212:7febc1da8700: create directories: yes 5828.832610530:7febc1da8700: file owner -1, group -1 5828.832612689:7febc1da8700: directory owner -1, group -1 5828.832614909:7febc1da8700: dir create mode 0750, file create mode 0640 5828.832617006:7febc1da8700: fail if owner/group can not be set: yes 5828.832619300:7febc1da8700: Instance data: 0x26dbf30 5828.832626099:7febc1da8700: RepeatedMsgReduction: 0 5828.832628369:7febc1da8700: Resume Interval: 30 5828.832630364:7febc1da8700: State: rdy 5828.832632519:7febc1da8700: Exec only when previous is suspended: 0 5828.832634763:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.832636916:7febc1da8700: 5828.832638461:7febc1da8700: 5828.832640179:7febc1da8700: 5828.832642115:7febc1da8700: rule 0x26dc5e0: rsyslog rule: 5828.832643929:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.832646787:7febc1da8700: builtin-file: [dynamic] 5828.832649261:7febc1da8700: template='DYNboot' 5828.832651281:7febc1da8700: use async writer=0 5828.832653245:7febc1da8700: flush on TX end=1 5828.832655215:7febc1da8700: flush interval=1 5828.832657202:7febc1da8700: file cache size=10 5828.832659138:7febc1da8700: create directories: yes 5828.832661455:7febc1da8700: file owner -1, group -1 5828.832663622:7febc1da8700: directory owner -1, group -1 5828.832665820:7febc1da8700: dir create mode 0750, file create mode 0640 
5828.832667905:7febc1da8700: fail if owner/group can not be set: yes 5828.833378462:7febc1da8700: Instance data: 0x26dc680 5828.833382120:7febc1da8700: RepeatedMsgReduction: 0 5828.833384334:7febc1da8700: Resume Interval: 30 5828.833386455:7febc1da8700: State: rdy 5828.833388708:7febc1da8700: Exec only when previous is suspended: 0 5828.833390964:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.833393033:7febc1da8700: 5828.833394667:7febc1da8700: 5828.833396508:7febc1da8700: 5828.833399649:7febc1da8700: rule 0x26dcdf0: rsyslog rule: 5828.833401663:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833404801:7febc1da8700: builtin-file: [dynamic] 5828.833407540:7febc1da8700: template='DYNtraps' 5828.833409591:7febc1da8700: use async writer=0 5828.833411604:7febc1da8700: flush on TX end=1 5828.833413645:7febc1da8700: flush interval=1 5828.833415667:7febc1da8700: file cache size=10 5828.833417662:7febc1da8700: create directories: yes 5828.833420042:7febc1da8700: file owner -1, group -1 5828.833422269:7febc1da8700: directory owner -1, group -1 5828.833424606:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833426870:7febc1da8700: fail if owner/group can not be set: yes 5828.833429198:7febc1da8700: Instance data: 0x26dce90 5828.833431450:7febc1da8700: RepeatedMsgReduction: 0 5828.833433531:7febc1da8700: Resume Interval: 30 5828.833435529:7febc1da8700: State: rdy 5828.833437628:7febc1da8700: Exec only when previous is suspended: 0 5828.833439893:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.833442034:7febc1da8700: 5828.833443595:7febc1da8700: 5828.833445184:7febc1da8700: 5828.833447121:7febc1da8700: rule 0x26dd540: rsyslog rule: 5828.833448902:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833451913:7febc1da8700: builtin-file: [dynamic] 5828.833454532:7febc1da8700: template='DYNIPmessages' 5828.833464183:7febc1da8700: use async 
writer=0 5828.833466346:7febc1da8700: flush on TX end=1 5828.833468315:7febc1da8700: flush interval=1 5828.833470329:7febc1da8700: file cache size=10 5828.833472516:7febc1da8700: create directories: yes 5828.833474831:7febc1da8700: file owner -1, group -1 5828.833476998:7febc1da8700: directory owner -1, group -1 5828.833479251:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833481478:7febc1da8700: fail if owner/group can not be set: yes 5828.833483749:7febc1da8700: Instance data: 0x26dd5e0 5828.833485965:7febc1da8700: RepeatedMsgReduction: 0 5828.833488004:7febc1da8700: Resume Interval: 30 5828.833490106:7febc1da8700: State: rdy 5828.833492191:7febc1da8700: Exec only when previous is suspended: 0 5828.833494415:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.833496518:7febc1da8700: 5828.833498060:7febc1da8700: 5828.833499740:7febc1da8700: 5828.833501756:7febc1da8700: rule 0x26ddc90: rsyslog rule: 5828.833503588:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833506572:7febc1da8700: builtin-file: [dynamic] 5828.833509091:7febc1da8700: template='DYNIPsecure' 5828.833511210:7febc1da8700: use async writer=0 5828.833513189:7febc1da8700: flush on TX end=1 5828.833515154:7febc1da8700: flush interval=1 5828.833517142:7febc1da8700: file cache size=10 5828.833519110:7febc1da8700: create directories: yes 5828.833521421:7febc1da8700: file owner -1, group -1 5828.833523599:7febc1da8700: directory owner -1, group -1 5828.833525807:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833527912:7febc1da8700: fail if owner/group can not be set: yes 5828.833530085:7febc1da8700: Instance data: 0x26ddd30 5828.833532288:7febc1da8700: RepeatedMsgReduction: 0 5828.833534327:7febc1da8700: Resume Interval: 30 5828.833536412:7febc1da8700: State: rdy 5828.833538476:7febc1da8700: Exec only when previous is suspended: 0 5828.833540666:7febc1da8700: submission mode: fast, but supports partial mark messages 
5828.833542788:7febc1da8700: 5828.833544344:7febc1da8700: 5828.833546021:7febc1da8700: 5828.833548091:7febc1da8700: rule 0x26de3e0: rsyslog rule: 5828.833549855:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833552839:7febc1da8700: builtin-file: [dynamic] 5828.833555493:7febc1da8700: template='DYNIPmaillog' 5828.833562094:7febc1da8700: use async writer=0 5828.833564267:7febc1da8700: flush on TX end=1 5828.833566287:7febc1da8700: flush interval=1 5828.833568349:7febc1da8700: file cache size=10 5828.833570339:7febc1da8700: create directories: yes 5828.833572760:7febc1da8700: file owner -1, group -1 5828.833574965:7febc1da8700: directory owner -1, group -1 5828.833577214:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833579476:7febc1da8700: fail if owner/group can not be set: yes 5828.833581654:7febc1da8700: Instance data: 0x26de480 5828.833583882:7febc1da8700: RepeatedMsgReduction: 0 5828.833585950:7febc1da8700: Resume Interval: 30 5828.833588097:7febc1da8700: State: rdy 5828.833590223:7febc1da8700: Exec only when previous is suspended: 0 5828.833592489:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.833594648:7febc1da8700: 5828.833596197:7febc1da8700: 5828.833597920:7febc1da8700: 5828.833600113:7febc1da8700: rule 0x26deb30: rsyslog rule: 5828.833601889:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833604804:7febc1da8700: builtin-file: [dynamic] 5828.833607341:7febc1da8700: template='DYNIPcron' 5828.833609470:7febc1da8700: use async writer=0 5828.833611485:7febc1da8700: flush on TX end=1 5828.833613473:7febc1da8700: flush interval=1 5828.833615486:7febc1da8700: file cache size=10 5828.833617444:7febc1da8700: create directories: yes 5828.833619814:7febc1da8700: file owner -1, group -1 5828.833622003:7febc1da8700: directory owner -1, group -1 5828.833624231:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833626533:7febc1da8700: fail if 
owner/group can not be set: yes 5828.833628700:7febc1da8700: Instance data: 0x26debd0 5828.833630928:7febc1da8700: RepeatedMsgReduction: 0 5828.833632984:7febc1da8700: Resume Interval: 30 5828.833635092:7febc1da8700: State: rdy 5828.833637190:7febc1da8700: Exec only when previous is suspended: 0 5828.833639432:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.833641568:7febc1da8700: 5828.833643113:7febc1da8700: 5828.833644804:7febc1da8700: 5828.833646836:7febc1da8700: rule 0x26df280: rsyslog rule: 5828.833648696:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.833651714:7febc1da8700: builtin-file: [dynamic] 5828.833654359:7febc1da8700: template='DYNIPspooler' 5828.833656582:7febc1da8700: use async writer=0 5828.833662777:7febc1da8700: flush on TX end=1 5828.833664962:7febc1da8700: flush interval=1 5828.833667000:7febc1da8700: file cache size=10 5828.833669164:7febc1da8700: create directories: yes 5828.833671435:7febc1da8700: file owner -1, group -1 5828.833673611:7febc1da8700: directory owner -1, group -1 5828.833675827:7febc1da8700: dir create mode 0750, file create mode 0640 5828.833677933:7febc1da8700: fail if owner/group can not be set: yes 5828.833680243:7febc1da8700: Instance data: 0x26df320 5828.833682452:7febc1da8700: RepeatedMsgReduction: 0 5828.833684493:7febc1da8700: Resume Interval: 30 5828.833686590:7febc1da8700: State: rdy 5828.833688689:7febc1da8700: Exec only when previous is suspended: 0 5828.834376755:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.834379798:7febc1da8700: 5828.834381543:7febc1da8700: 5828.834383405:7febc1da8700: 5828.834386451:7febc1da8700: rule 0x26df9d0: rsyslog rule: 5828.834388384:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.834391435:7febc1da8700: builtin-file: [dynamic] 5828.834394185:7febc1da8700: template='DYNIPboot' 5828.834396290:7febc1da8700: use async writer=0 5828.834398384:7febc1da8700: 
flush on TX end=1 5828.834400450:7febc1da8700: flush interval=1 5828.834402450:7febc1da8700: file cache size=10 5828.834404447:7febc1da8700: create directories: yes 5828.834406777:7febc1da8700: file owner -1, group -1 5828.834409005:7febc1da8700: directory owner -1, group -1 5828.834411377:7febc1da8700: dir create mode 0750, file create mode 0640 5828.834413595:7febc1da8700: fail if owner/group can not be set: yes 5828.834415807:7febc1da8700: Instance data: 0x26dfa70 5828.834418050:7febc1da8700: RepeatedMsgReduction: 0 5828.834420131:7febc1da8700: Resume Interval: 30 5828.834422271:7febc1da8700: State: rdy 5828.834424271:7febc1da8700: Exec only when previous is suspended: 0 5828.834426472:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.834428574:7febc1da8700: 5828.834430143:7febc1da8700: 5828.834431695:7febc1da8700: 5828.834433629:7febc1da8700: rule 0x26cc280: rsyslog rule: 5828.834435401:7febc1da8700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 5828.834438374:7febc1da8700: builtin-file: [dynamic] 5828.834440983:7febc1da8700: template='DYNIPtraps' 5828.834443218:7febc1da8700: use async writer=0 5828.834445206:7febc1da8700: flush on TX end=1 5828.834447177:7febc1da8700: flush interval=1 5828.834449174:7febc1da8700: file cache size=10 5828.834451127:7febc1da8700: create directories: yes 5828.834453437:7febc1da8700: file owner -1, group -1 5828.834455623:7febc1da8700: directory owner -1, group -1 5828.834457842:7febc1da8700: dir create mode 0750, file create mode 0640 5828.834459947:7febc1da8700: fail if owner/group can not be set: yes 5828.834462116:7febc1da8700: Instance data: 0x26cc320 5828.834464327:7febc1da8700: RepeatedMsgReduction: 0 5828.834466371:7febc1da8700: Resume Interval: 30 5828.834468433:7febc1da8700: State: rdy 5828.834470503:7febc1da8700: Exec only when previous is suspended: 0 5828.834472698:7febc1da8700: submission mode: fast, but supports partial mark messages 5828.834474796:7febc1da8700: 
5828.834476355:7febc1da8700: 5828.834478020:7febc1da8700: 5828.834479764:7febc1da8700: End of Rulesets. 5828.834481550:7febc1da8700: 5828.834483533:7febc1da8700: Template: Name='RSYSLOG_DebugFormat' 5828.834486242:7febc1da8700: Entry(26c62e0): type 1, (CONSTANT), value: 'Debug line with all properties: FROMHOST: '' 5828.834490718:7febc1da8700: Entry(26c6380): type 2, (FIELD), value: '7' 5828.834494745:7febc1da8700: Entry(26c64d0): type 1, (CONSTANT), value: '', fromhost-ip: '' 5828.834498645:7febc1da8700: Entry(26c6570): type 2, (FIELD), value: '8' 5828.834502494:7febc1da8700: Entry(26c66a0): type 1, (CONSTANT), value: '', HOSTNAME: '' 5828.834506305:7febc1da8700: Entry(26c6740): type 2, (FIELD), value: '3' 5828.834510091:7febc1da8700: Entry(26c6870): type 1, (CONSTANT), value: '', PRI: ' 5828.834513948:7febc1da8700: Entry(26c6910): type 2, (FIELD), value: '9' 5828.834517736:7febc1da8700: Entry(26c6a40): type 1, (CONSTANT), value: ', syslogtag '' 5828.834521929:7febc1da8700: Entry(26c6ae0): type 2, (FIELD), value: '4' 5828.834525776:7febc1da8700: Entry(26c6c10): type 1, (CONSTANT), value: '', programname: '' 5828.834529634:7febc1da8700: Entry(26c6cb0): type 2, (FIELD), value: '17' 5828.834533468:7febc1da8700: Entry(26c6de0): type 1, (CONSTANT), value: '', APP-NAME: '' 5828.834537308:7febc1da8700: Entry(26c6e80): type 2, (FIELD), value: '20' 5828.834541106:7febc1da8700: Entry(26c6fb0): type 1, (CONSTANT), value: '', PROCID: '' 5828.834544908:7febc1da8700: Entry(26c7050): type 2, (FIELD), value: '21' 5828.834548732:7febc1da8700: Entry(26c7180): type 1, (CONSTANT), value: '', MSGID: '' 5828.834552480:7febc1da8700: Entry(26c7220): type 2, (FIELD), value: '22' 5828.834556267:7febc1da8700: Entry(26c7350): type 1, (CONSTANT), value: '', TIMESTAMP: '' 5828.834560528:7febc1da8700: Entry(26c73f0): type 2, (FIELD), value: '2' 5828.834564341:7febc1da8700: Entry(26c7520): type 1, (CONSTANT), value: '', STRUCTURED-DATA: '' 5828.834568154:7febc1da8700: Entry(26c75c0): type 2, 
(FIELD), value: '19' 5828.834571979:7febc1da8700: Entry(26c76f0): type 1, (CONSTANT), value: '', msg: '' 5828.834576126:7febc1da8700: Entry(26c7790): type 2, (FIELD), value: '1' 5828.834579930:7febc1da8700: Entry(26c78c0): type 1, (CONSTANT), value: '' escaped msg: '' 5828.834584183:7febc1da8700: Entry(26c7960): type 2, (FIELD), value: '1' [drop control-characters] 5828.834588990:7febc1da8700: Entry(26c7a90): type 1, (CONSTANT), value: '' inputname: ' 5828.834593212:7febc1da8700: Entry(26c7b30): type 2, (FIELD), value: '6' 5828.834597010:7febc1da8700: Entry(26c7c60): type 1, (CONSTANT), value: ' rawmsg: '' 5828.834600810:7febc1da8700: Entry(26c7d00): type 2, (FIELD), value: '5' 5828.834604607:7febc1da8700: Entry(26c7e30): type 1, (CONSTANT), value: '' ' 5828.834608827:7febc1da8700: Template: Name='RSYSLOG_SyslogProtocol23Format' 5828.834611371:7febc1da8700: Entry(26c7fe0): type 1, (CONSTANT), value: '<' 5828.834615178:7febc1da8700: Entry(26c8080): type 2, (FIELD), value: '9' 5828.834618999:7febc1da8700: Entry(26c81b0): type 1, (CONSTANT), value: '>1 ' 5828.834622721:7febc1da8700: Entry(26c8250): type 2, (FIELD), value: '2' [Format as RFC3339-Date] 5828.834627578:7febc1da8700: Entry(26c8380): type 1, (CONSTANT), value: ' ' 5828.834631408:7febc1da8700: Entry(26c8420): type 2, (FIELD), value: '3' 5828.834635225:7febc1da8700: Entry(26c8550): type 1, (CONSTANT), value: ' ' 5828.834639064:7febc1da8700: Entry(26c85f0): type 2, (FIELD), value: '20' 5828.834642860:7febc1da8700: Entry(26c8720): type 1, (CONSTANT), value: ' ' 5828.834646679:7febc1da8700: Entry(26c87c0): type 2, (FIELD), value: '21' 5828.834650505:7febc1da8700: Entry(26c88f0): type 1, (CONSTANT), value: ' ' 5828.834654320:7febc1da8700: Entry(26c8990): type 2, (FIELD), value: '22' 5828.834658100:7febc1da8700: Entry(26c8ac0): type 1, (CONSTANT), value: ' ' 5828.834661866:7febc1da8700: Entry(26c8b60): type 2, (FIELD), value: '19' 5828.834665666:7febc1da8700: Entry(26c8c90): type 1, (CONSTANT), value: ' ' 
5828.834675934:7febc1da8700: Entry(26c8d30): type 2, (FIELD), value: '1' 5828.834680010:7febc1da8700: Entry(26c8e60): type 1, (CONSTANT), value: ' ' 5828.834684127:7febc1da8700: Template: Name='RSYSLOG_FileFormat' 5828.834686660:7febc1da8700: Template: Name='RSYSLOG_TraditionalFileFormat' 5828.834689129:7febc1da8700: Template: Name=' WallFmt' 5828.834691693:7febc1da8700: Entry(26c90d0): type 1, (CONSTANT), value: ' Message from syslogd@' 5828.834696133:7febc1da8700: Entry(26c9170): type 2, (FIELD), value: '3' 5828.834700150:7febc1da8700: Entry(26c92c0): type 1, (CONSTANT), value: ' at ' 5828.834703963:7febc1da8700: Entry(26c9360): type 2, (FIELD), value: '16' 5828.834707795:7febc1da8700: Entry(26c9490): type 1, (CONSTANT), value: ' ... ' 5828.834711922:7febc1da8700: Entry(26c9530): type 2, (FIELD), value: '4' 5828.835388589:7febc1da8700: Entry(26c95d0): type 2, (FIELD), value: '1' 5828.835393273:7febc1da8700: Entry(26c9700): type 1, (CONSTANT), value: ' ' 5828.835397855:7febc1da8700: Template: Name='RSYSLOG_ForwardFormat' 5828.835400631:7febc1da8700: Template: Name='RSYSLOG_TraditionalForwardFormat' 5828.835403235:7febc1da8700: Template: Name=' StdUsrMsgFmt' 5828.835405694:7febc1da8700: Entry(26c9970): type 1, (CONSTANT), value: ' ' 5828.835409581:7febc1da8700: Entry(26c9a10): type 2, (FIELD), value: '4' 5828.835413345:7febc1da8700: Entry(26c9b60): type 2, (FIELD), value: '1' 5828.835417220:7febc1da8700: Entry(26c9c00): type 1, (CONSTANT), value: ' ' 5828.835421327:7febc1da8700: Template: Name=' StdDBFmt' [SQL-Format (MySQL)] 5828.835424777:7febc1da8700: Entry(26c9e80): type 1, (CONSTANT), value: 'insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('' 5828.835429071:7febc1da8700: Entry(26c9f20): type 2, (FIELD), value: '1' 5828.835432819:7febc1da8700: Entry(26ca070): type 1, (CONSTANT), value: '', ' 5828.835436597:7febc1da8700: Entry(26ca110): type 2, (FIELD), value: '12' 
5828.835440451:7febc1da8700: Entry(26ca240): type 1, (CONSTANT), value: ', '' 5828.835444179:7febc1da8700: Entry(26ca2e0): type 2, (FIELD), value: '3' 5828.835448032:7febc1da8700: Entry(26ca410): type 1, (CONSTANT), value: '', ' 5828.835451783:7febc1da8700: Entry(26ca4b0): type 2, (FIELD), value: '14' 5828.835455571:7febc1da8700: Entry(26ca5e0): type 1, (CONSTANT), value: ', '' 5828.835459214:7febc1da8700: Entry(26ca680): type 2, (FIELD), value: '2' [Format as MySQL-Date] 5828.835463917:7febc1da8700: Entry(26ca7b0): type 1, (CONSTANT), value: '', '' 5828.835467663:7febc1da8700: Entry(26ca850): type 2, (FIELD), value: '16' [Format as MySQL-Date] 5828.835472285:7febc1da8700: Entry(26ca980): type 1, (CONSTANT), value: '', ' 5828.835475956:7febc1da8700: Entry(26caa20): type 2, (FIELD), value: '11' 5828.835479715:7febc1da8700: Entry(26cab50): type 1, (CONSTANT), value: ', '' 5828.835483398:7febc1da8700: Entry(26cabf0): type 2, (FIELD), value: '4' 5828.835487127:7febc1da8700: Entry(26cad20): type 1, (CONSTANT), value: '')' 5828.835490871:7febc1da8700: Template: Name=' StdPgSQLFmt' [SQL-Format (standard SQL)] 5828.835494145:7febc1da8700: Entry(26cafa0): type 1, (CONSTANT), value: 'insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('' 5828.835498361:7febc1da8700: Entry(26cb040): type 2, (FIELD), value: '1' 5828.835502095:7febc1da8700: Entry(26cb190): type 1, (CONSTANT), value: '', ' 5828.835505841:7febc1da8700: Entry(26cb230): type 2, (FIELD), value: '12' 5828.835509615:7febc1da8700: Entry(26cb360): type 1, (CONSTANT), value: ', '' 5828.835513340:7febc1da8700: Entry(26cb400): type 2, (FIELD), value: '3' 5828.835517096:7febc1da8700: Entry(26cb530): type 1, (CONSTANT), value: '', ' 5828.835520807:7febc1da8700: Entry(26cb5d0): type 2, (FIELD), value: '14' 5828.835524538:7febc1da8700: Entry(26cb700): type 1, (CONSTANT), value: ', '' 5828.835528264:7febc1da8700: Entry(26cb7a0): type 2, (FIELD), value: 
'2' [Format as PgSQL-Date] 5828.835532971:7febc1da8700: Entry(26cb8d0): type 1, (CONSTANT), value: '', '' 5828.835536687:7febc1da8700: Entry(26cb970): type 2, (FIELD), value: '16' [Format as PgSQL-Date] 5828.835541318:7febc1da8700: Entry(26cbaa0): type 1, (CONSTANT), value: '', ' 5828.835545046:7febc1da8700: Entry(26cbb40): type 2, (FIELD), value: '11' 5828.835548801:7febc1da8700: Entry(26cbc70): type 1, (CONSTANT), value: ', '' 5828.835552535:7febc1da8700: Entry(26cbd10): type 2, (FIELD), value: '4' 5828.835556281:7febc1da8700: Entry(26cbe40): type 1, (CONSTANT), value: '')' 5828.835560025:7febc1da8700: Template: Name='RSYSLOG_omudpspoofDfltSourceTpl' 5828.835562520:7febc1da8700: Entry(26cbf60): type 2, (FIELD), value: '8' 5828.835566316:7febc1da8700: Template: Name='DYNmessages' 5828.835568713:7febc1da8700: Entry(26d1e60): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.835572650:7febc1da8700: Entry(26d1f00): type 2, (FIELD), value: '7' 5828.835576418:7febc1da8700: Entry(26d2050): type 1, (CONSTANT), value: '/' 5828.835580239:7febc1da8700: Entry(26d20f0): type 2, (FIELD), value: '7' 5828.835584002:7febc1da8700: Entry(26d2220): type 1, (CONSTANT), value: '_' 5828.835587754:7febc1da8700: Entry(26d22c0): type 2, (FIELD), value: '151' 5828.835591582:7febc1da8700: Entry(26d23f0): type 1, (CONSTANT), value: '.' 
5828.835595314:7febc1da8700: Entry(26d2490): type 2, (FIELD), value: '152' 5828.835599068:7febc1da8700: Entry(26d25c0): type 1, (CONSTANT), value: '_messages' 5828.835602837:7febc1da8700: Template: Name='DYNsecure' 5828.835605269:7febc1da8700: Entry(26d27b0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.835609131:7febc1da8700: Entry(26d2850): type 2, (FIELD), value: '7' 5828.835612916:7febc1da8700: Entry(26d29a0): type 1, (CONSTANT), value: '/' 5828.835616716:7febc1da8700: Entry(26d2a40): type 2, (FIELD), value: '7' 5828.835620449:7febc1da8700: Entry(26d2b70): type 1, (CONSTANT), value: '_' 5828.835624252:7febc1da8700: Entry(26d2c10): type 2, (FIELD), value: '151' 5828.835627994:7febc1da8700: Entry(26d2d40): type 1, (CONSTANT), value: '.' 5828.835631770:7febc1da8700: Entry(26d2de0): type 2, (FIELD), value: '152' 5828.835635556:7febc1da8700: Entry(26d2f10): type 1, (CONSTANT), value: '_secure' 5828.835639323:7febc1da8700: Template: Name='DYNmaillog' 5828.835641703:7febc1da8700: Entry(26d3100): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.835645611:7febc1da8700: Entry(26d31a0): type 2, (FIELD), value: '7' 5828.835649360:7febc1da8700: Entry(26d32f0): type 1, (CONSTANT), value: '/' 5828.835653158:7febc1da8700: Entry(26d3390): type 2, (FIELD), value: '7' 5828.835656917:7febc1da8700: Entry(26d34c0): type 1, (CONSTANT), value: '_' 5828.835660709:7febc1da8700: Entry(26d3560): type 2, (FIELD), value: '151' 5828.835664468:7febc1da8700: Entry(26d3690): type 1, (CONSTANT), value: '.' 
5828.835668294:7febc1da8700: Entry(26d3730): type 2, (FIELD), value: '152' 5828.835672042:7febc1da8700: Entry(26d3860): type 1, (CONSTANT), value: '_maillog' 5828.835675771:7febc1da8700: Template: Name='DYNcron' 5828.835678257:7febc1da8700: Entry(26d3a50): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.835682161:7febc1da8700: Entry(26d3af0): type 2, (FIELD), value: '7' 5828.835685945:7febc1da8700: Entry(26d3c40): type 1, (CONSTANT), value: '/' 5828.835689795:7febc1da8700: Entry(26d3ce0): type 2, (FIELD), value: '7' 5828.835693561:7febc1da8700: Entry(26d3e10): type 1, (CONSTANT), value: '_' 5828.835697370:7febc1da8700: Entry(26d3eb0): type 2, (FIELD), value: '151' 5828.835707698:7febc1da8700: Entry(26d3fe0): type 1, (CONSTANT), value: '.' 5828.835712181:7febc1da8700: Entry(26d4080): type 2, (FIELD), value: '152' 5828.835719027:7febc1da8700: Entry(26d41b0): type 1, (CONSTANT), value: '_cron' 5828.836363778:7febc1da8700: Template: Name='DYNspooler' 5828.836366680:7febc1da8700: Entry(26d43a0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.836370781:7febc1da8700: Entry(26d4440): type 2, (FIELD), value: '7' 5828.836374706:7febc1da8700: Entry(26d4590): type 1, (CONSTANT), value: '/' 5828.836384218:7febc1da8700: Entry(26d4630): type 2, (FIELD), value: '7' 5828.836388328:7febc1da8700: Entry(26d4760): type 1, (CONSTANT), value: '_' 5828.836392176:7febc1da8700: Entry(26d4800): type 2, (FIELD), value: '151' 5828.836396070:7febc1da8700: Entry(26d4930): type 1, (CONSTANT), value: '.' 
5828.836399890:7febc1da8700: Entry(26d49d0): type 2, (FIELD), value: '152' 5828.836403785:7febc1da8700: Entry(26d4b00): type 1, (CONSTANT), value: '_spooler' 5828.836407615:7febc1da8700: Template: Name='DYNboot' 5828.836410251:7febc1da8700: Entry(26d4cf0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.836414251:7febc1da8700: Entry(26d4d90): type 2, (FIELD), value: '7' 5828.836418070:7febc1da8700: Entry(26d4ee0): type 1, (CONSTANT), value: '/' 5828.836421839:7febc1da8700: Entry(26d4f80): type 2, (FIELD), value: '7' 5828.836425809:7febc1da8700: Entry(26d50b0): type 1, (CONSTANT), value: '_' 5828.836429589:7febc1da8700: Entry(26d5150): type 2, (FIELD), value: '151' 5828.836433429:7febc1da8700: Entry(26d5280): type 1, (CONSTANT), value: '.' 5828.836437209:7febc1da8700: Entry(26d5320): type 2, (FIELD), value: '152' 5828.836441039:7febc1da8700: Entry(26d5450): type 1, (CONSTANT), value: '_boot.log' 5828.836444787:7febc1da8700: Template: Name='DYNtraps' 5828.836447411:7febc1da8700: Entry(26d5640): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.836451324:7febc1da8700: Entry(26d56e0): type 2, (FIELD), value: '7' 5828.836455139:7febc1da8700: Entry(26d5830): type 1, (CONSTANT), value: '/' 5828.836458936:7febc1da8700: Entry(26d58d0): type 2, (FIELD), value: '7' 5828.836462746:7febc1da8700: Entry(26d5a00): type 1, (CONSTANT), value: '_' 5828.836466510:7febc1da8700: Entry(26d5aa0): type 2, (FIELD), value: '151' 5828.836470358:7febc1da8700: Entry(26d5bd0): type 1, (CONSTANT), value: '.' 
5828.836474120:7febc1da8700: Entry(26d5c70): type 2, (FIELD), value: '152' 5828.836477947:7febc1da8700: Entry(26d5da0): type 1, (CONSTANT), value: '_traps' 5828.836481651:7febc1da8700: Template: Name='DYNIPmessages' 5828.836484223:7febc1da8700: Entry(26d5fa0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.836488155:7febc1da8700: Entry(26d6040): type 2, (FIELD), value: '8' 5828.836492022:7febc1da8700: Entry(26d6190): type 1, (CONSTANT), value: '/' 5828.836495803:7febc1da8700: Entry(26d6230): type 2, (FIELD), value: '8' 5828.836499629:7febc1da8700: Entry(26d6360): type 1, (CONSTANT), value: '_' 5828.836503457:7febc1da8700: Entry(26d6400): type 2, (FIELD), value: '151' 5828.836507292:7febc1da8700: Entry(26d6530): type 1, (CONSTANT), value: '.' 5828.836511060:7febc1da8700: Entry(26d65d0): type 2, (FIELD), value: '152' 5828.836514912:7febc1da8700: Entry(26d6700): type 1, (CONSTANT), value: '_messages' 5828.836518689:7febc1da8700: Template: Name='DYNIPsecure' 5828.836521213:7febc1da8700: Entry(26d68f0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 5828.836525154:7febc1da8700: Entry(26d6990): type 2, (FIELD), value: '8' 5828.836528983:7febc1da8700: Entry(26d6ae0): type 1, (CONSTANT), value: '/' 5828.836532751:7febc1da8700: Entry(26d6b80): type 2, (FIELD), value: '8' 5828.836536618:7febc1da8700: Entry(26d6cb0): type 1, (CONSTANT), value: '_' 5828.836540398:7febc1da8700: Entry(26d6d50): type 2, (FIELD), value: '151' 5828.836544223:7febc1da8700: Entry(26d6e80): type 1, (CONSTANT), value: '.' 
5829.070462780:7febc1da8700: 5829.070464614:7febc1da8700: Command 'privdroptouser': 5829.070466785:7febc1da8700: type : 2 5829.070469015:7febc1da8700: pData: 0x26c1180 5829.070471288:7febc1da8700: Hdlr : 0x0 5829.070473484:7febc1da8700: Owner: 0x0 5829.070475606:7febc1da8700: 5829.070477302:7febc1da8700: Command 'privdroptouserid': 5829.070479522:7febc1da8700: type : 6 5829.070481751:7febc1da8700: pData: 0x26c1180 5829.070484015:7febc1da8700: Hdlr : 0x0 5829.070486219:7febc1da8700: Owner: 0x0 5829.070488340:7febc1da8700: 5829.070490055:7febc1da8700: Command 'privdroptogroup': 5829.070492235:7febc1da8700: type : 3 5829.070494495:7febc1da8700: pData: 0x26c1184 5829.070496741:7febc1da8700: Hdlr : 0x0 5829.070498940:7febc1da8700: Owner: 0x0 5829.070501061:7febc1da8700: 5829.070502764:7febc1da8700: Command 'privdroptogroupid': 5829.070504987:7febc1da8700: type : 3 5829.070507249:7febc1da8700: pData: 0x26c1184 5829.070509482:7febc1da8700: Hdlr : 0x0 5829.070511678:7febc1da8700: Owner: 0x0 5829.070513792:7febc1da8700: 5829.070515492:7febc1da8700: Command 'generateconfiggraph': 5829.070517763:7febc1da8700: type : 11 5829.070519980:7febc1da8700: pData: 0x26c1190 5829.070522219:7febc1da8700: Hdlr : 0x0 5829.070524422:7febc1da8700: Owner: 0x0 5829.070526537:7febc1da8700: 5829.070528230:7febc1da8700: Command 'umask': 5829.070530443:7febc1da8700: type : 5 5829.070532656:7febc1da8700: pData: 0x26c1188 5829.070534892:7febc1da8700: Hdlr : 0x0 5829.070537095:7febc1da8700: Owner: 0x0 5829.070539206:7febc1da8700: 5829.070540908:7febc1da8700: Command 'maxopenfiles': 5829.070543143:7febc1da8700: type : 6 5829.070545318:7febc1da8700: pData: 0x0 5829.070547567:7febc1da8700: Hdlr : 0x41fff0 5829.070549833:7febc1da8700: Owner: 0x0 5829.070551963:7febc1da8700: 5829.070553699:7febc1da8700: Command 'actionresumeinterval': 5829.070555942:7febc1da8700: type : 6 5829.070558140:7febc1da8700: pData: 0x0 5829.070560376:7febc1da8700: Hdlr : 0x41ffe0 5829.070562639:7febc1da8700: Owner: 0x0 
5829.070564769:7febc1da8700: 5829.070566465:7febc1da8700: Command 'modload': 5829.070568613:7febc1da8700: type : 1 5829.070570813:7febc1da8700: pData: 0x0 5829.070573051:7febc1da8700: Hdlr : 0x41f810 5829.070575329:7febc1da8700: Owner: 0x0 5829.070577491:7febc1da8700: 5829.070579199:7febc1da8700: Command 'defaultruleset': 5829.070581376:7febc1da8700: type : 11 5829.070583586:7febc1da8700: pData: 0x0 5829.070585835:7febc1da8700: Hdlr : 0x41fe20 5829.070588152:7febc1da8700: Owner: 0x0 5829.070590309:7febc1da8700: 5829.070591995:7febc1da8700: Command 'ruleset': 5829.070594157:7febc1da8700: type : 11 5829.070596366:7febc1da8700: pData: 0x0 5829.070598609:7febc1da8700: Hdlr : 0x41fd60 5829.070600909:7febc1da8700: Owner: 0x0 5829.070603051:7febc1da8700: 5829.070604753:7febc1da8700: Command 'template': 5829.070606907:7febc1da8700: type : 1 5829.070609110:7febc1da8700: pData: 0x0 5829.070611346:7febc1da8700: Hdlr : 0x41f6d0 5829.070613631:7febc1da8700: Owner: 0x0 5829.070615753:7febc1da8700: 5829.070617449:7febc1da8700: Command 'outchannel': 5829.070619670:7febc1da8700: type : 1 5829.070621872:7febc1da8700: pData: 0x1 5829.070624117:7febc1da8700: Hdlr : 0x41f6d0 5829.070626412:7febc1da8700: Owner: 0x0 5829.070628540:7febc1da8700: 5829.070630242:7febc1da8700: Command 'allowedsender': 5829.070632424:7febc1da8700: type : 1 5829.070634623:7febc1da8700: pData: 0x2 5829.070636873:7febc1da8700: Hdlr : 0x41f6d0 5829.070639153:7febc1da8700: Owner: 0x0 5829.070641286:7febc1da8700: 5829.070643002:7febc1da8700: Command 'mainmsgqueuefilename': 5829.070645258:7febc1da8700: type : 11 5829.070647495:7febc1da8700: pData: 0x26c11c0 5829.070649779:7febc1da8700: Hdlr : 0x0 5829.070651988:7febc1da8700: Owner: 0x0 5829.070654110:7febc1da8700: 5829.070655815:7febc1da8700: Command 'mainmsgqueuesize': 5829.070657970:7febc1da8700: type : 6 5829.070660213:7febc1da8700: pData: 0x26c11a0 5829.070662453:7febc1da8700: Hdlr : 0x0 5829.070664650:7febc1da8700: Owner: 0x0 5829.070666769:7febc1da8700: 
5829.070668613:7febc1da8700: Command 'mainmsgqueuehighwatermark': 5829.070670842:7febc1da8700: type : 6 5829.070673080:7febc1da8700: pData: 0x26c11a4 5829.070675319:7febc1da8700: Hdlr : 0x0 5829.070677523:7febc1da8700: Owner: 0x0 5829.070679639:7febc1da8700: 5829.070681406:7febc1da8700: Command 'mainmsgqueuelowwatermark': 5829.070683759:7febc1da8700: type : 6 5829.070685977:7febc1da8700: pData: 0x26c11a8 5829.070688212:7febc1da8700: Hdlr : 0x0 5829.070690414:7febc1da8700: Owner: 0x0 5829.070692532:7febc1da8700: 5829.070694364:7febc1da8700: Command 'mainmsgqueuediscardmark': 5829.070696619:7febc1da8700: type : 6 5829.070698838:7febc1da8700: pData: 0x26c11ac 5829.070701074:7febc1da8700: Hdlr : 0x0 5829.070703276:7febc1da8700: Owner: 0x0 5829.070705399:7febc1da8700: 5829.070707235:7febc1da8700: Command 'mainmsgqueuediscardseverity': 5829.070709562:7febc1da8700: type : 10 5829.070711782:7febc1da8700: pData: 0x26c11b0 5829.070714962:7febc1da8700: Hdlr : 0x0 5829.070718628:7febc1da8700: Owner: 0x0 5829.071350602:7febc1da8700: 5829.071353829:7febc1da8700: Command 'mainmsgqueuecheckpointinterval': 5829.071356198:7febc1da8700: type : 6 5829.071358428:7febc1da8700: pData: 0x26c11d0 5829.071360693:7febc1da8700: Hdlr : 0x0 5829.071362991:7febc1da8700: Owner: 0x0 5829.071365152:7febc1da8700: 5829.071367028:7febc1da8700: Command 'mainmsgqueuesyncqueuefiles': 5829.071369271:7febc1da8700: type : 4 5829.071371521:7febc1da8700: pData: 0x26c11d4 5829.071373781:7febc1da8700: Hdlr : 0x0 5829.071376015:7febc1da8700: Owner: 0x0 5829.071378146:7febc1da8700: 5829.071379911:7febc1da8700: Command 'mainmsgqueuetype': 5829.071382051:7febc1da8700: type : 11 5829.071384257:7febc1da8700: pData: 0x0 5829.071386515:7febc1da8700: Hdlr : 0x41fe60 5829.071388807:7febc1da8700: Owner: 0x0 5829.071390946:7febc1da8700: 5829.071392767:7febc1da8700: Command 'mainmsgqueueworkerthreads': 5829.071394980:7febc1da8700: type : 6 5829.071397214:7febc1da8700: pData: 0x26c11b4 5829.071399441:7febc1da8700: Hdlr : 0x0 
5829.071401655:7febc1da8700: Owner: 0x0 5829.071403784:7febc1da8700: 5829.071405537:7febc1da8700: Command 'mainmsgqueuetimeoutshutdown': 5829.071407780:7febc1da8700: type : 6 5829.071410000:7febc1da8700: pData: 0x26c11d8 5829.071412229:7febc1da8700: Hdlr : 0x0 5829.071414448:7febc1da8700: Owner: 0x0 5829.071416572:7febc1da8700: 5829.071418299:7febc1da8700: Command 'mainmsgqueuetimeoutactioncompletion': 5829.071420582:7febc1da8700: type : 6 5829.071422797:7febc1da8700: pData: 0x26c11dc 5829.071425023:7febc1da8700: Hdlr : 0x0 5829.071427232:7febc1da8700: Owner: 0x0 5829.071429361:7febc1da8700: 5829.071431048:7febc1da8700: Command 'mainmsgqueuetimeoutenqueue': 5829.071433204:7febc1da8700: type : 6 5829.071435417:7febc1da8700: pData: 0x26c11e0 5829.071437644:7febc1da8700: Hdlr : 0x0 5829.071439853:7febc1da8700: Owner: 0x0 5829.071441998:7febc1da8700: 5829.071443714:7febc1da8700: Command 'mainmsgqueueworkertimeoutthreadshutdown': 5829.071445842:7febc1da8700: type : 6 5829.071448064:7febc1da8700: pData: 0x26c11e4 5829.071450297:7febc1da8700: Hdlr : 0x0 5829.071452524:7febc1da8700: Owner: 0x0 5829.071454653:7febc1da8700: 5829.071456334:7febc1da8700: Command 'mainmsgqueuedequeueslowdown': 5829.071458489:7febc1da8700: type : 6 5829.071460709:7febc1da8700: pData: 0x26c11ec 5829.071462959:7febc1da8700: Hdlr : 0x0 5829.071465169:7febc1da8700: Owner: 0x0 5829.071467295:7febc1da8700: 5829.071468989:7febc1da8700: Command 'mainmsgqueueworkerthreadminimummessages': 5829.071471113:7febc1da8700: type : 6 5829.071473346:7febc1da8700: pData: 0x26c11e8 5829.071475571:7febc1da8700: Hdlr : 0x0 5829.071477780:7febc1da8700: Owner: 0x0 5829.071479910:7febc1da8700: 5829.071481592:7febc1da8700: Command 'mainmsgqueuemaxfilesize': 5829.071483718:7febc1da8700: type : 7 5829.071485935:7febc1da8700: pData: 0x26c11c8 5829.071488157:7febc1da8700: Hdlr : 0x0 5829.071490350:7febc1da8700: Owner: 0x0 5829.071492471:7febc1da8700: 5829.071494177:7febc1da8700: Command 'mainmsgqueuedequeuebatchsize': 
5829.071496382:7febc1da8700: type : 7 5829.071498596:7febc1da8700: pData: 0x26c11f8 5829.071500822:7febc1da8700: Hdlr : 0x0 5829.071503031:7febc1da8700: Owner: 0x0 5829.071505154:7febc1da8700: 5829.071506861:7febc1da8700: Command 'mainmsgqueuemaxdiskspace': 5829.071508962:7febc1da8700: type : 7 5829.071511176:7febc1da8700: pData: 0x26c11f0 5829.071513399:7febc1da8700: Hdlr : 0x0 5829.071515594:7febc1da8700: Owner: 0x0 5829.071517734:7febc1da8700: 5829.071519423:7febc1da8700: Command 'mainmsgqueuesaveonshutdown': 5829.071521574:7febc1da8700: type : 4 5829.071523788:7febc1da8700: pData: 0x26c1200 5829.071526014:7febc1da8700: Hdlr : 0x0 5829.071528243:7febc1da8700: Owner: 0x0 5829.071530365:7febc1da8700: 5829.071532052:7febc1da8700: Command 'mainmsgqueuedequeuetimebegin': 5829.071534211:7febc1da8700: type : 6 5829.071536424:7febc1da8700: pData: 0x26c1204 5829.071538668:7febc1da8700: Hdlr : 0x0 5829.071540878:7febc1da8700: Owner: 0x0 5829.071542998:7febc1da8700: 5829.071544861:7febc1da8700: Command 'mainmsgqueuedequeuetimeend': 5829.071547095:7febc1da8700: type : 6 5829.071549348:7febc1da8700: pData: 0x26c1208 5829.071551588:7febc1da8700: Hdlr : 0x0 5829.071553810:7febc1da8700: Owner: 0x0 5829.071555950:7febc1da8700: 5829.071557724:7febc1da8700: Command 'moddir': 5829.071559849:7febc1da8700: type : 11 5829.071562097:7febc1da8700: pData: 0x0 5829.071564356:7febc1da8700: Hdlr : 0x41fd20 5829.071566671:7febc1da8700: Owner: 0x0 5829.071568833:7febc1da8700: 5829.071570737:7febc1da8700: Command 'inputudpserverbindruleset': 5829.071573185:7febc1da8700: type : 11 5829.071575416:7febc1da8700: pData: 0x7febc1b37770 5829.071577751:7febc1da8700: Hdlr : 0x0 5829.071580014:7febc1da8700: Owner: 0x7febc1934eb0 5829.071582249:7febc1da8700: 5829.071584152:7febc1da8700: Command 'udpserverrun': 5829.071586368:7febc1da8700: type : 11 5829.071588566:7febc1da8700: pData: 0x0 5829.071590814:7febc1da8700: Hdlr : 0x7febc1935cb0 5829.071593111:7febc1da8700: Owner: 0x7febc1934eb0 
5829.071595347:7febc1da8700: 5829.071597121:7febc1da8700: Command 'udpserveraddress': 5829.071599257:7febc1da8700: type : 11 5829.071602298:7febc1da8700: pData: 0x7febc1b37760 5829.071605931:7febc1da8700: Hdlr : 0x0 5829.071609450:7febc1da8700: Owner: 0x7febc1934eb0 5829.071612630:7febc1da8700: 5829.071615823:7febc1da8700: Command 'imudpschedulingpolicy': 5829.071619173:7febc1da8700: type : 11 5829.071622483:7febc1da8700: pData: 0x7febc1b37768 5829.071626470:7febc1da8700: Hdlr : 0x0 5829.071629188:7febc1da8700: Owner: 0x7febc1934eb0 5829.071631420:7febc1da8700: 5829.071633321:7febc1da8700: Command 'imudpschedulingpriority': 5829.071635500:7febc1da8700: type : 6 5829.071637728:7febc1da8700: pData: 0x7febc1b37778 5829.071640089:7febc1da8700: Hdlr : 0x0 5829.071642335:7febc1da8700: Owner: 0x7febc1934eb0 5829.071644583:7febc1da8700: 5829.071646375:7febc1da8700: Command 'udpservertimerequery': 5829.071648598:7febc1da8700: type : 6 5829.071650828:7febc1da8700: pData: 0x7febc1b3777c 5829.071653155:7febc1da8700: Hdlr : 0x0 5829.071655387:7febc1da8700: Owner: 0x7febc1934eb0 5829.071657632:7febc1da8700: 5829.071659447:7febc1da8700: Command 'inputtcpserverrun': 5829.071661802:7febc1da8700: type : 11 5829.071664010:7febc1da8700: pData: 0x0 5829.071666257:7febc1da8700: Hdlr : 0x7febc1732660 5829.071668573:7febc1da8700: Owner: 0x7febc17318a0 5829.071670794:7febc1da8700: 5829.071672627:7febc1da8700: Command 'inputtcpserverkeepalive': 5829.071674788:7febc1da8700: type : 4 5829.071676996:7febc1da8700: pData: 0x7febc19336ac 5829.071679324:7febc1da8700: Hdlr : 0x0 5829.071681556:7febc1da8700: Owner: 0x7febc17318a0 5829.071683856:7febc1da8700: 5829.071685688:7febc1da8700: Command 'inputtcpmaxsessions': 5829.071687894:7febc1da8700: type : 6 5829.071690102:7febc1da8700: pData: 0x7febc19336a0 5829.071692428:7febc1da8700: Hdlr : 0x0 5829.071694659:7febc1da8700: Owner: 0x7febc17318a0 5829.071696914:7febc1da8700: 5829.071698677:7febc1da8700: Command 'inputtcpmaxlisteners': 
5829.071700897:7febc1da8700: type : 6 5829.071703107:7febc1da8700: pData: 0x7febc19336a4 5829.071705433:7febc1da8700: Hdlr : 0x0 5829.072294363:7febc1da8700: Owner: 0x7febc17318a0 5829.072297713:7febc1da8700: 5829.072299793:7febc1da8700: Command 'inputtcpservernotifyonconnectionclose': 5829.072302047:7febc1da8700: type : 4 5829.072304307:7febc1da8700: pData: 0x7febc19336b0 5829.072306693:7febc1da8700: Hdlr : 0x0 5829.072308963:7febc1da8700: Owner: 0x7febc17318a0 5829.072311215:7febc1da8700: 5829.072313042:7febc1da8700: Command 'inputtcpserverstreamdrivermode': 5829.072315185:7febc1da8700: type : 6 5829.072317435:7febc1da8700: pData: 0x7febc19336a8 5829.072319776:7febc1da8700: Hdlr : 0x0 5829.072322026:7febc1da8700: Owner: 0x7febc17318a0 5829.072324278:7febc1da8700: 5829.072326127:7febc1da8700: Command 'inputtcpserverstreamdriverauthmode': 5829.072328433:7febc1da8700: type : 11 5829.072330662:7febc1da8700: pData: 0x7febc19336c0 5829.072332995:7febc1da8700: Hdlr : 0x0 5829.072335244:7febc1da8700: Owner: 0x7febc17318a0 5829.072337485:7febc1da8700: 5829.072339337:7febc1da8700: Command 'inputtcpserverstreamdriverpermittedpeer': 5829.072341577:7febc1da8700: type : 11 5829.072343791:7febc1da8700: pData: 0x0 5829.072346051:7febc1da8700: Hdlr : 0x7febc1732580 5829.072348386:7febc1da8700: Owner: 0x7febc17318a0 5829.072350629:7febc1da8700: 5829.072352469:7febc1da8700: Command 'inputtcpserveraddtlframedelimiter': 5829.072354718:7febc1da8700: type : 6 5829.072356947:7febc1da8700: pData: 0x7febc19336b4 5829.072359284:7febc1da8700: Hdlr : 0x0 5829.072361546:7febc1da8700: Owner: 0x7febc17318a0 5829.072363796:7febc1da8700: 5829.072365558:7febc1da8700: Command 'inputtcpserverdisablelfdelimiter': 5829.072367714:7febc1da8700: type : 4 5829.072369942:7febc1da8700: pData: 0x7febc19336b8 5829.072373440:7febc1da8700: Hdlr : 0x0 5829.072377062:7febc1da8700: Owner: 0x7febc17318a0 5829.072380473:7febc1da8700: 5829.072382406:7febc1da8700: Command 'inputtcpserverinputname': 
5829.072384568:7febc1da8700: type : 11 5829.072386824:7febc1da8700: pData: 0x7febc19336c8 5829.072389164:7febc1da8700: Hdlr : 0x0 5829.072391417:7febc1da8700: Owner: 0x7febc17318a0 5829.072393671:7febc1da8700: 5829.072395407:7febc1da8700: Command 'inputtcpserverbindruleset': 5829.072397617:7febc1da8700: type : 11 5829.072399852:7febc1da8700: pData: 0x7febc19336d0 5829.072402186:7febc1da8700: Hdlr : 0x0 5829.072404443:7febc1da8700: Owner: 0x7febc17318a0 5829.072406692:7febc1da8700: 5829.072408461:7febc1da8700: Command 'inputtcpflowcontrol': 5829.072410637:7febc1da8700: type : 4 5829.072412867:7febc1da8700: pData: 0x7febc19336bc 5829.072415203:7febc1da8700: Hdlr : 0x0 5829.072417448:7febc1da8700: Owner: 0x7febc17318a0 5829.072419724:7febc1da8700: 5829.072421364:7febc1da8700: 5829.072423768:7febc1da8700: Main queue size 10000 messages. 5829.072426072:7febc1da8700: Main queue worker threads: 1, wThread shutdown: 60000, Perists every 0 updates. 5829.072428256:7febc1da8700: Main queue timeouts: shutdown: 1500, action completion shutdown: 1000, enq: 2000 5829.072430549:7febc1da8700: Main queue watermarks: high: 8000, low: 2000, discard: 9800, discard-severity: 8 5829.072432689:7febc1da8700: Main queue save on shutdown 1, max disk space allowed 0 5829.072435228:7febc1da8700: Work Directory: ''. 
5829.072437286:7febc1da8700: Modules used in this configuration: 5829.072439430:7febc1da8700: builtin-file 5829.072441260:7febc1da8700: builtin-pipe 5829.072443121:7febc1da8700: builtin-shell 5829.072444941:7febc1da8700: builtin-discard 5829.072446741:7febc1da8700: builtin-fwd 5829.072448579:7febc1da8700: builtin-usrmsg 5829.072450494:7febc1da8700: builtin-pmrfc5424 5829.072452292:7febc1da8700: builtin-pmrfc3164 5829.072454183:7febc1da8700: builtin-smfile 5829.072456001:7febc1da8700: builtin-smtradfile 5829.072457804:7febc1da8700: builtin-smfwd 5829.072459557:7febc1da8700: builtin-smtradfwd 5829.072461365:7febc1da8700: imudp 5829.072463032:7febc1da8700: imtcp 5829.072473495:7febc1da8700: Checking pidfile. 5829.072816510:7febc1da8700: Writing pidfile /var/run/rsyslogd.pid. 5829.072939261:7febc1da8700: umask set to 0027. 5829.072943963:7febc1da8700: telling modules to activate config (before dropping privs) 0x26c1150 5829.072948639:7febc1da8700: pre priv drop activating config 0x26c1150 for module imudp 5829.072956822:7febc1da8700: imudp: trying to open port at *:514. 5829.073101855:7febc1da8700: pre priv drop activating config 0x26c1150 for module imtcp 5829.073116664:7febc1da8700: tcpsrv: keep-alive set to 0 5829.073120049:7febc1da8700: imtcp: trying to add port *:514 5829.073140832:7febc1da8700: caller requested object 'nsd_ptcp', not found (iRet -3003) 5829.073180175:7febc1da8700: Requested to load module 'lmnsd_ptcp' 5829.073186264:7febc1da8700: loading module '/usr/lib64/rsyslog/lmnsd_ptcp.so' 5829.073376984:7febc1da8700: source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 4 5829.073390590:7febc1da8700: module lmnsd_ptcp of type 2 being loaded. 
5829.073393411:7febc1da8700: entry point 'isCompatibleWithFeature' not present in module 5829.073395580:7febc1da8700: entry point 'getModCnfName' not present in module 5829.073397707:7febc1da8700: entry point 'beginCnfLoad' not present in module 5829.073403247:7febc1da8700: source file netstrms.c requested reference for module 'lmnsd_ptcp', reference count now 1 5829.073407098:7febc1da8700: creating tcp listen socket on port 514 5829.073464131:7febc1da8700: Allocating buffer for 200 TCP sessions. 5829.073473644:7febc1da8700: setgroups(0, NULL): 0 5829.073478567:7febc1da8700: setgid(201105): 0 5829.073526725:7febc1da8700: MsgSetTAG in: len 9, pszBuf: rsyslogd: 5829.073530259:7febc1da8700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd: 5829.073533081:7febc1da8700: group privileges have been dropped to gid 201105 5829.073537944:7febc1da8700: setuid(900000029): 0 5829.073541117:7febc1da8700: MsgSetTAG in: len 9, pszBuf: rsyslogd: 5829.073543340:7febc1da8700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd: 5829.073545588:7febc1da8700: user privileges have been dropped to uid 900000029 5829.073547569:7febc1da8700: telling modules to activate config 0x26c1150 5829.073549900:7febc1da8700: activating config 0x26c1150 for module imudp 5829.073554241:7febc1da8700: activating config 0x26c1150 for module imtcp 5829.073557107:7febc1da8700: Allowed UDP Senders: 5829.073558873:7febc1da8700: No restrictions set. 5829.073561452:7febc1da8700: Allowed TCP Senders: 5829.073563085:7febc1da8700: No restrictions set. 
5829.073577537:7febc1da8700: action 1 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073580722:7febc1da8700: Action 0x26da3a0: queue 0x26da4b0 started 5829.073583827:7febc1da8700: action 2 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073586309:7febc1da8700: Action 0x26daac0: queue 0x26dac00 started 5829.073592538:7febc1da8700: action 3 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073595358:7febc1da8700: Action 0x26db210: queue 0x26db350 started 5829.073598380:7febc1da8700: action 4 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073600862:7febc1da8700: Action 0x26db960: queue 0x26dbaa0 started 5829.073607220:7febc1da8700: action 5 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073610048:7febc1da8700: Action 0x26dc0b0: queue 0x26dc1f0 started 5829.073612984:7febc1da8700: action 6 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073615435:7febc1da8700: Action 0x26dc800: queue 0x26dc940 started 5829.073621425:7febc1da8700: action 7 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073624255:7febc1da8700: Action 0x26dd010: queue 0x26dd150 started 5829.073627200:7febc1da8700: action 8 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch 
size 16 starting 5829.073629646:7febc1da8700: Action 0x26dd760: queue 0x26dd8a0 started 5829.073635504:7febc1da8700: action 9 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073638309:7febc1da8700: Action 0x26ddeb0: queue 0x26ddff0 started 5829.073641257:7febc1da8700: action 10 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.073643730:7febc1da8700: Action 0x26de600: queue 0x26de740 started 5829.223524842:7febc1da8700: action 11 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.223531624:7febc1da8700: Action 0x26ded50: queue 0x26dee90 started 5829.223535127:7febc1da8700: action 12 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.223537679:7febc1da8700: Action 0x26df4a0: queue 0x26df5e0 started 5829.223540519:7febc1da8700: action 13 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.223542926:7febc1da8700: Action 0x26dfbf0: queue 0x26dfd30 started 5829.223546475:7febc1da8700: action 14 queue: type 3, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 970, light delay 700, deq batch size 16 starting 5829.223548949:7febc1da8700: Action 0x26cc4a0: queue 0x26cc5b0 started 5829.223564301:7febc1da8700: main Q: is NOT disk-assisted 5829.223567409:7febc1da8700: main Q: type 0, enq-only 0, disk assisted 0, maxFileSz 1048576, lqsize 0, pqsize 0, child 0, full delay 9700, light delay 7000, deq batch size 32 starting 5829.223575820:7febc1da8700: main Q:Reg: finalizing construction of worker thread pool 
5829.223579902:7febc1da8700: main Q:Reg/w0: finalizing construction of worker instance data 5829.223586380:7febc1da8700: main Q: queue finished initialization 5829.223594375:7febc1da8700: Main processing queue is initialized and running 5829.223599658:7febc1da8700: running module imudp with config 0x26cf1f0 5829.223638245:7febc1da8700: running module imtcp with config 0x26d1be0 5829.223651656:7febc1da8700: configuration 0x26c1150 activated 5829.223654362:7febc1da8700: started. 5829.223664704:7febc1da8700: MsgSetTAG in: len 9, pszBuf: rsyslogd: 5829.223667138:7febc1da8700: MsgSetTAG exit: pMsg->iLenTAG 9, pMsg->TAG.szBuf: rsyslogd: 5829.223670660:7febc1da8700: main Q: entry added, size now log 1, phys 1 entries 5829.223673036:7febc1da8700: main Q:Reg: high activity - starting 1 additional worker thread(s). 5829.223687998:7febc1da8700: main Q:Reg: started with state 0, num workers now 1 5829.223690593:7febc1da8700: main Q: EnqueueMsg advised worker start 5829.223692555:7febc1da8700: Debugging enabled, SIGUSR1 to turn off debugging. 5829.223697325:7febc1da8700: initialization completed, transitioning to regular run mode real 5m0.247s user 0m0.000s sys 0m0.003s -------------- next part -------------- # time /usr/sbin/rsyslogd -c 6 -d 6396.612127297:7fd30d5ef700: rsyslogd 6.3.6 startup, compatibility mode 6, module path '', cwd:/root 6396.612351777:7fd30d5ef700: caller requested object 'net', not found (iRet -3003) 6396.612364638:7fd30d5ef700: Requested to load module 'lmnet' 6396.612367924:7fd30d5ef700: loading module '/usr/lib64/rsyslog/lmnet.so' 6396.612461862:7fd30d5ef700: module lmnet of type 2 being loaded. 
6396.618525766:7fd30d5ef700: 6396.618528854:7fd30d5ef700: 6396.618532556:7fd30d5ef700: 6396.618535977:7fd30d5ef700: rule 0x21b6340: rsyslog rule: 6396.618537940:7fd30d5ef700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 6396.618541088:7fd30d5ef700: builtin-file: [dynamic] 6396.618543867:7fd30d5ef700: template='DYNIPmaillog' 6396.618546240:7fd30d5ef700: use async writer=0 6396.618548352:7fd30d5ef700: flush on TX end=1 6396.618550434:7fd30d5ef700: flush interval=1 6396.618552638:7fd30d5ef700: file cache size=10 6396.618554794:7fd30d5ef700: create directories: yes 6396.618557067:7fd30d5ef700: file owner -1, group -1 6396.618559437:7fd30d5ef700: directory owner -1, group -1 6396.618561867:7fd30d5ef700: dir create mode 0750, file create mode 0640 6396.618564123:7fd30d5ef700: fail if owner/group can not be set: yes 6396.618566356:7fd30d5ef700: Instance data: 0x21b63e0 6396.618568785:7fd30d5ef700: RepeatedMsgReduction: 0 6396.618571030:7fd30d5ef700: Resume Interval: 30 6396.618573211:7fd30d5ef700: State: rdy 6396.618575295:7fd30d5ef700: Exec only when previous is suspended: 0 6396.618577495:7fd30d5ef700: submission mode: fast, but supports partial mark messages 6396.618579721:7fd30d5ef700: 6396.618581486:7fd30d5ef700: 6396.618583278:7fd30d5ef700: 6396.618585783:7fd30d5ef700: rule 0x21b6a90: rsyslog rule: 6396.618587701:7fd30d5ef700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 6396.618590780:7fd30d5ef700: builtin-file: [dynamic] 6396.618593482:7fd30d5ef700: template='DYNIPcron' 6396.618595784:7fd30d5ef700: use async writer=0 6396.618597979:7fd30d5ef700: flush on TX end=1 6396.618600069:7fd30d5ef700: flush interval=1 6396.618602240:7fd30d5ef700: file cache size=10 6396.618604409:7fd30d5ef700: create directories: yes 6396.618606657:7fd30d5ef700: file owner -1, group -1 6396.618609004:7fd30d5ef700: directory owner -1, group -1 6396.618611406:7fd30d5ef700: dir create mode 0750, file create mode 0640 6396.618613687:7fd30d5ef700: fail if 
owner/group can not be set: yes 6396.618615934:7fd30d5ef700: Instance data: 0x21b6b30 6396.618618341:7fd30d5ef700: RepeatedMsgReduction: 0 6396.618620581:7fd30d5ef700: Resume Interval: 30 6396.618622738:7fd30d5ef700: State: rdy 6396.618624829:7fd30d5ef700: Exec only when previous is suspended: 0 6396.618627040:7fd30d5ef700: submission mode: fast, but supports partial mark messages 6396.618629255:7fd30d5ef700: 6396.618630997:7fd30d5ef700: 6396.618632830:7fd30d5ef700: 6396.618634957:7fd30d5ef700: rule 0x21b71e0: rsyslog rule: 6396.618636836:7fd30d5ef700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 6396.618642493:7fd30d5ef700: builtin-file: [dynamic] 6396.618647309:7fd30d5ef700: template='DYNIPspooler' 6396.618650942:7fd30d5ef700: use async writer=0 6396.618654725:7fd30d5ef700: flush on TX end=1 6396.618658863:7fd30d5ef700: flush interval=1 6396.618660995:7fd30d5ef700: file cache size=10 6396.618663087:7fd30d5ef700: create directories: yes 6396.618665476:7fd30d5ef700: file owner -1, group -1 6396.618667810:7fd30d5ef700: directory owner -1, group -1 6396.618670209:7fd30d5ef700: dir create mode 0750, file create mode 0640 6396.618672496:7fd30d5ef700: fail if owner/group can not be set: yes 6396.618674757:7fd30d5ef700: Instance data: 0x21b7280 6396.618677159:7fd30d5ef700: RepeatedMsgReduction: 0 6396.618679373:7fd30d5ef700: Resume Interval: 30 6396.618681534:7fd30d5ef700: State: rdy 6396.618683607:7fd30d5ef700: Exec only when previous is suspended: 0 6396.618685822:7fd30d5ef700: submission mode: fast, but supports partial mark messages 6396.618688021:7fd30d5ef700: 6396.618689784:7fd30d5ef700: 6396.618691571:7fd30d5ef700: 6396.618694028:7fd30d5ef700: rule 0x21b7930: rsyslog rule: 6396.618695933:7fd30d5ef700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 6396.618698992:7fd30d5ef700: builtin-file: [dynamic] 6396.618701679:7fd30d5ef700: template='DYNIPboot' 6396.618704002:7fd30d5ef700: use async writer=0 6396.618706187:7fd30d5ef700: 
flush on TX end=1 6396.618708286:7fd30d5ef700: flush interval=1 6396.618710483:7fd30d5ef700: file cache size=10 6396.618719393:7fd30d5ef700: create directories: yes 6396.618721860:7fd30d5ef700: file owner -1, group -1 6396.618724252:7fd30d5ef700: directory owner -1, group -1 6396.618726740:7fd30d5ef700: dir create mode 0750, file create mode 0640 6396.618729043:7fd30d5ef700: fail if owner/group can not be set: yes 6396.618731325:7fd30d5ef700: Instance data: 0x21b79d0 6396.618733746:7fd30d5ef700: RepeatedMsgReduction: 0 6396.618735982:7fd30d5ef700: Resume Interval: 30 6396.618738153:7fd30d5ef700: State: rdy 6396.618740210:7fd30d5ef700: Exec only when previous is suspended: 0 6396.618742425:7fd30d5ef700: submission mode: fast, but supports partial mark messages 6396.618744659:7fd30d5ef700: 6396.618746421:7fd30d5ef700: 6396.618748218:7fd30d5ef700: 6396.618750448:7fd30d5ef700: rule 0x21a4280: rsyslog rule: 6396.618752327:7fd30d5ef700: EXPRESSION-BASED Filter: can currently not be displayed Actions: 6396.618755406:7fd30d5ef700: builtin-file: [dynamic] 6396.618758106:7fd30d5ef700: template='DYNIPtraps' 6396.619381922:7fd30d5ef700: use async writer=0 6396.619385559:7fd30d5ef700: flush on TX end=1 6396.619387961:7fd30d5ef700: flush interval=1 6396.619390242:7fd30d5ef700: file cache size=10 6396.619392394:7fd30d5ef700: create directories: yes 6396.619394735:7fd30d5ef700: file owner -1, group -1 6396.619397111:7fd30d5ef700: directory owner -1, group -1 6396.619399623:7fd30d5ef700: dir create mode 0750, file create mode 0640 6396.619401992:7fd30d5ef700: fail if owner/group can not be set: yes 6396.619404439:7fd30d5ef700: Instance data: 0x21a4320 6396.619406896:7fd30d5ef700: RepeatedMsgReduction: 0 6396.619409144:7fd30d5ef700: Resume Interval: 30 6396.619411362:7fd30d5ef700: State: rdy 6396.619413480:7fd30d5ef700: Exec only when previous is suspended: 0 6396.619415823:7fd30d5ef700: submission mode: fast, but supports partial mark messages 6396.619418026:7fd30d5ef700: 
6396.619419796:7fd30d5ef700: 6396.619421664:7fd30d5ef700: 6396.619423575:7fd30d5ef700: End of Rulesets. 6396.619425411:7fd30d5ef700: 6396.619427647:7fd30d5ef700: Template: Name='RSYSLOG_DebugFormat' 6396.619430633:7fd30d5ef700: Entry(219e2e0): type 1, (CONSTANT), value: 'Debug line with all properties: FROMHOST: '' 6396.619435552:7fd30d5ef700: Entry(219e380): type 2, (FIELD), value: '7' 6396.619439971:7fd30d5ef700: Entry(219e4d0): type 1, (CONSTANT), value: '', fromhost-ip: '' 6396.619444224:7fd30d5ef700: Entry(219e570): type 2, (FIELD), value: '8' 6396.619448424:7fd30d5ef700: Entry(219e6a0): type 1, (CONSTANT), value: '', HOSTNAME: '' 6396.619452661:7fd30d5ef700: Entry(219e740): type 2, (FIELD), value: '3' 6396.619456821:7fd30d5ef700: Entry(219e870): type 1, (CONSTANT), value: '', PRI: ' 6396.619461045:7fd30d5ef700: Entry(219e910): type 2, (FIELD), value: '9' 6396.619465526:7fd30d5ef700: Entry(219ea40): type 1, (CONSTANT), value: ', syslogtag '' 6396.619473870:7fd30d5ef700: Entry(219eae0): type 2, (FIELD), value: '4' 6396.619481185:7fd30d5ef700: Entry(219ec10): type 1, (CONSTANT), value: '', programname: '' 6396.619489578:7fd30d5ef700: Entry(219ecb0): type 2, (FIELD), value: '17' 6396.619493950:7fd30d5ef700: Entry(219ede0): type 1, (CONSTANT), value: '', APP-NAME: '' 6396.619498236:7fd30d5ef700: Entry(219ee80): type 2, (FIELD), value: '20' 6396.619502426:7fd30d5ef700: Entry(219efb0): type 1, (CONSTANT), value: '', PROCID: '' 6396.619506561:7fd30d5ef700: Entry(219f050): type 2, (FIELD), value: '21' 6396.619510811:7fd30d5ef700: Entry(219f180): type 1, (CONSTANT), value: '', MSGID: '' 6396.619514885:7fd30d5ef700: Entry(219f220): type 2, (FIELD), value: '22' 6396.619519099:7fd30d5ef700: Entry(219f350): type 1, (CONSTANT), value: '', TIMESTAMP: '' 6396.619523680:7fd30d5ef700: Entry(219f3f0): type 2, (FIELD), value: '2' 6396.619527863:7fd30d5ef700: Entry(219f520): type 1, (CONSTANT), value: '', STRUCTURED-DATA: '' 6396.619532182:7fd30d5ef700: Entry(219f5c0): type 2, 
(FIELD), value: '19' 6396.619536355:7fd30d5ef700: Entry(219f6f0): type 1, (CONSTANT), value: '', msg: '' 6396.619540879:7fd30d5ef700: Entry(219f790): type 2, (FIELD), value: '1' 6396.619545033:7fd30d5ef700: Entry(219f8c0): type 1, (CONSTANT), value: '' escaped msg: '' 6396.619549740:7fd30d5ef700: Entry(219f960): type 2, (FIELD), value: '1' [drop control-characters] 6396.619555004:7fd30d5ef700: Entry(219fa90): type 1, (CONSTANT), value: '' inputname: ' 6396.619559568:7fd30d5ef700: Entry(219fb30): type 2, (FIELD), value: '6' 6396.619563698:7fd30d5ef700: Entry(219fc60): type 1, (CONSTANT), value: ' rawmsg: '' 6396.619567942:7fd30d5ef700: Entry(219fd00): type 2, (FIELD), value: '5' 6396.619572073:7fd30d5ef700: Entry(219fe30): type 1, (CONSTANT), value: '' ' 6396.619576733:7fd30d5ef700: Template: Name='RSYSLOG_SyslogProtocol23Format' 6396.619579567:7fd30d5ef700: Entry(219ffe0): type 1, (CONSTANT), value: '<' 6396.619583746:7fd30d5ef700: Entry(21a0080): type 2, (FIELD), value: '9' 6396.619587938:7fd30d5ef700: Entry(21a01b0): type 1, (CONSTANT), value: '>1 ' 6396.619592121:7fd30d5ef700: Entry(21a0250): type 2, (FIELD), value: '2' [Format as RFC3339-Date] 6396.619597564:7fd30d5ef700: Entry(21a0380): type 1, (CONSTANT), value: ' ' 6396.619601755:7fd30d5ef700: Entry(21a0420): type 2, (FIELD), value: '3' 6396.619606001:7fd30d5ef700: Entry(21a0550): type 1, (CONSTANT), value: ' ' 6396.619610165:7fd30d5ef700: Entry(21a05f0): type 2, (FIELD), value: '20' 6396.619614366:7fd30d5ef700: Entry(21a0720): type 1, (CONSTANT), value: ' ' 6396.619618457:7fd30d5ef700: Entry(21a07c0): type 2, (FIELD), value: '21' 6396.619622643:7fd30d5ef700: Entry(21a08f0): type 1, (CONSTANT), value: ' ' 6396.619626715:7fd30d5ef700: Entry(21a0990): type 2, (FIELD), value: '22' 6396.619630896:7fd30d5ef700: Entry(21a0ac0): type 1, (CONSTANT), value: ' ' 6396.619634973:7fd30d5ef700: Entry(21a0b60): type 2, (FIELD), value: '19' 6396.619639122:7fd30d5ef700: Entry(21a0c90): type 1, (CONSTANT), value: ' ' 
6396.619643277:7fd30d5ef700: Entry(21a0d30): type 2, (FIELD), value: '1' 6396.619647358:7fd30d5ef700: Entry(21a0e60): type 1, (CONSTANT), value: ' ' 6396.619651787:7fd30d5ef700: Template: Name='RSYSLOG_FileFormat' 6396.619654517:7fd30d5ef700: Template: Name='RSYSLOG_TraditionalFileFormat' 6396.619657195:7fd30d5ef700: Template: Name=' WallFmt' 6396.619659987:7fd30d5ef700: Entry(21a10d0): type 1, (CONSTANT), value: ' Message from syslogd@' 6396.619664778:7fd30d5ef700: Entry(21a1170): type 2, (FIELD), value: '3' 6396.619669019:7fd30d5ef700: Entry(21a12c0): type 1, (CONSTANT), value: ' at ' 6396.619673253:7fd30d5ef700: Entry(21a1360): type 2, (FIELD), value: '16' 6396.619677428:7fd30d5ef700: Entry(21a1490): type 1, (CONSTANT), value: ' ... ' 6396.619681884:7fd30d5ef700: Entry(21a1530): type 2, (FIELD), value: '4' 6396.619686053:7fd30d5ef700: Entry(21a15d0): type 2, (FIELD), value: '1' 6396.619691729:7fd30d5ef700: Entry(21a1700): type 1, (CONSTANT), value: ' ' 6396.619700986:7fd30d5ef700: Template: Name='RSYSLOG_ForwardFormat' 6396.619705779:7fd30d5ef700: Template: Name='RSYSLOG_TraditionalForwardFormat' 6396.619710612:7fd30d5ef700: Template: Name=' StdUsrMsgFmt' 6396.619713379:7fd30d5ef700: Entry(21a1970): type 1, (CONSTANT), value: ' ' 6396.619717725:7fd30d5ef700: Entry(21a1a10): type 2, (FIELD), value: '4' 6396.619721952:7fd30d5ef700: Entry(21a1b60): type 2, (FIELD), value: '1' 6396.619726145:7fd30d5ef700: Entry(21a1c00): type 1, (CONSTANT), value: ' ' 6396.619730660:7fd30d5ef700: Template: Name=' StdDBFmt' [SQL-Format (MySQL)] 6396.619734409:7fd30d5ef700: Entry(21a1e80): type 1, (CONSTANT), value: 'insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('' 6396.619739151:7fd30d5ef700: Entry(21a1f20): type 2, (FIELD), value: '1' 6396.619743247:7fd30d5ef700: Entry(21a2070): type 1, (CONSTANT), value: '', ' 6396.619747294:7fd30d5ef700: Entry(21a2110): type 2, (FIELD), value: '12' 
6396.619760946:7fd30d5ef700: Entry(21a2240): type 1, (CONSTANT), value: ', '' 6396.619765921:7fd30d5ef700: Entry(21a22e0): type 2, (FIELD), value: '3' 6396.619770298:7fd30d5ef700: Entry(21a2410): type 1, (CONSTANT), value: '', ' 6396.619774343:7fd30d5ef700: Entry(21a24b0): type 2, (FIELD), value: '14' 6396.619778551:7fd30d5ef700: Entry(21a25e0): type 1, (CONSTANT), value: ', '' 6396.620377760:7fd30d5ef700: Entry(21a2680): type 2, (FIELD), value: '2' [Format as MySQL-Date] 6396.620390282:7fd30d5ef700: Entry(21a27b0): type 1, (CONSTANT), value: '', '' 6396.620394557:7fd30d5ef700: Entry(21a2850): type 2, (FIELD), value: '16' [Format as MySQL-Date] 6396.620399981:7fd30d5ef700: Entry(21a2980): type 1, (CONSTANT), value: '', ' 6396.620404092:7fd30d5ef700: Entry(21a2a20): type 2, (FIELD), value: '11' 6396.620408477:7fd30d5ef700: Entry(21a2b50): type 1, (CONSTANT), value: ', '' 6396.620412625:7fd30d5ef700: Entry(21a2bf0): type 2, (FIELD), value: '4' 6396.620416827:7fd30d5ef700: Entry(21a2d20): type 1, (CONSTANT), value: '')' 6396.620421076:7fd30d5ef700: Template: Name=' StdPgSQLFmt' [SQL-Format (standard SQL)] 6396.620424885:7fd30d5ef700: Entry(21a2fa0): type 1, (CONSTANT), value: 'insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('' 6396.620429777:7fd30d5ef700: Entry(21a3040): type 2, (FIELD), value: '1' 6396.620434065:7fd30d5ef700: Entry(21a3190): type 1, (CONSTANT), value: '', ' 6396.620438327:7fd30d5ef700: Entry(21a3230): type 2, (FIELD), value: '12' 6396.620445603:7fd30d5ef700: Entry(21a3360): type 1, (CONSTANT), value: ', '' 6396.620452078:7fd30d5ef700: Entry(21a3400): type 2, (FIELD), value: '3' 6396.620458793:7fd30d5ef700: Entry(21a3530): type 1, (CONSTANT), value: '', ' 6396.620465120:7fd30d5ef700: Entry(21a35d0): type 2, (FIELD), value: '14' 6396.620472245:7fd30d5ef700: Entry(21a3700): type 1, (CONSTANT), value: ', '' 6396.620476387:7fd30d5ef700: Entry(21a37a0): type 2, (FIELD), value: 
'2' [Format as PgSQL-Date] 6396.620481764:7fd30d5ef700: Entry(21a38d0): type 1, (CONSTANT), value: '', '' 6396.620492322:7fd30d5ef700: Entry(21a3970): type 2, (FIELD), value: '16' [Format as PgSQL-Date] 6396.620497738:7fd30d5ef700: Entry(21a3aa0): type 1, (CONSTANT), value: '', ' 6396.620501925:7fd30d5ef700: Entry(21a3b40): type 2, (FIELD), value: '11' 6396.620506342:7fd30d5ef700: Entry(21a3c70): type 1, (CONSTANT), value: ', '' 6396.620510537:7fd30d5ef700: Entry(21a3d10): type 2, (FIELD), value: '4' 6396.620514789:7fd30d5ef700: Entry(21a3e40): type 1, (CONSTANT), value: '')' 6396.620519128:7fd30d5ef700: Template: Name='RSYSLOG_omudpspoofDfltSourceTpl' 6396.620521987:7fd30d5ef700: Entry(21a3f60): type 2, (FIELD), value: '8' 6396.620526244:7fd30d5ef700: Template: Name='DYNmessages' 6396.620529004:7fd30d5ef700: Entry(21a9dc0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620533528:7fd30d5ef700: Entry(21a9e60): type 2, (FIELD), value: '7' 6396.620537680:7fd30d5ef700: Entry(21a9fb0): type 1, (CONSTANT), value: '/' 6396.620541949:7fd30d5ef700: Entry(21aa050): type 2, (FIELD), value: '7' 6396.620546269:7fd30d5ef700: Entry(21aa180): type 1, (CONSTANT), value: '_' 6396.620550502:7fd30d5ef700: Entry(21aa220): type 2, (FIELD), value: '151' 6396.620554856:7fd30d5ef700: Entry(21aa350): type 1, (CONSTANT), value: '.' 
6396.620559123:7fd30d5ef700: Entry(21aa3f0): type 2, (FIELD), value: '152' 6396.620563428:7fd30d5ef700: Entry(21aa520): type 1, (CONSTANT), value: '_messages' 6396.620567647:7fd30d5ef700: Template: Name='DYNsecure' 6396.620570393:7fd30d5ef700: Entry(21aa710): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620574803:7fd30d5ef700: Entry(21aa7b0): type 2, (FIELD), value: '7' 6396.620579148:7fd30d5ef700: Entry(21aa900): type 1, (CONSTANT), value: '/' 6396.620583341:7fd30d5ef700: Entry(21aa9a0): type 2, (FIELD), value: '7' 6396.620587576:7fd30d5ef700: Entry(21aaad0): type 1, (CONSTANT), value: '_' 6396.620591811:7fd30d5ef700: Entry(21aab70): type 2, (FIELD), value: '151' 6396.620596103:7fd30d5ef700: Entry(21aaca0): type 1, (CONSTANT), value: '.' 6396.620600309:7fd30d5ef700: Entry(21aad40): type 2, (FIELD), value: '152' 6396.620604601:7fd30d5ef700: Entry(21aae70): type 1, (CONSTANT), value: '_secure' 6396.620608779:7fd30d5ef700: Template: Name='DYNmaillog' 6396.620611657:7fd30d5ef700: Entry(21ab060): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620616094:7fd30d5ef700: Entry(21ab100): type 2, (FIELD), value: '7' 6396.620620365:7fd30d5ef700: Entry(21ab250): type 1, (CONSTANT), value: '/' 6396.620624543:7fd30d5ef700: Entry(21ab2f0): type 2, (FIELD), value: '7' 6396.620628825:7fd30d5ef700: Entry(21ab420): type 1, (CONSTANT), value: '_' 6396.620633031:7fd30d5ef700: Entry(21ab4c0): type 2, (FIELD), value: '151' 6396.620637289:7fd30d5ef700: Entry(21ab5f0): type 1, (CONSTANT), value: '.' 
6396.620641500:7fd30d5ef700: Entry(21ab690): type 2, (FIELD), value: '152' 6396.620645819:7fd30d5ef700: Entry(21ab7c0): type 1, (CONSTANT), value: '_maillog' 6396.620652770:7fd30d5ef700: Template: Name='DYNcron' 6396.620657476:7fd30d5ef700: Entry(21ab9b0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620664863:7fd30d5ef700: Entry(21aba50): type 2, (FIELD), value: '7' 6396.620672179:7fd30d5ef700: Entry(21abba0): type 1, (CONSTANT), value: '/' 6396.620676514:7fd30d5ef700: Entry(21abc40): type 2, (FIELD), value: '7' 6396.620680721:7fd30d5ef700: Entry(21abd70): type 1, (CONSTANT), value: '_' 6396.620684868:7fd30d5ef700: Entry(21abe10): type 2, (FIELD), value: '151' 6396.620689098:7fd30d5ef700: Entry(21abf40): type 1, (CONSTANT), value: '.' 6396.620693198:7fd30d5ef700: Entry(21abfe0): type 2, (FIELD), value: '152' 6396.620697484:7fd30d5ef700: Entry(21ac110): type 1, (CONSTANT), value: '_cron' 6396.620701569:7fd30d5ef700: Template: Name='DYNspooler' 6396.620704303:7fd30d5ef700: Entry(21ac300): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620708743:7fd30d5ef700: Entry(21ac3a0): type 2, (FIELD), value: '7' 6396.620713023:7fd30d5ef700: Entry(21ac4f0): type 1, (CONSTANT), value: '/' 6396.620717123:7fd30d5ef700: Entry(21ac590): type 2, (FIELD), value: '7' 6396.620721268:7fd30d5ef700: Entry(21ac6c0): type 1, (CONSTANT), value: '_' 6396.620725423:7fd30d5ef700: Entry(21ac760): type 2, (FIELD), value: '151' 6396.620729593:7fd30d5ef700: Entry(21ac890): type 1, (CONSTANT), value: '.' 
6396.620733698:7fd30d5ef700: Entry(21ac930): type 2, (FIELD), value: '152' 6396.620737936:7fd30d5ef700: Entry(21aca60): type 1, (CONSTANT), value: '_spooler' 6396.620742031:7fd30d5ef700: Template: Name='DYNboot' 6396.620744791:7fd30d5ef700: Entry(21acc50): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.620749226:7fd30d5ef700: Entry(21accf0): type 2, (FIELD), value: '7' 6396.620753393:7fd30d5ef700: Entry(21ace40): type 1, (CONSTANT), value: '/' 6396.620757499:7fd30d5ef700: Entry(21acee0): type 2, (FIELD), value: '7' 6396.620761745:7fd30d5ef700: Entry(21ad010): type 1, (CONSTANT), value: '_' 6396.620765876:7fd30d5ef700: Entry(21ad0b0): type 2, (FIELD), value: '151' 6396.620770086:7fd30d5ef700: Entry(21ad1e0): type 1, (CONSTANT), value: '.' 6396.620774214:7fd30d5ef700: Entry(21ad280): type 2, (FIELD), value: '152' 6396.620778414:7fd30d5ef700: Entry(21ad3b0): type 1, (CONSTANT), value: '_boot.log' 6396.620792397:7fd30d5ef700: Template: Name='DYNtraps' 6396.621365745:7fd30d5ef700: Entry(21ad5a0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621371462:7fd30d5ef700: Entry(21ad640): type 2, (FIELD), value: '7' 6396.621375993:7fd30d5ef700: Entry(21ad790): type 1, (CONSTANT), value: '/' 6396.621380386:7fd30d5ef700: Entry(21ad830): type 2, (FIELD), value: '7' 6396.621384663:7fd30d5ef700: Entry(21ad960): type 1, (CONSTANT), value: '_' 6396.621388941:7fd30d5ef700: Entry(21ada00): type 2, (FIELD), value: '151' 6396.621399921:7fd30d5ef700: Entry(21adb30): type 1, (CONSTANT), value: '.' 
6396.621404236:7fd30d5ef700: Entry(21adbd0): type 2, (FIELD), value: '152' 6396.621408500:7fd30d5ef700: Entry(21add00): type 1, (CONSTANT), value: '_traps' 6396.621412797:7fd30d5ef700: Template: Name='DYNIPmessages' 6396.621415462:7fd30d5ef700: Entry(21adf00): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621419911:7fd30d5ef700: Entry(21adfa0): type 2, (FIELD), value: '8' 6396.621427286:7fd30d5ef700: Entry(21ae0f0): type 1, (CONSTANT), value: '/' 6396.621434085:7fd30d5ef700: Entry(21ae190): type 2, (FIELD), value: '8' 6396.621441395:7fd30d5ef700: Entry(21ae2c0): type 1, (CONSTANT), value: '_' 6396.621448569:7fd30d5ef700: Entry(21ae360): type 2, (FIELD), value: '151' 6396.621455126:7fd30d5ef700: Entry(21ae490): type 1, (CONSTANT), value: '.' 6396.621459311:7fd30d5ef700: Entry(21ae530): type 2, (FIELD), value: '152' 6396.621463733:7fd30d5ef700: Entry(21ae660): type 1, (CONSTANT), value: '_messages' 6396.621467938:7fd30d5ef700: Template: Name='DYNIPsecure' 6396.621470764:7fd30d5ef700: Entry(21ae850): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621475099:7fd30d5ef700: Entry(21ae8f0): type 2, (FIELD), value: '8' 6396.621479295:7fd30d5ef700: Entry(21aea40): type 1, (CONSTANT), value: '/' 6396.621483412:7fd30d5ef700: Entry(21aeae0): type 2, (FIELD), value: '8' 6396.621487637:7fd30d5ef700: Entry(21aec10): type 1, (CONSTANT), value: '_' 6396.621491862:7fd30d5ef700: Entry(21aecb0): type 2, (FIELD), value: '151' 6396.621496049:7fd30d5ef700: Entry(21aede0): type 1, (CONSTANT), value: '.' 
6396.621500289:7fd30d5ef700: Entry(21aee80): type 2, (FIELD), value: '152' 6396.621504469:7fd30d5ef700: Entry(21aefb0): type 1, (CONSTANT), value: '_secure' 6396.621508656:7fd30d5ef700: Template: Name='DYNIPmaillog' 6396.621511363:7fd30d5ef700: Entry(21af1a0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621515775:7fd30d5ef700: Entry(21af240): type 2, (FIELD), value: '8' 6396.621520014:7fd30d5ef700: Entry(21af390): type 1, (CONSTANT), value: '/' 6396.621524192:7fd30d5ef700: Entry(21af430): type 2, (FIELD), value: '8' 6396.621528463:7fd30d5ef700: Entry(21af560): type 1, (CONSTANT), value: '_' 6396.621532688:7fd30d5ef700: Entry(21af600): type 2, (FIELD), value: '151' 6396.621536912:7fd30d5ef700: Entry(21af730): type 1, (CONSTANT), value: '.' 6396.621544269:7fd30d5ef700: Entry(21af7d0): type 2, (FIELD), value: '152' 6396.621551178:7fd30d5ef700: Entry(21af900): type 1, (CONSTANT), value: '_maillog' 6396.621558472:7fd30d5ef700: Template: Name='DYNIPcron' 6396.621561385:7fd30d5ef700: Entry(21afaf0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621565879:7fd30d5ef700: Entry(21afb90): type 2, (FIELD), value: '8' 6396.621570140:7fd30d5ef700: Entry(21afce0): type 1, (CONSTANT), value: '/' 6396.621574391:7fd30d5ef700: Entry(21afd80): type 2, (FIELD), value: '8' 6396.621578562:7fd30d5ef700: Entry(21afeb0): type 1, (CONSTANT), value: '_' 6396.621582823:7fd30d5ef700: Entry(21aff50): type 2, (FIELD), value: '151' 6396.621587052:7fd30d5ef700: Entry(21b0080): type 1, (CONSTANT), value: '.' 
6396.621591301:7fd30d5ef700: Entry(21b0120): type 2, (FIELD), value: '152' 6396.621595596:7fd30d5ef700: Entry(21b0250): type 1, (CONSTANT), value: '_cron' 6396.621599726:7fd30d5ef700: Template: Name='DYNIPspooler' 6396.621602448:7fd30d5ef700: Entry(21b0440): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621606927:7fd30d5ef700: Entry(21b04e0): type 2, (FIELD), value: '8' 6396.621611158:7fd30d5ef700: Entry(21b0630): type 1, (CONSTANT), value: '/' 6396.621615327:7fd30d5ef700: Entry(21b06d0): type 2, (FIELD), value: '8' 6396.621619531:7fd30d5ef700: Entry(21b0800): type 1, (CONSTANT), value: '_' 6396.621623756:7fd30d5ef700: Entry(21b08a0): type 2, (FIELD), value: '151' 6396.621627930:7fd30d5ef700: Entry(21b09d0): type 1, (CONSTANT), value: '.' 6396.621632191:7fd30d5ef700: Entry(21b0a70): type 2, (FIELD), value: '152' 6396.621636355:7fd30d5ef700: Entry(21b0ba0): type 1, (CONSTANT), value: '_spooler' 6396.621640532:7fd30d5ef700: Template: Name='DYNIPboot' 6396.621643228:7fd30d5ef700: Entry(21b0d90): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621647606:7fd30d5ef700: Entry(21b0e30): type 2, (FIELD), value: '8' 6396.621651790:7fd30d5ef700: Entry(21b0f80): type 1, (CONSTANT), value: '/' 6396.621655997:7fd30d5ef700: Entry(21b1020): type 2, (FIELD), value: '8' 6396.621660217:7fd30d5ef700: Entry(21b1150): type 1, (CONSTANT), value: '_' 6396.621664477:7fd30d5ef700: Entry(21b11f0): type 2, (FIELD), value: '151' 6396.621668797:7fd30d5ef700: Entry(21b1320): type 1, (CONSTANT), value: '.' 
6396.621673059:7fd30d5ef700: Entry(21b13c0): type 2, (FIELD), value: '152' 6396.621677263:7fd30d5ef700: Entry(21b14f0): type 1, (CONSTANT), value: '_boot.log' 6396.621681529:7fd30d5ef700: Template: Name='DYNIPtraps' 6396.621684225:7fd30d5ef700: Entry(21b16e0): type 1, (CONSTANT), value: '/renesas/ou_rme/sp/syslog/' 6396.621688596:7fd30d5ef700: Entry(21b1780): type 2, (FIELD), value: '8' 6396.621692818:7fd30d5ef700: Entry(21b18d0): type 1, (CONSTANT), value: '/' 6396.621696933:7fd30d5ef700: Entry(21b1970): type 2, (FIELD), value: '8' 6396.621701111:7fd30d5ef700: Entry(21b1aa0): type 1, (CONSTANT), value: '_' 6396.621705360:7fd30d5ef700: Entry(21b1b40): type 2, (FIELD), value: '151' 6396.621709540:7fd30d5ef700: Entry(21b1c70): type 1, (CONSTANT), value: '.' 6396.621713764:7fd30d5ef700: Entry(21b1d10): type 2, (FIELD), value: '152' 6396.621717997:7fd30d5ef700: Entry(21b1e40): type 1, (CONSTANT), value: '_traps' 6396.621722972:7fd30d5ef700: Loaded Module: Name='lmnet', IFVersion=6, type=library module. 6396.621728078:7fd30d5ef700: Entry points: 6396.621729969:7fd30d5ef700: queryEtryPt: 0x7fd30d3ea790 6396.621732259:7fd30d5ef700: dbgPrintInstInfo: 0x0 6396.621734458:7fd30d5ef700: freeInstance: 0x0 6396.621736635:7fd30d5ef700: beginCnfLoad: 0x0 6396.621738813:7fd30d5ef700: checkCnf: 0x0 6396.621741004:7fd30d5ef700: activateCnfPrePrivDrop: 0x0 6396.621743231:7fd30d5ef700: activateCnf: 0x0 6396.621745355:7fd30d5ef700: freeCnf: 0x0 6396.621747461:7fd30d5ef700: 6396.621749491:7fd30d5ef700: Loaded Module: Name='builtin-file', IFVersion=6, type=output module. 
6396.627360454:7fd30d5ef700: 6396.627362329:7fd30d5ef700: Command 'privdroptouser': 6396.627364446:7fd30d5ef700: type : 2 6396.627366820:7fd30d5ef700: pData: 0x2199180 6396.627369241:7fd30d5ef700: Hdlr : 0x0 6396.627371592:7fd30d5ef700: Owner: 0x0 6396.627373859:7fd30d5ef700: 6396.627375627:7fd30d5ef700: Command 'privdroptouserid': 6396.627377822:7fd30d5ef700: type : 6 6396.627380202:7fd30d5ef700: pData: 0x2199180 6396.627382636:7fd30d5ef700: Hdlr : 0x0 6396.627384992:7fd30d5ef700: Owner: 0x0 6396.627387268:7fd30d5ef700: 6396.627389050:7fd30d5ef700: Command 'privdroptogroup': 6396.627391174:7fd30d5ef700: type : 3 6396.627393571:7fd30d5ef700: pData: 0x2199184 6396.627395972:7fd30d5ef700: Hdlr : 0x0 6396.627398326:7fd30d5ef700: Owner: 0x0 6396.627400601:7fd30d5ef700: 6396.627402378:7fd30d5ef700: Command 'privdroptogroupid': 6396.627404537:7fd30d5ef700: type : 3 6396.627406957:7fd30d5ef700: pData: 0x2199184 6396.627409358:7fd30d5ef700: Hdlr : 0x0 6396.627411708:7fd30d5ef700: Owner: 0x0 6396.627413988:7fd30d5ef700: 6396.627415765:7fd30d5ef700: Command 'generateconfiggraph': 6396.627418002:7fd30d5ef700: type : 11 6396.627420390:7fd30d5ef700: pData: 0x2199190 6396.627422789:7fd30d5ef700: Hdlr : 0x0 6396.627425132:7fd30d5ef700: Owner: 0x0 6396.627427413:7fd30d5ef700: 6396.627429183:7fd30d5ef700: Command 'umask': 6396.627431320:7fd30d5ef700: type : 5 6396.627433697:7fd30d5ef700: pData: 0x2199188 6396.627436095:7fd30d5ef700: Hdlr : 0x0 6396.627438450:7fd30d5ef700: Owner: 0x0 6396.627440728:7fd30d5ef700: 6396.627442521:7fd30d5ef700: Command 'maxopenfiles': 6396.627444705:7fd30d5ef700: type : 6 6396.627447080:7fd30d5ef700: pData: 0x0 6396.627449488:7fd30d5ef700: Hdlr : 0x41fff0 6396.627451923:7fd30d5ef700: Owner: 0x0 6396.627454202:7fd30d5ef700: 6396.627455992:7fd30d5ef700: Command 'actionresumeinterval': 6396.627458189:7fd30d5ef700: type : 6 6396.627460550:7fd30d5ef700: pData: 0x0 6396.627462942:7fd30d5ef700: Hdlr : 0x41ffe0 6396.627466493:7fd30d5ef700: Owner: 0x0 
6396.627470497:7fd30d5ef700: 6396.627473753:7fd30d5ef700: Command 'modload': 6396.627477582:7fd30d5ef700: type : 1 6396.627481131:7fd30d5ef700: pData: 0x0 6396.627485221:7fd30d5ef700: Hdlr : 0x41f810 6396.627489558:7fd30d5ef700: Owner: 0x0 6396.627491790:7fd30d5ef700: 6396.627493691:7fd30d5ef700: Command 'defaultruleset': 6396.627495787:7fd30d5ef700: type : 11 6396.627498134:7fd30d5ef700: pData: 0x0 6396.627500487:7fd30d5ef700: Hdlr : 0x41fe20 6396.627502910:7fd30d5ef700: Owner: 0x0 6396.627505206:7fd30d5ef700: 6396.627506951:7fd30d5ef700: Command 'ruleset': 6396.627509046:7fd30d5ef700: type : 11 6396.627511399:7fd30d5ef700: pData: 0x0 6396.627513761:7fd30d5ef700: Hdlr : 0x41fd60 6396.627516204:7fd30d5ef700: Owner: 0x0 6396.627518462:7fd30d5ef700: 6396.627520202:7fd30d5ef700: Command 'template': 6396.627522287:7fd30d5ef700: type : 1 6396.627524690:7fd30d5ef700: pData: 0x0 6396.627527132:7fd30d5ef700: Hdlr : 0x41f6d0 6396.627529519:7fd30d5ef700: Owner: 0x0 6396.627531770:7fd30d5ef700: 6396.627533621:7fd30d5ef700: Command 'outchannel': 6396.627535884:7fd30d5ef700: type : 1 6396.627538212:7fd30d5ef700: pData: 0x1 6396.627540567:7fd30d5ef700: Hdlr : 0x41f6d0 6396.627542978:7fd30d5ef700: Owner: 0x0 6396.627545228:7fd30d5ef700: 6396.627547069:7fd30d5ef700: Command 'allowedsender': 6396.627549280:7fd30d5ef700: type : 1 6396.627551606:7fd30d5ef700: pData: 0x2 6396.627553981:7fd30d5ef700: Hdlr : 0x41f6d0 6396.627556369:7fd30d5ef700: Owner: 0x0 6396.627558631:7fd30d5ef700: 6396.627560494:7fd30d5ef700: Command 'mainmsgqueuefilename': 6396.627562800:7fd30d5ef700: type : 11 6396.627565204:7fd30d5ef700: pData: 0x21991c0 6396.627567578:7fd30d5ef700: Hdlr : 0x0 6396.627569891:7fd30d5ef700: Owner: 0x0 6396.627572138:7fd30d5ef700: 6396.627574013:7fd30d5ef700: Command 'mainmsgqueuesize': 6396.627576199:7fd30d5ef700: type : 6 6396.627578597:7fd30d5ef700: pData: 0x21991a0 6396.627580968:7fd30d5ef700: Hdlr : 0x0 6396.627583274:7fd30d5ef700: Owner: 0x0 6396.627585521:7fd30d5ef700: 
6396.627587528:7fd30d5ef700: Command 'mainmsgqueuehighwatermark': 6396.627589802:7fd30d5ef700: type : 6 6396.627592196:7fd30d5ef700: pData: 0x21991a4 6396.627594561:7fd30d5ef700: Hdlr : 0x0 6396.627596934:7fd30d5ef700: Owner: 0x0 6396.627599150:7fd30d5ef700: 6396.627600976:7fd30d5ef700: Command 'mainmsgqueuelowwatermark': 6396.627603260:7fd30d5ef700: type : 6 6396.627605625:7fd30d5ef700: pData: 0x21991a8 6396.627607980:7fd30d5ef700: Hdlr : 0x0 6396.627610299:7fd30d5ef700: Owner: 0x0 6396.627612520:7fd30d5ef700: 6396.627614416:7fd30d5ef700: Command 'mainmsgqueuediscardmark': 6396.627616633:7fd30d5ef700: type : 6 6396.627618988:7fd30d5ef700: pData: 0x21991ac 6396.627621368:7fd30d5ef700: Hdlr : 0x0 6396.627623683:7fd30d5ef700: Owner: 0x0 6396.627625917:7fd30d5ef700: 6396.627627884:7fd30d5ef700: Command 'mainmsgqueuediscardseverity': 6396.627630164:7fd30d5ef700: type : 10 6396.627632502:7fd30d5ef700: pData: 0x21991b0 6396.627634849:7fd30d5ef700: Hdlr : 0x0 6396.627637171:7fd30d5ef700: Owner: 0x0 6396.627639427:7fd30d5ef700: 6396.627641218:7fd30d5ef700: Command 'mainmsgqueuecheckpointinterval': 6396.627643346:7fd30d5ef700: type : 6 6396.627645680:7fd30d5ef700: pData: 0x21991d0 6396.627648021:7fd30d5ef700: Hdlr : 0x0 6396.627650361:7fd30d5ef700: Owner: 0x0 6396.627652586:7fd30d5ef700: 6396.627654327:7fd30d5ef700: Command 'mainmsgqueuesyncqueuefiles': 6396.627656498:7fd30d5ef700: type : 4 6396.627658833:7fd30d5ef700: pData: 0x21991d4 6396.627661208:7fd30d5ef700: Hdlr : 0x0 6396.627663532:7fd30d5ef700: Owner: 0x0 6396.627665762:7fd30d5ef700: 6396.627667517:7fd30d5ef700: Command 'mainmsgqueuetype': 6396.627669629:7fd30d5ef700: type : 11 6396.627671945:7fd30d5ef700: pData: 0x0 6396.628222614:7fd30d5ef700: Hdlr : 0x41fe60 6396.628226933:7fd30d5ef700: Owner: 0x0 6396.628229210:7fd30d5ef700: 6396.628231228:7fd30d5ef700: Command 'mainmsgqueueworkerthreads': 6396.628233497:7fd30d5ef700: type : 6 6396.628235932:7fd30d5ef700: pData: 0x21991b4 6396.628238304:7fd30d5ef700: Hdlr : 0x0 
6396.628240649:7fd30d5ef700: Owner: 0x0 6396.628242894:7fd30d5ef700: 6396.628244667:7fd30d5ef700: Command 'mainmsgqueuetimeoutshutdown': 6396.628246944:7fd30d5ef700: type : 6 6396.628249319:7fd30d5ef700: pData: 0x21991d8 6396.628251641:7fd30d5ef700: Hdlr : 0x0 6396.628253977:7fd30d5ef700: Owner: 0x0 6396.628256205:7fd30d5ef700: 6396.628258253:7fd30d5ef700: Command 'mainmsgqueuetimeoutactioncompletion': 6396.628260569:7fd30d5ef700: type : 6 6396.628262937:7fd30d5ef700: pData: 0x21991dc 6396.628265283:7fd30d5ef700: Hdlr : 0x0 6396.628267612:7fd30d5ef700: Owner: 0x0 6396.628269852:7fd30d5ef700: 6396.628271700:7fd30d5ef700: Command 'mainmsgqueuetimeoutenqueue': 6396.628273979:7fd30d5ef700: type : 6 6396.628276326:7fd30d5ef700: pData: 0x21991e0 6396.628278674:7fd30d5ef700: Hdlr : 0x0 6396.628280999:7fd30d5ef700: Owner: 0x0 6396.628283285:7fd30d5ef700: 6396.628285070:7fd30d5ef700: Command 'mainmsgqueueworkertimeoutthreadshutdown': 6396.628287251:7fd30d5ef700: type : 6 6396.628289612:7fd30d5ef700: pData: 0x21991e4 6396.628291960:7fd30d5ef700: Hdlr : 0x0 6396.628294307:7fd30d5ef700: Owner: 0x0 6396.628296542:7fd30d5ef700: 6396.628298292:7fd30d5ef700: Command 'mainmsgqueuedequeueslowdown': 6396.628300490:7fd30d5ef700: type : 6 6396.628302834:7fd30d5ef700: pData: 0x21991ec 6396.628305229:7fd30d5ef700: Hdlr : 0x0 6396.628307548:7fd30d5ef700: Owner: 0x0 6396.628309776:7fd30d5ef700: 6396.628311537:7fd30d5ef700: Command 'mainmsgqueueworkerthreadminimummessages': 6396.628313704:7fd30d5ef700: type : 6 6396.628316085:7fd30d5ef700: pData: 0x21991e8 6396.628318427:7fd30d5ef700: Hdlr : 0x0 6396.628320753:7fd30d5ef700: Owner: 0x0 6396.628322989:7fd30d5ef700: 6396.628324756:7fd30d5ef700: Command 'mainmsgqueuemaxfilesize': 6396.628326907:7fd30d5ef700: type : 7 6396.628329258:7fd30d5ef700: pData: 0x21991c8 6396.628331604:7fd30d5ef700: Hdlr : 0x0 6396.628333916:7fd30d5ef700: Owner: 0x0 6396.628336150:7fd30d5ef700: 6396.628337912:7fd30d5ef700: Command 'mainmsgqueuedequeuebatchsize': 
6396.628340133:7fd30d5ef700: type : 7 6396.628342479:7fd30d5ef700: pData: 0x21991f8 6396.628344824:7fd30d5ef700: Hdlr : 0x0 6396.628347148:7fd30d5ef700: Owner: 0x0 6396.628349383:7fd30d5ef700: 6396.628351154:7fd30d5ef700: Command 'mainmsgqueuemaxdiskspace': 6396.628353278:7fd30d5ef700: type : 7 6396.628355625:7fd30d5ef700: pData: 0x21991f0 6396.628357965:7fd30d5ef700: Hdlr : 0x0 6396.628360280:7fd30d5ef700: Owner: 0x0 6396.628362538:7fd30d5ef700: 6396.628364293:7fd30d5ef700: Command 'mainmsgqueuesaveonshutdown': 6396.628366483:7fd30d5ef700: type : 4 6396.628368832:7fd30d5ef700: pData: 0x2199200 6396.628371174:7fd30d5ef700: Hdlr : 0x0 6396.628373517:7fd30d5ef700: Owner: 0x0 6396.628375753:7fd30d5ef700: 6396.628377509:7fd30d5ef700: Command 'mainmsgqueuedequeuetimebegin': 6396.628379700:7fd30d5ef700: type : 6 6396.628382047:7fd30d5ef700: pData: 0x2199204 6396.628384417:7fd30d5ef700: Hdlr : 0x0 6396.628386741:7fd30d5ef700: Owner: 0x0 6396.628388973:7fd30d5ef700: 6396.628390853:7fd30d5ef700: Command 'mainmsgqueuedequeuetimeend': 6396.628393124:7fd30d5ef700: type : 6 6396.628395488:7fd30d5ef700: pData: 0x2199208 6396.628397831:7fd30d5ef700: Hdlr : 0x0 6396.628400157:7fd30d5ef700: Owner: 0x0 6396.628402392:7fd30d5ef700: 6396.628404197:7fd30d5ef700: Command 'moddir': 6396.628411638:7fd30d5ef700: type : 11 6396.628414780:7fd30d5ef700: pData: 0x0 6396.628417190:7fd30d5ef700: Hdlr : 0x41fd20 6396.628419597:7fd30d5ef700: Owner: 0x0 6396.628421859:7fd30d5ef700: 6396.628423799:7fd30d5ef700: Command 'inputudpserverbindruleset': 6396.628426152:7fd30d5ef700: type : 11 6396.628428485:7fd30d5ef700: pData: 0x7fd30d3e8770 6396.628430944:7fd30d5ef700: Hdlr : 0x0 6396.628433318:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 6396.628435668:7fd30d5ef700: 6396.628437567:7fd30d5ef700: Command 'udpserverrun': 6396.628439855:7fd30d5ef700: type : 11 6396.628442162:7fd30d5ef700: pData: 0x0 6396.628444520:7fd30d5ef700: Hdlr : 0x7fd30d1e6cb0 6396.628446918:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 
6396.628449274:7fd30d5ef700: 6396.628451187:7fd30d5ef700: Command 'udpserveraddress': 6396.628453402:7fd30d5ef700: type : 11 6396.628455724:7fd30d5ef700: pData: 0x7fd30d3e8760 6396.628458146:7fd30d5ef700: Hdlr : 0x0 6396.628460478:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 6396.628462853:7fd30d5ef700: 6396.628464796:7fd30d5ef700: Command 'imudpschedulingpolicy': 6396.628467077:7fd30d5ef700: type : 11 6396.628469409:7fd30d5ef700: pData: 0x7fd30d3e8768 6396.628471847:7fd30d5ef700: Hdlr : 0x0 6396.628474202:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 6396.628476546:7fd30d5ef700: 6396.628478454:7fd30d5ef700: Command 'imudpschedulingpriority': 6396.628480689:7fd30d5ef700: type : 6 6396.628483003:7fd30d5ef700: pData: 0x7fd30d3e8778 6396.628485437:7fd30d5ef700: Hdlr : 0x0 6396.628487766:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 6396.628490107:7fd30d5ef700: 6396.628492062:7fd30d5ef700: Command 'udpservertimerequery': 6396.628494497:7fd30d5ef700: type : 6 6396.628496822:7fd30d5ef700: pData: 0x7fd30d3e877c 6396.628499239:7fd30d5ef700: Hdlr : 0x0 6396.628501550:7fd30d5ef700: Owner: 0x7fd30d1e5eb0 6396.628503886:7fd30d5ef700: 6396.628505795:7fd30d5ef700: Command 'inputtcpserverrun': 6396.628509246:7fd30d5ef700: type : 11 6396.628513306:7fd30d5ef700: pData: 0x0 6396.628516909:7fd30d5ef700: Hdlr : 0x7fd30cfe3660 6396.628520648:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628524450:7fd30d5ef700: 6396.628527229:7fd30d5ef700: Command 'inputtcpserverkeepalive': 6396.628530542:7fd30d5ef700: type : 4 6396.628534510:7fd30d5ef700: pData: 0x7fd30d1e46ac 6396.628538752:7fd30d5ef700: Hdlr : 0x0 6396.628541170:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628543554:7fd30d5ef700: 6396.628545379:7fd30d5ef700: Command 'inputtcpmaxsessions': 6396.628547641:7fd30d5ef700: type : 6 6396.628549979:7fd30d5ef700: pData: 0x7fd30d1e46a0 6396.628552421:7fd30d5ef700: Hdlr : 0x0 6396.628554773:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628557167:7fd30d5ef700: 6396.628558948:7fd30d5ef700: Command 'inputtcpmaxlisteners': 
6396.628561145:7fd30d5ef700: type : 6 6396.628563463:7fd30d5ef700: pData: 0x7fd30d1e46a4 6396.628565884:7fd30d5ef700: Hdlr : 0x0 6396.628568237:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628570560:7fd30d5ef700: 6396.628572403:7fd30d5ef700: Command 'inputtcpservernotifyonconnectionclose': 6396.628574610:7fd30d5ef700: type : 4 6396.628576921:7fd30d5ef700: pData: 0x7fd30d1e46b0 6396.628579385:7fd30d5ef700: Hdlr : 0x0 6396.628581724:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628584047:7fd30d5ef700: 6396.628585908:7fd30d5ef700: Command 'inputtcpserverstreamdrivermode': 6396.628588076:7fd30d5ef700: type : 6 6396.628590415:7fd30d5ef700: pData: 0x7fd30d1e46a8 6396.628592830:7fd30d5ef700: Hdlr : 0x0 6396.628595149:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.628597484:7fd30d5ef700: 6396.628599374:7fd30d5ef700: Command 'inputtcpserverstreamdriverauthmode': 6396.911130332:7fd30d5ef700: type : 11 6396.911136765:7fd30d5ef700: pData: 0x7fd30d1e46c0 6396.911139354:7fd30d5ef700: Hdlr : 0x0 6396.911141901:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911183544:7fd30d5ef700: 6396.911186762:7fd30d5ef700: Command 'inputtcpserverstreamdriverpermittedpeer': 6396.911189161:7fd30d5ef700: type : 11 6396.911191595:7fd30d5ef700: pData: 0x0 6396.911193997:7fd30d5ef700: Hdlr : 0x7fd30cfe3580 6396.911196478:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911198896:7fd30d5ef700: 6396.911200980:7fd30d5ef700: Command 'inputtcpserveraddtlframedelimiter': 6396.911203304:7fd30d5ef700: type : 6 6396.911205680:7fd30d5ef700: pData: 0x7fd30d1e46b4 6396.911208151:7fd30d5ef700: Hdlr : 0x0 6396.911210545:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911212927:7fd30d5ef700: 6396.911214950:7fd30d5ef700: Command 'inputtcpserverdisablelfdelimiter': 6396.911217328:7fd30d5ef700: type : 4 6396.911219953:7fd30d5ef700: pData: 0x7fd30d1e46b8 6396.911224314:7fd30d5ef700: Hdlr : 0x0 6396.911228131:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911231809:7fd30d5ef700: 6396.911234947:7fd30d5ef700: Command 'inputtcpserverinputname': 
6396.911238376:7fd30d5ef700: type : 11 6396.911242260:7fd30d5ef700: pData: 0x7fd30d1e46c8 6396.911246967:7fd30d5ef700: Hdlr : 0x0 6396.911250231:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911252630:7fd30d5ef700: 6396.911254651:7fd30d5ef700: Command 'inputtcpserverbindruleset': 6396.911257043:7fd30d5ef700: type : 11 6396.911259387:7fd30d5ef700: pData: 0x7fd30d1e46d0 6396.911261832:7fd30d5ef700: Hdlr : 0x0 6396.911264190:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911266560:7fd30d5ef700: 6396.911268468:7fd30d5ef700: Command 'inputtcpflowcontrol': 6396.911270840:7fd30d5ef700: type : 4 6396.911273183:7fd30d5ef700: pData: 0x7fd30d1e46bc 6396.911275632:7fd30d5ef700: Hdlr : 0x0 6396.911278017:7fd30d5ef700: Owner: 0x7fd30cfe28a0 6396.911280379:7fd30d5ef700: 6396.911282158:7fd30d5ef700: 6396.911285173:7fd30d5ef700: Main queue size 10000 messages. 6396.911287691:7fd30d5ef700: Main queue worker threads: 1, wThread shutdown: 60000, Perists every 0 updates. 6396.911289966:7fd30d5ef700: Main queue timeouts: shutdown: 1500, action completion shutdown: 1000, enq: 2000 6396.911292275:7fd30d5ef700: Main queue watermarks: high: 8000, low: 2000, discard: 9800, discard-severity: 8 6396.911294487:7fd30d5ef700: Main queue save on shutdown 1, max disk space allowed 0 6396.911296822:7fd30d5ef700: Work Directory: ''. 
real 0m0.303s
user 0m0.001s
sys 0m0.002s
[root at oulog001 ~]# 6396.914208056:7fd30d5ef700: initialization completed, transitioning to regular run mode

From rgerhards at hq.adiscon.com Fri Feb 3 09:41:24 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Feb 2012 09:41:24 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 9:24 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi,
>
> I have attached debug info both when PrivDropTo is enabled and disabled.
> Only difference I can see is the 5 minutes it takes for the
> PrivDropTo_enabled run to timeout (motherprocess dies and childprocess
> thereby gets owned by init)...

Ah, it looks like you use auto-backgrounding (which is the default due to historical reasons). You can disable that via -n. I don't know if the init script expects auto-backgrounding or not...

Rainer

>
> Hopefully someone can see something more...:-) !
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards
>
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > > Sent: Friday, February 03, 2012 8:38 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] rsyslog as non-root user
> > >
> > > Hi,
> > >
> > > forgot to mention, that when i run:
> > > # /usr/sbin/rsyslogd -c 6
> > > it does the same thing... (hang+timeout+live
> > What do you mean with "hang"?
> > I could see no indication of any slowed-down
> > processing inside the debug log. It may also be useful if you shared the
> > debug log publicly, in case someone else has an idea.
> >
> > rainer
> >
> > > init/PrivDropToUser-owned-child-process) again only when PrivDropTo is
> > > enabled in /etc/rsyslog.conf... otherwise working perfectly...
> > > Would this possibly be solved in yesterday's release: 6.3.7-devel ?
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > > 2012/2/3 Michael Maymann
> > >
> > > > Hi,
> > > >
> > > > David: unfortunately this was not the case...:
> > > > # cat /etc/sysconfig/selinux
> > > > # This file controls the state of SELinux on the system.
> > > > # SELINUX= can take one of these three values:
> > > > # enforcing - SELinux security policy is enforced.
> > > > # permissive - SELinux prints warnings instead of enforcing.
> > > > # disabled - SELinux is fully disabled.
> > > > SELINUX=disabled
> > > > # SELINUXTYPE= type of policy in use. Possible values are:
> > > > # targeted - Only targeted network daemons are protected.
> > > > # strict - Full SELinux protection.
> > > > SELINUXTYPE=targeted
> > > >
> > > > What else could cause this problem ?
> > > >
> > > >
> > > >
> > > > Thanks in advance :-) !
> > > > ~maymann
> > > >
> > > > 2012/2/2 Michael Maymann
> > > >
> > > >> Hi,
> > > >>
> > > >> David: Thanks for your reply - sounds possible... I will try this first
> > > >> thing tomorrow morning and report back with findings...
> > > >>
> > > >> Br.
> > > >> ~maymann
> > > >>
> > > >> 2012/2/2
> > > >>
> > > >> On Thu, 2 Feb 2012, Michael Maymann wrote:
> > > >>>
> > > >>> Hi Rainer,
> > > >>>>
> > > >>>> I really have my doubts it has something to do with my startup script:
> > > >>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
> > > >>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
> > > >>>>
> > > >>>> I'm running on RHEL6.1_x64.
> > > >>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
> > > >>>> test...?
> > > >>>>
> > > >>>
> > > >>>
> > > >>> my guess is that this is a SELINUX related problem.
> > > >>>
> > > >>> what happens if you try to start rsyslog manually (not by running the
> > > >>> startup script, but just running 'rsyslogd -c 6' "
> > > >>>
> > > >>> David Lang
> > > >>>
> > > >>>
> > > >>>
> > > >>>> Thanks in advance :-) !
> > > >>>> ~maymann
> > > >>>>
> > > >>>> 2012/2/2 Michael Maymann
> > > >>>>
> > > >>>> Hi,
> > > >>>>>
> > > >>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
> > > >>>>> failing in the logs... and it actually doesn't fail... it works and
> > > >>>>> after
> > > >>>>> the timeout+failed notice only the process owned by
> > > >>>>> PrivDropToUser-USER is
> > > >>>>> present, but now owned by the init-process (mother process dies):
> > > >>>>>
> > > >>>>> # service rsyslog start
> > > >>>>> Starting system logger: [FAILED]
> > > >>>>>
> > > >>>>> BEFORE failed status:
> > > >>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
> > > >>>>> 9131 9126 0 11:07 ? 00:00:00
> > > >>>>> /usr/sbin/rsyslogd -c 6
> > > >>>>>
> > > >>>>> AFTER failed status root-owned process is killed and
> > > >>>>> PrivDropToUser-USER
> > > >>>>> owned process is therefore gets owned by init:
> > > >>>>> 9131 1 0 11:07 ? 00:00:00
> > > >>>>> /usr/sbin/rsyslogd -c 6
> > > >>>>>
> > > >>>>> Anyone who can help with this...?:
> > > >>>>> here is the debug output when starting running the init-script:
> > > >>>>> #/etc/init.d/rsyslog start
> > > >>>>> + . /etc/init.d/functions
> > > >>>>> ++ TEXTDOMAIN=initscripts
> > > >>>>> ++ umask 022
> > > >>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
> > > >>>>> ++ export PATH
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> ++ COLUMNS=80
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> +++ /sbin/consoletype
> > > >>>>> ++ CONSOLETYPE=pty
> > > >>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
> > > >>>>> ++ . /etc/profile.d/lang.sh
> > > >>>>> ++ unset LANGSH_SOURCED
> > > >>>>> ++ '[' -z '' ']'
> > > >>>>> ++ '[' -f /etc/sysconfig/init ']'
> > > >>>>> ++ . /etc/sysconfig/init
> > > >>>>> +++ BOOTUP=color
> > > >>>>> +++ RES_COL=60
> > > >>>>> +++ MOVE_TO_COL='echo -en \033[60G'
> > > >>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
> > > >>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
> > > >>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
> > > >>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
> > > >>>>> +++ PROMPT=yes
> > > >>>>> +++ AUTOSWAP=no
> > > >>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
> > > >>>>> +++ SINGLE=/sbin/sushell
> > > >>>>> ++ '[' pty = serial ']'
> > > >>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
> > > >>>>> + RETVAL=0
> > > >>>>> + PIDFILE=/var/run/syslogd.pid
> > > >>>>> + prog=rsyslogd
> > > >>>>> + exec=/usr/sbin/rsyslogd
> > > >>>>> + lockfile=/var/lock/subsys/rsyslogd
> > > >>>>> + case "$1" in
> > > >>>>> + start
> > > >>>>> + '[' -x /usr/sbin/rsyslogd ']'
> > > >>>>> + '[' -f /etc/sysconfig/rsyslog ']'
> > > >>>>> + . /etc/sysconfig/rsyslog
> > > >>>>> ++ SYSLOGD_OPTIONS='-c 6'
> > > >>>>> + umask 077
> > > >>>>> + echo -n 'Starting system logger: '
> > > >>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid
> > > >>>>> /usr/sbin/rsyslogd -c 6
> > > >>>>> + local gotbase= force= nicelevel corelimit
> > > >>>>> + local pid base= user= nice= bg= pid_file=
> > > >>>>> + local cgroup=
> > > >>>>> + nicelevel=0
> > > >>>>> + '[' --pidfile=/var/run/syslogd.pid '!='
> > > >>>>> -pidfile=/var/run/syslogd.pid ']'
> > > >>>>> + case $1 in
> > > >>>>> + pid_file=/var/run/syslogd.pid
> > > >>>>> + shift
> > > >>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
> > > >>>>> + '[' -z '' ']'
> > > >>>>> + base=rsyslogd
> > > >>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
> > > >>>>> + local base=rsyslogd
> > > >>>>> + local pid_file=/var/run/syslogd.pid
> > > >>>>> + pid=
> > > >>>>> + '[' -f /var/run/syslogd.pid ']'
> > > >>>>> + return 3
> > > >>>>> + '[' -n '' -a -z '' ']'
> > > >>>>> + corelimit='ulimit -S -c 0'
> > > >>>>> + '[' -n '' ']'
> > > >>>>> + '[' -n '' ']'
> > > >>>>> + '[' color = verbose -a -z '' ']'
> > > >>>>> + '[' -z '' ']'
> > > >>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c
> > > >>>>> 6'
> > > >>>>> ...
> > > >>>>> (hangs here for a long time)
> > > >>>>> ...
> > > >>>>> + '[' 1 -eq 0 ']' > > > >>>>> + failure 'rsyslogd startup' > > > >>>>> + local rc=1 > > > >>>>> + '[' color '!=' verbose -a -z '' ']' > > > >>>>> + echo_failure > > > >>>>> + '[' color = color ']' > > > >>>>> + echo -en '\033[60G' > > > >>>>> + > echo > > > -n '[' > > > >>>>> [+ '[' color = color ']' > > > >>>>> + echo -en '\033[0;31m' > > > >>>>> + echo -n FAILED > > > >>>>> FAILED+ '[' color = color ']' > > > >>>>> + echo -en '\033[0;39m' > > > >>>>> + echo -n ']' > > > >>>>> ]+ echo -ne '\r' > > > >>>>> + return 1 > > > >>>>> + '[' -x /usr/bin/plymouth ']' > > > >>>>> + /usr/bin/plymouth --details > > > >>>>> + return 1 > > > >>>>> + RETVAL=1 > > > >>>>> + echo > > > >>>>> > > > >>>>> + '[' 1 -eq 0 ']' > > > >>>>> + return 1 > > > >>>>> + exit 1 > > > >>>>> > > > >>>>> I have tried to give 777-access to /var/run and > /var/lock/subsys > > > - but > > > >>>>> same thing happens... > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>> Thanks in advance :-) ! > > > >>>>> > > > >>>>> Br. > > > >>>>> ~maymann > > > >>>>> > > > >>>>> > > > >>>>> > > > >>>>> 2012/2/2 Rainer Gerhards > > > >>>>> > > > >>>>> I can only help you with that part if you point me to why > > > exactly the > > > >>>>>> script > > > >>>>>> claims what it does. So you may want to try find someone who > can > > > do > > > >>>>>> that. > > > >>>>>> I > > > >>>>>> know this is probably a trivial question, but I don't know > > > anything ;) > > > >>>>>> > > > >>>>>> Sry, rainer > > > >>>>>> > > > >>>>>> -----Original Message----- > > > >>>>>>> From: rsyslog-bounces at lists.adiscon.**com > > bounces at lists.adiscon.com>[mailto: > > > >>>>>>> rsyslog- > > > >>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > > >>>>>>> Sent: Thursday, February 02, 2012 10:03 AM > > > >>>>>>> To: rsyslog-users > > > >>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user > > > >>>>>>> > > > >>>>>>> Here is my startup script... 
only thing changed is the path > to > > > the > > > >>>>>>> new > > > >>>>>>> 6.3.6-rsyslog-devel binary. > > > >>>>>>> The startup-scripts works also perfectly when i comment out > the > > > >>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but > > > failes if i > > > >>>>>>> have > > > >>>>>>> both or one of the entries...: > > > >>>>>>> #!/bin/bash > > > >>>>>>> # > > > >>>>>>> # rsyslog Starts rsyslogd/rklogd. > > > >>>>>>> # > > > >>>>>>> # > > > >>>>>>> # chkconfig: 2345 12 88 > > > >>>>>>> # description: Syslog is the facility by which many daemons > use > > > to > > > >>>>>>> log > > > >>>>>>> \ > > > >>>>>>> # messages to various system log files. It is a good idea > to > > > always > > > >>>>>>> \ > > > >>>>>>> # run rsyslog. > > > >>>>>>> ### BEGIN INIT INFO > > > >>>>>>> # Provides: $syslog > > > >>>>>>> # Required-Start: $local_fs > > > >>>>>>> # Required-Stop: $local_fs > > > >>>>>>> # Default-Start: 2 3 4 5 > > > >>>>>>> # Default-Stop: 0 1 6 > > > >>>>>>> # Short-Description: Enhanced system logging and kernel > message > > > >>>>>>> trapping > > > >>>>>>> daemons > > > >>>>>>> # Description: Rsyslog is an enhanced multi-threaded > syslogd > > > >>>>>>> supporting, > > > >>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, > > > permitted > > > >>>>>>> # sender lists, filtering on any message part, > and > > > fine > > > >>>>>>> # grain output format control. > > > >>>>>>> ### END INIT INFO > > > >>>>>>> > > > >>>>>>> # Source function library. > > > >>>>>>> . /etc/init.d/functions > > > >>>>>>> > > > >>>>>>> RETVAL=0 > > > >>>>>>> PIDFILE=/var/run/syslogd.pid > > > >>>>>>> > > > >>>>>>> prog=rsyslogd > > > >>>>>>> #exec=/sbin/rsyslogd > > > >>>>>>> exec=/usr/sbin/rsyslogd > > > >>>>>>> lockfile=/var/lock/subsys/$**prog > > > >>>>>>> > > > >>>>>>> start() { > > > >>>>>>> [ -x $exec ] || exit 5 > > > >>>>>>> > > > >>>>>>> # Source config > > > >>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then > > > >>>>>>> . 
/etc/sysconfig/rsyslog > > > >>>>>>> fi > > > >>>>>>> umask 077 > > > >>>>>>> > > > >>>>>>> echo -n $"Starting system logger: " > > > >>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS > > > >>>>>>> RETVAL=$? > > > >>>>>>> echo > > > >>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile > > > >>>>>>> return $RETVAL > > > >>>>>>> } > > > >>>>>>> stop() { > > > >>>>>>> echo -n $"Shutting down system logger: " > > > >>>>>>> killproc $prog > > > >>>>>>> RETVAL=$? > > > >>>>>>> echo > > > >>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile > > > >>>>>>> return $RETVAL > > > >>>>>>> } > > > >>>>>>> reload() { > > > >>>>>>> RETVAL=1 > > > >>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) > > > >>>>>>> echo -n "Reloading system logger..." > > > >>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > > > >>>>>>> kill -HUP "$syslog"; > > > >>>>>>> RETVAL=$? > > > >>>>>>> fi > > > >>>>>>> if [ $RETVAL -ne 0 ]; then > > > >>>>>>> failure > > > >>>>>>> else > > > >>>>>>> success > > > >>>>>>> fi > > > >>>>>>> echo > > > >>>>>>> return $RETVAL > > > >>>>>>> } > > > >>>>>>> rhstatus() { > > > >>>>>>> status -p "${PIDFILE}" $prog > > > >>>>>>> } > > > >>>>>>> restart() { > > > >>>>>>> stop > > > >>>>>>> start > > > >>>>>>> } > > > >>>>>>> > > > >>>>>>> case "$1" in > > > >>>>>>> start) > > > >>>>>>> start > > > >>>>>>> ;; > > > >>>>>>> stop) > > > >>>>>>> stop > > > >>>>>>> ;; > > > >>>>>>> restart) > > > >>>>>>> restart > > > >>>>>>> ;; > > > >>>>>>> reload|force-reload) > > > >>>>>>> reload > > > >>>>>>> ;; > > > >>>>>>> status) > > > >>>>>>> rhstatus > > > >>>>>>> ;; > > > >>>>>>> condrestart|try-restart) > > > >>>>>>> rhstatus >/dev/null 2>&1 || exit 0 > > > >>>>>>> restart > > > >>>>>>> ;; > > > >>>>>>> *) > > > >>>>>>> echo $"Usage: $0 > > > >>>>>>> {start|stop|restart|**condrestart|try- > restart|**reload|force- > > > >>>>>>> reload|status}" > > > >>>>>>> exit 2 > > > >>>>>>> esac > > > >>>>>>> > > > >>>>>>> exit $? 
> > > >>>>>>> > > > >>>>>>> 2012/2/2 Rainer Gerhards > > > >>>>>>> > > > >>>>>>> > > > >>>>>>>> > > > >>>>>>>> -----Original Message----- > > > >>>>>>>>> From: rsyslog-bounces at lists.adiscon.**com > > bounces at lists.adiscon.com>[mailto: > > > >>>>>>>>> rsyslog- > > > >>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > > >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM > > > >>>>>>>>> To: rsyslog-users > > > >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user > > > >>>>>>>>> > > > >>>>>>>>> Hi, > > > >>>>>>>>> > > > >>>>>>>>> David: thanks - got it working with permission dropping, > by > > > far my > > > >>>>>>>>> prefered > > > >>>>>>>>> configuration... just didn't know of it...:-) ! > > > >>>>>>>>> Rainer: please let us know if the debug info of the > > > "permission > > > >>>>>>>>> dropping: > > > >>>>>>>>> hang+timeout" I send you can solve anything... anyway it > > > works now > > > >>>>>>>>> > > > >>>>>>>> - > > > >>>>>>> > > > >>>>>>>> but > > > >>>>>>>>> not optimal if other people have to service my setup...:- > ) ! > > > >>>>>>>>> > > > >>>>>>>> > > > >>>>>>>> I have reviewed the debug log and I see nothing > unexpected. > > > From the > > > >>>>>>>> timestamps I also see that there is no hang whatsoever. So > it > > > looks > > > >>>>>>>> > > > >>>>>>> like > > > >>>>>>> > > > >>>>>>>> there is some problem with the startup script, which I > don't > > > know. I > > > >>>>>>>> suggest > > > >>>>>>>> to ask what the FAILED status is caused by. We can then > look > > > why > > > >>>>>>>> this > > > >>>>>>>> happens. > > > >>>>>>>> > > > >>>>>>>> Sorry I have no better answer... > > > >>>>>>>> Rainer > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>>> Thanks in advance :-) ! 
> > > >>>>>>>>> ~maymann > > > >>>>>>>>> > > > >>>>>>>>> 2012/2/1 > > > >>>>>>>>> > > > >>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: > > > >>>>>>>>>> > > > >>>>>>>>>> Hi, > > > >>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is > > > working > > > >>>>>>>>>>> > > > >>>>>>>>>> fine > > > >>>>>>> > > > >>>>>>>> running > > > >>>>>>>>> > > > >>>>>>>>>> as root. > > > >>>>>>>>>>> I would like to run it as non-root user as my logfiles > are > > > >>>>>>>>>>> > > > >>>>>>>>>> located > > > >>>>>>> > > > >>>>>>>> on NFS > > > >>>>>>>>> > > > >>>>>>>>>> (and root export of NFS is generally not a good idea !). > > > >>>>>>>>>>> > > > >>>>>>>>>>> Here is my rsyslog.conf: > > > >>>>>>>>>>> #LOAD MODULES > > > >>>>>>>>>>> $ModLoad imudp > > > >>>>>>>>>>> $UDPServerRun 514 > > > >>>>>>>>>>> $UDPServerAddress 127.0.0.1 > > > >>>>>>>>>>> $ModLoad imtcp > > > >>>>>>>>>>> $InputTCPServerRun 514 > > > >>>>>>>>>>> #SET DESTINATION FOR LOGS > > > >>>>>>>>>>> $template > > > >>>>>>>>>>> > > > DYNmessages,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** > > > >>>>>>>>>>> $MONTH%_messages" > > > >>>>>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>> > DYNsecure,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** > > > >>>>>>> **$MONTH%_secure" > > > >>>>>>> > > > >>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>> > DYNmaillog,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** > > > >>>>>>> **$MONTH%_maillo > > > >>>>>>> > > > >>>>>>>> g" > > > >>>>>>>>> > > > >>>>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>> > > > DYNcron,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** > > > >>>>>>>>> ** > > > >>>>>>>>> > > > >>>>>>>>>> cron" > > > >>>>>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>> > DYNspooler,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** > > > >>>>>>> **$MONTH%_spoole > > > >>>>>>> > > > >>>>>>>> r" > > > >>>>>>>>> > > > >>>>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>> > > 
> DYNboot,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** > > > >>>>>>> **boot.log" > > > >>>>>>> > > > >>>>>>>> $template > > > >>>>>>>>>>> > > > >>>>>>>>>> > > > DYNtraps,"/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%** > > > >>>>>>>>> _** > > > >>>>>>>>> > > > >>>>>>>>>> traps" > > > >>>>>>>>>>> #SET LOGGING CONDITIONS > > > >>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages > > > >>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure > > > >>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog > > > >>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron > > > >>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler > > > >>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot > > > >>>>>>>>>>> if $syslogfacility-text == 'local6' and > $syslogseverity- > > > text == > > > >>>>>>>>>>> > > > >>>>>>>>>> 'WARNING' > > > >>>>>>>>> > > > >>>>>>>>>> then ?DYNtraps > > > >>>>>>>>>>> > > > >>>>>>>>>>> Here is my logfile when I try to start rsyslog as a > non- > > > root > > > >>>>>>>>>>> > > > >>>>>>>>>> user: > > > >>>>>>> > > > >>>>>>>> 2012-01-31T15:45:52.997693+02:****00 rsyslogd: > > > [origin > > > >>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x- > > > info=" > > > >>>>>>>>>>> http://www.rsyslog.com"] start > > > >>>>>>>>>>> 2012-01-31T15:45:52.997294+02:****00 > rsyslogd: > > > bind: > > > >>>>>>>>>>> > > > >>>>>>>>>> Permission > > > >>>>>>>>> > > > >>>>>>>>>> denied > > > >>>>>>>>>>> 2012-01-31T15:45:52.997369+02:****00 > rsyslogd: > > > bind: > > > >>>>>>>>>>> > > > >>>>>>>>>> Permission > > > >>>>>>>>> > > > >>>>>>>>>> denied > > > >>>>>>>>>>> 2012-01-31T15:45:52.997374+02:****00 > rsyslogd: > > > No UDP > > > >>>>>>>>>>> > > > >>>>>>>>>> listen > > > >>>>>>>>> > > > >>>>>>>>>> socket > > > >>>>>>>>>>> could successfully be initialized, message reception > via > > > UDP > > > >>>>>>>>>>> > > > >>>>>>>>>> disabled. 
> > > >>>>>>>>> > > > >>>>>>>>>> 2012-01-31T15:45:52.997376+02:****00 > rsyslogd: > > > imudp: > > > >>>>>>>>>>> > > > >>>>>>>>>> no > > > >>>>>>> > > > >>>>>>>> listeners > > > >>>>>>>>>>> could be started, input not activated. > > > >>>>>>>>>>> 2012-01-31T15:45:52.997379+02:****00 > rsyslogd3: > > > >>>>>>>>>>> > > > >>>>>>>>>> activation > > > >>>>>>> > > > >>>>>>>> of > > > >>>>>>>>> > > > >>>>>>>>>> module > > > >>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] > > > >>>>>>>>>>> 2012-01-31T15:45:52.997643+02:****00 > rsyslogd- > > > 2077: > > > >>>>>>>>>>> > > > >>>>>>>>>> Could > > > >>>>>>> > > > >>>>>>>> not > > > >>>>>>>>> > > > >>>>>>>>>> create > > > >>>>>>>>>>> tcp listener, ignoring port 514. [try > > > >>>>>>>>>>> > > > >>>>>>>>>> http://www.rsyslog.com/e/2077 > > > >>>>>>> > > > >>>>>>>> ] > > > >>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>>> So permissions to bind and sockets seems to be the > > > problem... > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user > > > (without > > > >>>>>>>>>> > > > >>>>>>>>> making > > > >>>>>>> > > > >>>>>>>> some > > > >>>>>>>>> > > > >>>>>>>>>> other non-standard changes through sysctl) > > > >>>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a > non- > > > root > > > >>>>>>>>>> > > > >>>>>>>>> user > > > >>>>>>> > > > >>>>>>>> - if > > > >>>>>>>>> > > > >>>>>>>>>> yes: how ? > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>> permission drop features > > > >>>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>> 2a. Is it possible to add permissions for non-root user > to > > > run > > > >>>>>>>>>> > > > >>>>>>>>> rsyslog > > > >>>>>>>>> > > > >>>>>>>>>> server - if yes: how ? > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>> pick a listening port > 1024 and it should work. > > > >>>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>> 2b. 
How do I start rsyslog during boot as non-root user > - > > > can > > > >>>>>>>>>> > > > >>>>>>>>> chkconfig do > > > >>>>>>>>> > > > >>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: > how ? > > > >>>>>>>>>>> > > > >>>>>>>>>>> > > > >>>>>>>>>> su can run a command as a different user. > > > >>>>>>>>>> > > > >>>>>>>>>> although as Rainer points out, you may just be looking > for > > > the > > > >>>>>>>>>> > > > >>>>>>>>> permission > > > >>>>>>>>> > > > >>>>>>>>>> dropping features that are already in rsyslog. > > > >>>>>>>>>> > > > >>>>>>>>>> David Lang > > > >>>>>>>>>> > > > >>>>>>>>>> ______________________________****_________________ > > > >>>>>>>>>> rsyslog mailing list > > > >>>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>> > > > > http://lists.adiscon.net/****mailman/listinfo/rsyslog > > con.net/**mailman/listinfo/rsyslog> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>>> n.net/mailman/listinfo/rsyslog**> > > > >>>>>>>>> > > > >>>>>>>>>> http://www.rsyslog.com/****professional- > > > > > > >>>>>>>>>> > > > >>>>>>>>> services/ > > services/ > > > >>>>>>>>> > > > > >>>>>>>>> > > > >>>>>>>>>> > > > >>>>>>>>>> ______________________________**_________________ > > > >>>>>>>>> rsyslog mailing list > > > >>>>>>>>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>>>>>>>> http://www.rsyslog.com/**professional- > > > services/ > > > >>>>>>>>> > > > >>>>>>>> ______________________________**_________________ > > > >>>>>>>> rsyslog mailing list > > > >>>>>>>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>>>>>>> http://www.rsyslog.com/**professional- > > > services/ > > > >>>>>>>> > > > >>>>>>>> ______________________________**_________________ > > > >>>>>>> rsyslog mailing list > > > >>>>>>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>>>>>> http://www.rsyslog.com/**professional- > > > services/ > 
> > >>>>>>> > > > >>>>>> ______________________________**_________________ > > > >>>>>> rsyslog mailing list > > > >>>>>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>>>>> http://www.rsyslog.com/**professional- > > > services/ > > > >>>>>> > > > >>>>>> > > > >>>>> > > > >>>>> ______________________________**_________________ > > > >>>> rsyslog mailing list > > > >>>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>>> http://www.rsyslog.com/**professional- > > > services/ > > > >>>> > > > >>>> ______________________________**_________________ > > > >>> rsyslog mailing list > > > >>> > > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog > > n.net/mailman/listinfo/rsyslog> > > > >>> http://www.rsyslog.com/**professional- > > > services/ > > > >>> > > > >> > > > >> > > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > From rgerhards at hq.adiscon.com Fri Feb 3 09:47:13 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 3 Feb 2012 09:47:13 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.co m> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281851@GRFEXC.intern.adiscon.com> > > I have attached debug info both when PrivDropTo is enabled and > > disabled. 
> > Only difference I can see is the 5 minutes it takes for the > > PrivDropTo_enabled run to timeout (motherproccess dies and > > childproccess > > thereby gets owned by init)... > > Ah, it looks like you use auto-backgrounding (which is the default due > to > historical reasons). You can disable that via -n. I don't know if the > init > script expects auto-backgrounding or not... I should add: if auto-backgrounding is used, the parent process is just a shim to start the actual instance (the child). It then waits some time on the child until it is sure it has started (I haven't visited that code for many years...). So it is expected that the parent terminates after a while (and I think-but do not know right now- that this may take some minutes). Suggest: try without auto-backgrouning so that we know if the problem is related to that Feature. rainer From michael at maymann.org Fri Feb 3 10:03:44 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 3 Feb 2012 10:03:44 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281851@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281851@GRFEXC.intern.adiscon.com> Message-ID: Hi, Rainer: thanks for your reply. Tried without auto-backgrounding, here is the proccesses I see: root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service rsyslog start root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash /etc/init.d/rsyslog start root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n 14823 14822 0 10:43 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n Now it doesn't seem to timeout and kill the motherproccess...:-) ! 
Only thing is it doesn't return after: # service rsyslog start I have tried adding "&" to /etc/sysconfig/rsyslog: SYSLOGD_OPTIONS="-c 6 -n &" but again this kill the motherproccess... and my guess is the root-owned motherproccess should continue to be there - right ? Any idea how to implement this properly ? Thanks in advance :-) ! ~maymann 2012/2/3 Rainer Gerhards > > > I have attached debug info both when PrivDropTo is enabled and > > > disabled. > > > Only difference I can see is the 5 minutes it takes for the > > > PrivDropTo_enabled run to timeout (motherproccess dies and > > > childproccess > > > thereby gets owned by init)... > > > > Ah, it looks like you use auto-backgrounding (which is the default due > > to > > historical reasons). You can disable that via -n. I don't know if the > > init > > script expects auto-backgrounding or not... > > I should add: if auto-backgrounding is used, the parent process is just a > shim to start the actual instance (the child). It then waits some time on > the > child until it is sure it has started (I haven't visited that code for many > years...). So it is expected that the parent terminates after a while (and > I > think-but do not know right now- that this may take some minutes). > > Suggest: try without auto-backgrouning so that we know if the problem is > related to that Feature. 
> > rainer > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From rgerhards at hq.adiscon.com Fri Feb 3 10:07:53 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 3 Feb 2012 10:07:53 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.com ><9B6E2A 8877C38245BF B15CC491A11DA7281851@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281855@GRFEXC.intern.adiscon.com> I guess you need to understand what the init scripts demand. I don't do so I better do not provide any more comments ;) rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Friday, February 03, 2012 10:04 AM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog as non-root user > > Hi, > > Rainer: thanks for your reply. > Tried without auto-backgrounding, here is the proccesses I see: > root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service > rsyslog start > root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash > /etc/init.d/rsyslog start > root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S > -c 0 > >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n > 14823 14822 0 10:43 pts/0 00:00:00 > /usr/sbin/rsyslogd > -c 6 -n > > Now it doesn't seem to timeout and kill the motherproccess...:-) ! > > Only thing is it doesn't return after: > # service rsyslog start > > I have tried adding "&" to /etc/sysconfig/rsyslog: > SYSLOGD_OPTIONS="-c 6 -n &" > but again this kill the motherproccess... 
and my guess is the root- > owned > motherproccess should continue to be there - right ? > > Any idea how to implement this properly ? > > > Thanks in advance :-) ! > ~maymann > > > 2012/2/3 Rainer Gerhards > > > > > I have attached debug info both when PrivDropTo is enabled and > > > > disabled. > > > > Only difference I can see is the 5 minutes it takes for the > > > > PrivDropTo_enabled run to timeout (motherproccess dies and > > > > childproccess > > > > thereby gets owned by init)... > > > > > > Ah, it looks like you use auto-backgrounding (which is the default > due > > > to > > > historical reasons). You can disable that via -n. I don't know if > the > > > init > > > script expects auto-backgrounding or not... > > > > I should add: if auto-backgrounding is used, the parent process is > just a > > shim to start the actual instance (the child). It then waits some > time on > > the > > child until it is sure it has started (I haven't visited that code > for many > > years...). So it is expected that the parent terminates after a while > (and > > I > > think-but do not know right now- that this may take some minutes). > > > > Suggest: try without auto-backgrouning so that we know if the problem > is > > related to that Feature. 
> > > > rainer > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ From michael at maymann.org Fri Feb 3 10:28:10 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 3 Feb 2012 10:28:10 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281855@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281855@GRFEXC.intern.adiscon.com> Message-ID: Hi, Rainer: Thanks for your help. Just to understand rsyslog: should the root-owned mother-proccess be kept alive (sounds like the right way to do things) or is the purpose that the motherproccess dies and child proccess gets owned by init (doesn't sound right) If the latter: the "&" (but in background) is sufficient: SYSLOGD_OPTIONS="-c 6 -n &" Otherwise I think I would somehow need to start a new shell and execute the rsyslog command with "&", e.g.: SYSLOGD_OPTIONS="-c 6 -n" bash -c "daemon --pidfile=\"${PIDFILE}\" $exec $SYSLOGD_OPTIONS" & Anyone with a working PrivDropToUser /etc/sysconfig/rsyslog+/etc/init.d/rsyslog ? Thanks in advance :-) ! Br. ~maymann 2012/2/3 Rainer Gerhards > I guess you need to understand what the init scripts demand. 
I don't do so > I > better do not provide any more comments ;) > > rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > Sent: Friday, February 03, 2012 10:04 AM > > To: rsyslog-users > > Subject: Re: [rsyslog] rsyslog as non-root user > > > > Hi, > > > > Rainer: thanks for your reply. > > Tried without auto-backgrounding, here is the proccesses I see: > > root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service > > rsyslog start > > root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash > > /etc/init.d/rsyslog start > > root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S > > -c 0 > > >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n > > 14823 14822 0 10:43 pts/0 00:00:00 > > /usr/sbin/rsyslogd > > -c 6 -n > > > > Now it doesn't seem to timeout and kill the motherproccess...:-) ! > > > > Only thing is it doesn't return after: > > # service rsyslog start > > > > I have tried adding "&" to /etc/sysconfig/rsyslog: > > SYSLOGD_OPTIONS="-c 6 -n &" > > but again this kill the motherproccess... and my guess is the root- > > owned > > motherproccess should continue to be there - right ? > > > > Any idea how to implement this properly ? > > > > > > Thanks in advance :-) ! > > ~maymann > > > > > > 2012/2/3 Rainer Gerhards > > > > > > > I have attached debug info both when PrivDropTo is enabled and > > > > > disabled. > > > > > Only difference I can see is the 5 minutes it takes for the > > > > > PrivDropTo_enabled run to timeout (motherproccess dies and > > > > > childproccess > > > > > thereby gets owned by init)... > > > > > > > > Ah, it looks like you use auto-backgrounding (which is the default > > due > > > > to > > > > historical reasons). You can disable that via -n. I don't know if > > the > > > > init > > > > script expects auto-backgrounding or not... 
> > > > > > I should add: if auto-backgrounding is used, the parent process is > > just a > > > shim to start the actual instance (the child). It then waits some > > time on > > > the > > > child until it is sure it has started (I haven't visited that code > > for many > > > years...). So it is expected that the parent terminates after a while > > (and > > > I > > > think-but do not know right now- that this may take some minutes). > > > > > > Suggest: try without auto-backgrouning so that we know if the problem > > is > > > related to that Feature. > > > > > > rainer > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From rgerhards at hq.adiscon.com Fri Feb 3 10:39:49 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Fri, 3 Feb 2012 10:39:49 +0100 Subject: [rsyslog] rsyslog as non-root user In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com><9B6E 2A8877C38245 BFB15CC491A11DA7281855@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281857@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Friday, February 03, 2012 10:28 AM > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog as non-root user > > Hi, > > Rainer: Thanks for your help. 
> > Just to understand rsyslog: should the root-owned mother-proccess be > kept > alive (sounds like the right way to do things) or is the purpose that > the > motherproccess dies and child proccess gets owned by init (doesn't > sound > right) It doesn't "die" (co-notation: errs) but "terminates" (co-notation: all well, expected). Have a look yourself: http://git.adiscon.com/?p=rsyslog.git;a=blob;f=tools/syslogd.c;h=2e7a1e23a15d 24d4a4b0558c3f33253eb5baa3c7;hb=HEAD#l1582 Rainer > > If the latter: the "&" (but in background) is sufficient: > SYSLOGD_OPTIONS="-c 6 -n &" > Otherwise I think I would somehow need to start a new shell and execute > the > rsyslog command with "&", e.g.: > SYSLOGD_OPTIONS="-c 6 -n" > bash -c "daemon --pidfile=\"${PIDFILE}\" $exec $SYSLOGD_OPTIONS" & > > Anyone with a working PrivDropToUser > /etc/sysconfig/rsyslog+/etc/init.d/rsyslog ? > > > Thanks in advance :-) ! > > Br. > ~maymann > > > 2012/2/3 Rainer Gerhards > > > I guess you need to understand what the init scripts demand. I don't > do so > > I > > better do not provide any more comments ;) > > > > rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > > Sent: Friday, February 03, 2012 10:04 AM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] rsyslog as non-root user > > > > > > Hi, > > > > > > Rainer: thanks for your reply. > > > Tried without auto-backgrounding, here is the proccesses I see: > > > root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh > /sbin/service > > > rsyslog start > > > root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash > > > /etc/init.d/rsyslog start > > > root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit > -S > > > -c 0 > > > >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n > > > 14823 14822 0 10:43 pts/0 00:00:00 > > > /usr/sbin/rsyslogd > > > -c 6 -n > > > > > > Now it doesn't seem to timeout and kill the motherproccess...:-) ! 
> > >
> > > Only thing is it doesn't return after:
> > > # service rsyslog start
> > >
> > > I have tried adding "&" to /etc/sysconfig/rsyslog:
> > > SYSLOGD_OPTIONS="-c 6 -n &"
> > > but again this kills the motherprocess... and my guess is the root-owned
> > > motherprocess should continue to be there - right ?
> > >
> > > Any idea how to implement this properly ?
> > >
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > >
> > > 2012/2/3 Rainer Gerhards
> > >
> > > > > > I have attached debug info both when PrivDropTo is enabled and
> > > > > > disabled.
> > > > > > Only difference I can see is the 5 minutes it takes for the
> > > > > > PrivDropTo_enabled run to timeout (motherprocess dies and childprocess
> > > > > > thereby gets owned by init)...
> > > > >
> > > > > Ah, it looks like you use auto-backgrounding (which is the default due to
> > > > > historical reasons). You can disable that via -n. I don't know if the init
> > > > > script expects auto-backgrounding or not...
> > > >
> > > > I should add: if auto-backgrounding is used, the parent process is just a
> > > > shim to start the actual instance (the child). It then waits some time on the
> > > > child until it is sure it has started (I haven't visited that code for many
> > > > years...). So it is expected that the parent terminates after a while (and I
> > > > think-but do not know right now- that this may take some minutes).
> > > >
> > > > Suggest: try without auto-backgrounding so that we know if the problem is
> > > > related to that Feature.
> > > >
> > > > rainer

From david at lang.hm Fri Feb 3 10:42:32 2012
From: david at lang.hm (david at lang.hm)
Date: Fri, 3 Feb 2012 01:42:32 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184C@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728184F@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281851@GRFEXC.intern.adiscon.com>
Message-ID:

without auto backgrounding, what happens when you run it manually?

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

> Hi,
>
> Rainer: thanks for your reply.
> Tried without auto-backgrounding, here are the processes I see:
> root 14814 14131 0 10:43 pts/0 00:00:00 /bin/sh /sbin/service rsyslog start
> root 14819 14814 0 10:43 pts/0 00:00:00 /bin/bash /etc/init.d/rsyslog start
> root 14822 14819 0 10:43 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6 -n
> 14823 14822 0 10:43 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n
>
> Now it doesn't seem to timeout and kill the motherprocess...:-) !
>
> Only thing is it doesn't return after:
> # service rsyslog start
>
> I have tried adding "&" to /etc/sysconfig/rsyslog:
> SYSLOGD_OPTIONS="-c 6 -n &"
> but again this kills the motherprocess... and my guess is the root-owned
> motherprocess should continue to be there - right ?
>
> Any idea how to implement this properly ?
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards
>
>>>> I have attached debug info both when PrivDropTo is enabled and
>>>> disabled.
>>>> Only difference I can see is the 5 minutes it takes for the
>>>> PrivDropTo_enabled run to timeout (motherprocess dies and childprocess
>>>> thereby gets owned by init)...
>>>
>>> Ah, it looks like you use auto-backgrounding (which is the default due to
>>> historical reasons). You can disable that via -n. I don't know if the init
>>> script expects auto-backgrounding or not...
>>
>> I should add: if auto-backgrounding is used, the parent process is just a
>> shim to start the actual instance (the child). It then waits some time on the
>> child until it is sure it has started (I haven't visited that code for many
>> years...). So it is expected that the parent terminates after a while (and I
>> think-but do not know right now- that this may take some minutes).
>>
>> Suggest: try without auto-backgrounding so that we know if the problem is
>> related to that Feature.
>>
>> rainer

From david at lang.hm Fri Feb 3 10:48:22 2012
From: david at lang.hm (david at lang.hm)
Date: Fri, 3 Feb 2012 01:48:22 -0800 (PST)
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

oops, that should have been RSYSLOG_DebugFormat template.

David Lang

On Thu, 2 Feb 2012, david at lang.hm wrote:

> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> From: david at lang.hm
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> what does one of these messages look like if you write it out with the
> RSYSLOG_DEBUG template?
>
> David Lang
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>> From: Michael Maymann
>> Reply-To: rsyslog-users
>> To: rsyslog-users
>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>
>> Please... Anyone?
>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
>>
>>> Hi,
>>>
>>> got it started... but still ??? dir+logfiles are showing up...
>>> This is now my rsyslog.conf:
>>> #SET PRIVILEGES
>>> $PreserveFQDN on
>>> $PrivDropToGroup
>>> $PrivDropToUser
>>> $DirCreateMode 0750
>>> $FileCreateMode 0640
>>> $UMASK 0027
>>>
>>> #LOAD MODULES
>>> $ModLoad imudp
>>> $UDPServerRun 514
>>> $UDPServerAddress 127.0.0.1
>>> $ModLoad imtcp
>>> $InputTCPServerRun 514
>>>
>>> #SET DESTINATION FOR LOGS
>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>
>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>
>>> #SET LOGGING CONDITIONS
>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>
>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>
>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>> ??? dir+files...
>>> What variable should I use to handle this properly ?
>>>
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/2 Michael Maymann
>>>
>>>> Hi,
>>>>
>>>> David: thanks for your reply...
>>>> Here is my new rsyslog.conf:
>>>> #SET PRIVILEGES
>>>> $PreserveFQDN on
>>>> $PrivDropToGroup
>>>> $PrivDropToUser
>>>> $DirCreateMode 0750
>>>> $FileCreateMode 0640
>>>> $UMASK 0027
>>>>
>>>> #LOAD MODULES
>>>> $ModLoad imudp
>>>> $UDPServerRun 514
>>>> $UDPServerAddress 127.0.0.1
>>>> $ModLoad imtcp
>>>> $InputTCPServerRun 514
>>>>
>>>> #SET DESTINATION FOR LOGS
>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> #SET LOGGING CONDITIONS
>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>
>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>
>>>> but it fails...:
>>>> # service rsyslog start
>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>>>> [ OK ]
>>>>
>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>> is this done...
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>>
>>>> 2012/2/1
>>>>
>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> I want to log information about hosts that are not logging with correct
>>>>>> HOSTNAME.
>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>>>> to...
>>>>>>
>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>
>>>>>
>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>> property.
>>>>>
>>>>> what you can do is to setup a different template and then if %fromhost%
>>>>> is your special pattern you can log with this different template.
>>>>>
>>>>> David Lang

From david at lang.hm Fri Feb 3 10:50:14 2012
From: david at lang.hm (david at lang.hm)
Date: Fri, 3 Feb 2012 01:50:14 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

On Fri, 3 Feb 2012, Michael Maymann wrote:

> Hi,
>
> David: unfortunately this was not the case...:
> # cat /etc/sysconfig/selinux
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=disabled
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
> What else could cause this problem ?

possibly a silly question, but have you verified that the user you are dropping privileges to has write permission on the directories that you write logs (and any queue files) to?

David Lang

>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann
>
>> Hi,
>>
>> David: Thanks for your reply - sounds possible... I will try this first
>> thing tomorrow morning and report back with findings...
>>
>> Br.
>> ~maymann
>>
>> 2012/2/2
>>
>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>
>>> Hi Rainer,
>>>>
>>>> I really have my doubts it has something to do with my startup script:
>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>
>>>> I'm running on RHEL6.1_x64.
>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>>> test...?
>>>>
>>>
>>>
>>> my guess is that this is a SELINUX related problem.
>>>
>>> what happens if you try to start rsyslog manually (not by running the
>>> startup script, but just running 'rsyslogd -c 6' "
>>>
>>> David Lang
>>>
>>>
>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/2 Michael Maymann
>>>>
>>>> Hi,
>>>>>
>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>>> failing in the logs... and it actually doesn't fail... it works and after
>>>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>>>> present, but now owned by the init-process (mother process dies):
>>>>>
>>>>> # service rsyslog start
>>>>> Starting system logger: [FAILED]
>>>>>
>>>>> BEFORE failed status:
>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>
>>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>>>> owned process therefore gets owned by init:
>>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>
>>>>> Anyone who can help with this...?:
>>>>> here is the debug output when starting running the init-script:
>>>>> #/etc/init.d/rsyslog start
>>>>> + . /etc/init.d/functions
>>>>> ++ TEXTDOMAIN=initscripts
>>>>> ++ umask 022
>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>> ++ export PATH
>>>>> ++ '[' -z '' ']'
>>>>> ++ COLUMNS=80
>>>>> ++ '[' -z '' ']'
>>>>> +++ /sbin/consoletype
>>>>> ++ CONSOLETYPE=pty
>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>> ++ . /etc/profile.d/lang.sh
>>>>> ++ unset LANGSH_SOURCED
>>>>> ++ '[' -z '' ']'
>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>> ++ . /etc/sysconfig/init
>>>>> +++ BOOTUP=color
>>>>> +++ RES_COL=60
>>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>> +++ PROMPT=yes
>>>>> +++ AUTOSWAP=no
>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>> +++ SINGLE=/sbin/sushell
>>>>> ++ '[' pty = serial ']'
>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>> + RETVAL=0
>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>> + prog=rsyslogd
>>>>> + exec=/usr/sbin/rsyslogd
>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>> + case "$1" in
>>>>> + start
>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>> + . /etc/sysconfig/rsyslog
>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>> + umask 077
>>>>> + echo -n 'Starting system logger: '
>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>>> + local gotbase= force= nicelevel corelimit
>>>>> + local pid base= user= nice= bg= pid_file=
>>>>> + local cgroup=
>>>>> + nicelevel=0
>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>>> + case $1 in
>>>>> + pid_file=/var/run/syslogd.pid
>>>>> + shift
>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>> + '[' -z '' ']'
>>>>> + base=rsyslogd
>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>> + local base=rsyslogd
>>>>> + local pid_file=/var/run/syslogd.pid
>>>>> + pid=
>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>> + return 3
>>>>> + '[' -n '' -a -z '' ']'
>>>>> + corelimit='ulimit -S -c 0'
>>>>> + '[' -n '' ']'
>>>>> + '[' -n '' ']'
>>>>> + '[' color = verbose -a -z '' ']'
>>>>> + '[' -z '' ']'
>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>>> ...
>>>>> (hangs here for a long time)
>>>>> ...
>>>>> + '[' 1 -eq 0 ']'
>>>>> + failure 'rsyslogd startup'
>>>>> + local rc=1
>>>>> + '[' color '!=' verbose -a -z '' ']'
>>>>> + echo_failure
>>>>> + '[' color = color ']'
>>>>> + echo -en '\033[60G'
>>>>> + echo -n '['
>>>>> [+ '[' color = color ']'
>>>>> + echo -en '\033[0;31m'
>>>>> + echo -n FAILED
>>>>> FAILED+ '[' color = color ']'
>>>>> + echo -en '\033[0;39m'
>>>>> + echo -n ']'
>>>>> ]+ echo -ne '\r'
>>>>> + return 1
>>>>> + '[' -x /usr/bin/plymouth ']'
>>>>> + /usr/bin/plymouth --details
>>>>> + return 1
>>>>> + RETVAL=1
>>>>> + echo
>>>>>
>>>>> + '[' 1 -eq 0 ']'
>>>>> + return 1
>>>>> + exit 1
>>>>>
>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>>> same thing happens...
>>>>>
>>>>>
>>>>>
>>>>> Thanks in advance :-) !
>>>>>
>>>>> Br.
>>>>> ~maymann
>>>>>
>>>>>
>>>>>
>>>>> 2012/2/2 Rainer Gerhards
>>>>>
>>>>> I can only help you with that part if you point me to why exactly the script
>>>>>> claims what it does. So you may want to try find someone who can do that. I
>>>>>> know this is probably a trivial question, but I don't know anything ;)
>>>>>>
>>>>>> Sry, rainer
>>>>>>
>>>>>> -----Original Message-----
>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>>> To: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>
>>>>>>> Here is my startup script... only thing changed is the path to the new
>>>>>>> 6.3.6-rsyslog-devel binary.
>>>>>>> The startup-scripts works also perfectly when I comment out the
>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
>>>>>>> both or one of the entries...:
>>>>>>> #!/bin/bash
>>>>>>> #
>>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>>> #
>>>>>>> #
>>>>>>> # chkconfig: 2345 12 88
>>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>>> # run rsyslog.
>>>>>>> ### BEGIN INIT INFO
>>>>>>> # Provides: $syslog
>>>>>>> # Required-Start: $local_fs
>>>>>>> # Required-Stop: $local_fs
>>>>>>> # Default-Start: 2 3 4 5
>>>>>>> # Default-Stop: 0 1 6
>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>> # sender lists, filtering on any message part, and fine
>>>>>>> # grain output format control.
>>>>>>> ### END INIT INFO
>>>>>>>
>>>>>>> # Source function library.
>>>>>>> . /etc/init.d/functions
>>>>>>>
>>>>>>> RETVAL=0
>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>
>>>>>>> prog=rsyslogd
>>>>>>> #exec=/sbin/rsyslogd
>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>
>>>>>>> start() {
>>>>>>>     [ -x $exec ] || exit 5
>>>>>>>
>>>>>>>     # Source config
>>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>>     fi
>>>>>>>     umask 077
>>>>>>>
>>>>>>>     echo -n $"Starting system logger: "
>>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>>     RETVAL=$?
>>>>>>>     echo
>>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>>     return $RETVAL
>>>>>>> }
>>>>>>> stop() {
>>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>>     killproc $prog
>>>>>>>     RETVAL=$?
>>>>>>>     echo
>>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>>     return $RETVAL
>>>>>>> }
>>>>>>> reload() {
>>>>>>>     RETVAL=1
>>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>>     echo -n "Reloading system logger..."
>>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>>         kill -HUP "$syslog";
>>>>>>>         RETVAL=$?
>>>>>>>     fi
>>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>>         failure
>>>>>>>     else
>>>>>>>         success
>>>>>>>     fi
>>>>>>>     echo
>>>>>>>     return $RETVAL
>>>>>>> }
>>>>>>> rhstatus() {
>>>>>>>     status -p "${PIDFILE}" $prog
>>>>>>> }
>>>>>>> restart() {
>>>>>>>     stop
>>>>>>>     start
>>>>>>> }
>>>>>>>
>>>>>>> case "$1" in
>>>>>>>     start)
>>>>>>>         start
>>>>>>>         ;;
>>>>>>>     stop)
>>>>>>>         stop
>>>>>>>         ;;
>>>>>>>     restart)
>>>>>>>         restart
>>>>>>>         ;;
>>>>>>>     reload|force-reload)
>>>>>>>         reload
>>>>>>>         ;;
>>>>>>>     status)
>>>>>>>         rhstatus
>>>>>>>         ;;
>>>>>>>     condrestart|try-restart)
>>>>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>>>>         restart
>>>>>>>         ;;
>>>>>>>     *)
>>>>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>>         exit 2
>>>>>>> esac
>>>>>>>
>>>>>>> exit $?
>>>>>>> >>>>>>> 2012/2/2 Rainer Gerhards >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>>> From: rsyslog-bounces at lists.adiscon.**com[mailto: >>>>>>>>> rsyslog- >>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>> To: rsyslog-users >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> David: thanks - got it working with permission dropping, by far my >>>>>>>>> prefered >>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>> Rainer: please let us know if the debug info of the "permission >>>>>>>>> dropping: >>>>>>>>> hang+timeout" I send you can solve anything... anyway it works now >>>>>>>>> >>>>>>>> - >>>>>>> >>>>>>>> but >>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>> >>>>>>>> >>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the >>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks >>>>>>>> >>>>>>> like >>>>>>> >>>>>>>> there is some problem with the startup script, which I don't know. I >>>>>>>> suggest >>>>>>>> to ask what the FAILED status is caused by. We can then look why this >>>>>>>> happens. >>>>>>>> >>>>>>>> Sorry I have no better answer... >>>>>>>> Rainer >>>>>>>> >>>>>>>> >>>>>>>>> Thanks in advance :-) ! >>>>>>>>> ~maymann >>>>>>>>> >>>>>>>>> 2012/2/1 >>>>>>>>> >>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working >>>>>>>>>>> >>>>>>>>>> fine >>>>>>> >>>>>>>> running >>>>>>>>> >>>>>>>>>> as root. >>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>> >>>>>>>>>> located >>>>>>> >>>>>>>> on NFS >>>>>>>>> >>>>>>>>>> (and root export of NFS is generally not a good idea !). 
>>>>>>>>>>> >>>>>>>>>>> Here is my rsyslog.conf: >>>>>>>>>>> #LOAD MODULES >>>>>>>>>>> $ModLoad imudp >>>>>>>>>>> $UDPServerRun 514 >>>>>>>>>>> $UDPServerAddress 127.0.0.1 >>>>>>>>>>> $ModLoad imtcp >>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>> #SET DESTINATION FOR LOGS >>>>>>>>>>> $template >>>>>>>>>>> DYNmessages,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** >>>>>>>>>>> $MONTH%_messages" >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNsecure,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_secure" >>>>>>> >>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNmaillog,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_maillo >>>>>>> >>>>>>>> g" >>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>> DYNcron,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_**** >>>>>>>>> >>>>>>>>>> cron" >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNspooler,"/%****FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>> **$MONTH%_spoole >>>>>>> >>>>>>>> r" >>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> DYNboot,"/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** >>>>>>> **boot.log" >>>>>>> >>>>>>>> $template >>>>>>>>>>> >>>>>>>>>> DYNtraps,"/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%** >>>>>>>>> _** >>>>>>>>> >>>>>>>>>> traps" >>>>>>>>>>> #SET LOGGING CONDITIONS >>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages >>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure >>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog >>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron >>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler >>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot >>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>>>>>>> >>>>>>>>>> 'WARNING' >>>>>>>>> >>>>>>>>>> then ?DYNtraps >>>>>>>>>>> >>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root >>>>>>>>>>> >>>>>>>>>> user: >>>>>>> >>>>>>>> 2012-01-31T15:45:52.997693+02:****00 rsyslogd: [origin 
>>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >>>>>>>>>>> http://www.rsyslog.com"] start >>>>>>>>>>> 2012-01-31T15:45:52.997294+02:****00 rsyslogd: bind: >>>>>>>>>>> >>>>>>>>>> Permission >>>>>>>>> >>>>>>>>>> denied >>>>>>>>>>> 2012-01-31T15:45:52.997369+02:****00 rsyslogd: bind: >>>>>>>>>>> >>>>>>>>>> Permission >>>>>>>>> >>>>>>>>>> denied >>>>>>>>>>> 2012-01-31T15:45:52.997374+02:****00 rsyslogd: No UDP >>>>>>>>>>> >>>>>>>>>> listen >>>>>>>>> >>>>>>>>>> socket >>>>>>>>>>> could successfully be initialized, message reception via UDP >>>>>>>>>>> >>>>>>>>>> disabled. >>>>>>>>> >>>>>>>>>> 2012-01-31T15:45:52.997376+02:****00 rsyslogd: imudp: >>>>>>>>>>> >>>>>>>>>> no >>>>>>> >>>>>>>> listeners >>>>>>>>>>> could be started, input not activated. >>>>>>>>>>> 2012-01-31T15:45:52.997379+02:****00 rsyslogd3: >>>>>>>>>>> >>>>>>>>>> activation >>>>>>> >>>>>>>> of >>>>>>>>> >>>>>>>>>> module >>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] >>>>>>>>>>> 2012-01-31T15:45:52.997643+02:****00 rsyslogd-2077: >>>>>>>>>>> >>>>>>>>>> Could >>>>>>> >>>>>>>> not >>>>>>>>> >>>>>>>>>> create >>>>>>>>>>> tcp listener, ignoring port 514. [try >>>>>>>>>>> >>>>>>>>>> http://www.rsyslog.com/e/2077 >>>>>>> >>>>>>>> ] >>>>>>>>> >>>>>>>>>> >>>>>>>>>>> So permissions to bind and sockets seems to be the problem... >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without >>>>>>>>>> >>>>>>>>> making >>>>>>> >>>>>>>> some >>>>>>>>> >>>>>>>>>> other non-standard changes through sysctl) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root >>>>>>>>>> >>>>>>>>> user >>>>>>> >>>>>>>> - if >>>>>>>>> >>>>>>>>>> yes: how ? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> permission drop features >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run >>>>>>>>>> >>>>>>>>> rsyslog >>>>>>>>> >>>>>>>>>> server - if yes: how ? 
>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> pick a listening port > 1024 and it should work. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can >>>>>>>>>> >>>>>>>>> chkconfig do >>>>>>>>> >>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> su can run a command as a different user. >>>>>>>>>> >>>>>>>>>> although as Rainer points out, you may just be looking for the >>>>>>>>>> >>>>>>>>> permission >>>>>>>>> >>>>>>>>>> dropping features that are already in rsyslog. >>>>>>>>>> >>>>>>>>>> David Lang >>>>>>>>>> >>>>>>>>>> ______________________________****_________________ >>>>>>>>>> rsyslog mailing list >>>>>>>>>> >>>>>>>>>> >>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>> >>>>>>> >>>>>>>> n.net/mailman/listinfo/rsyslog**> >>>>>>>>> >>>>>>>>>> http://www.rsyslog.com/****professional- >>>>>>>>>> >>>>>>>>> services/ >>>>>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> ______________________________**_________________ >>>>>>>>> rsyslog mailing list >>>>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>>>> >>>>>>>> ______________________________**_________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>>> >>>>>>>> ______________________________**_________________ >>>>>>> rsyslog mailing list >>>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>>> http://www.rsyslog.com/**professional-services/ >>>>>>> >>>>>> ______________________________**_________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com/**professional-services/ >>>>>> >>>>>> >>>>> >>>>> ______________________________**_________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>> 
From michael at maymann.org Fri Feb 3 11:05:28 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 11:05:28 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

Yes I have, and now set them to /tmp just for testing, but same thing...:
PIDFILE=/tmp/syslogd.pi
lockfile=/tmp/$prog

When started manually, it seems to be working just fine... also after 5 minutes...:-) !:
root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
root 14131 14128 0 09:04 pts/0 00:00:00 -bash
15442 14131 0 11:51 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n

How can I implement similar behaviour to /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?

Thanks in advance :-) !
~maymann

2012/2/3
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
>> Hi,
>>
>> David: unfortunately this was not the case...:
>> # cat /etc/sysconfig/selinux
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - SELinux is fully disabled.
>> SELINUX=disabled
>> # SELINUXTYPE= type of policy in use. Possible values are:
>> # targeted - Only targeted network daemons are protected.
>> # strict - Full SELinux protection.
>> SELINUXTYPE=targeted
>>
>> What else could cause this problem ?
>
> possibly a silly question, but have you verified that the user you are
> dropping privileges to has write permission on the directories that you
> write logs (and any queue files) to?
>
> David Lang
>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/2 Michael Maymann
>>
>>> Hi,
>>>
>>> David: Thanks for your reply - sounds possible... I will try this first
>>> thing tomorrow morning and report back with findings...
>>>
>>> Br.
>>> ~maymann
>>>
>>> 2012/2/2
>>>
>>>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>>
>>>>> Hi Rainer,
>>>>>
>>>>> I really have my doubts it has something to do with my startup script:
>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>>
>>>>> I'm running on RHEL6.1_x64.
>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can test...?
>>>>
>>>> my guess is that this is a SELINUX related problem.
>>>>
>>>> what happens if you try to start rsyslog manually (not by running the
>>>> startup script, but just running 'rsyslogd -c 6')
>>>>
>>>> David Lang
>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/2 Michael Maymann
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>>>> failing in the logs... and it actually doesn't fail... it works and after
>>>>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>>>>> present, but now owned by the init-process (mother process dies):
>>>>>>
>>>>>> # service rsyslog start
>>>>>> Starting system logger: [FAILED]
>>>>>>
>>>>>> BEFORE failed status:
>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>
>>>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>>>>> owned process therefore gets owned by init:
>>>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>
>>>>>> Anyone who can help with this...?:
>>>>>> here is the debug output when starting running the init-script:
>>>>>> #/etc/init.d/rsyslog start
>>>>>> + . /etc/init.d/functions
>>>>>> ++ TEXTDOMAIN=initscripts
>>>>>> ++ umask 022
>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>>> ++ export PATH
>>>>>> ++ '[' -z '' ']'
>>>>>> ++ COLUMNS=80
>>>>>> ++ '[' -z '' ']'
>>>>>> +++ /sbin/consoletype
>>>>>> ++ CONSOLETYPE=pty
>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>>> ++ . /etc/profile.d/lang.sh
>>>>>> ++ unset LANGSH_SOURCED
>>>>>> ++ '[' -z '' ']'
>>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>>> ++ . /etc/sysconfig/init
>>>>>> +++ BOOTUP=color
>>>>>> +++ RES_COL=60
>>>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>>> +++ PROMPT=yes
>>>>>> +++ AUTOSWAP=no
>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>>> +++ SINGLE=/sbin/sushell
>>>>>> ++ '[' pty = serial ']'
>>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>>> + RETVAL=0
>>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>>> + prog=rsyslogd
>>>>>> + exec=/usr/sbin/rsyslogd
>>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>>> + case "$1" in
>>>>>> + start
>>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>>> + . /etc/sysconfig/rsyslog
>>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>>> + umask 077
>>>>>> + echo -n 'Starting system logger: '
>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>>>> + local gotbase= force= nicelevel corelimit
>>>>>> + local pid base= user= nice= bg= pid_file=
>>>>>> + local cgroup=
>>>>>> + nicelevel=0
>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>>>> + case $1 in
>>>>>> + pid_file=/var/run/syslogd.pid
>>>>>> + shift
>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>>> + '[' -z '' ']'
>>>>>> + base=rsyslogd
>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>>> + local base=rsyslogd
>>>>>> + local pid_file=/var/run/syslogd.pid
>>>>>> + pid=
>>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>>> + return 3
>>>>>> + '[' -n '' -a -z '' ']'
>>>>>> + corelimit='ulimit -S -c 0'
>>>>>> + '[' -n '' ']'
>>>>>> + '[' -n '' ']'
>>>>>> + '[' color = verbose -a -z '' ']'
>>>>>> + '[' -z '' ']'
>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>>>> ...
>>>>>> (hangs here for a long time)
>>>>>> ...
>>>>>> + '[' 1 -eq 0 ']'
>>>>>> + failure 'rsyslogd startup'
>>>>>> + local rc=1
>>>>>> + '[' color '!=' verbose -a -z '' ']'
>>>>>> + echo_failure
>>>>>> + '[' color = color ']'
>>>>>> + echo -en '\033[60G'
>>>>>> + echo -n '['
>>>>>> [+ '[' color = color ']'
>>>>>> + echo -en '\033[0;31m'
>>>>>> + echo -n FAILED
>>>>>> FAILED+ '[' color = color ']'
>>>>>> + echo -en '\033[0;39m'
>>>>>> + echo -n ']'
>>>>>> ]+ echo -ne '\r'
>>>>>> + return 1
>>>>>> + '[' -x /usr/bin/plymouth ']'
>>>>>> + /usr/bin/plymouth --details
>>>>>> + return 1
>>>>>> + RETVAL=1
>>>>>> + echo
>>>>>>
>>>>>> + '[' 1 -eq 0 ']'
>>>>>> + return 1
>>>>>> + exit 1
>>>>>>
>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>>>> same thing happens...
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>>
>>>>>> Br.
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>
>>>>>>> I can only help you with that part if you point me to why exactly the script
>>>>>>> claims what it does. So you may want to try find someone who can do that. I
>>>>>>> know this is probably a trivial question, but I don't know anything ;)
>>>>>>>
>>>>>>> Sry, rainer
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>>>> To: rsyslog-users
>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>
>>>>>>>> Here is my startup script... only thing changed is the path to the new
>>>>>>>> 6.3.6-rsyslog-devel binary.
>>>>>>>> The startup-scripts works also perfectly when I comment out the
>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if I have
>>>>>>>> both or one of the entries...:
>>>>>>>> #!/bin/bash
>>>>>>>> #
>>>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>>>> #
>>>>>>>> #
>>>>>>>> # chkconfig: 2345 12 88
>>>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>>>> # run rsyslog.
>>>>>>>> ### BEGIN INIT INFO
>>>>>>>> # Provides: $syslog
>>>>>>>> # Required-Start: $local_fs
>>>>>>>> # Required-Stop: $local_fs
>>>>>>>> # Default-Start: 2 3 4 5
>>>>>>>> # Default-Stop: 0 1 6
>>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>>> #              sender lists, filtering on any message part, and fine
>>>>>>>> #              grain output format control.
>>>>>>>> ### END INIT INFO
>>>>>>>>
>>>>>>>> # Source function library.
>>>>>>>> . /etc/init.d/functions
>>>>>>>>
>>>>>>>> RETVAL=0
>>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>>
>>>>>>>> prog=rsyslogd
>>>>>>>> #exec=/sbin/rsyslogd
>>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>>
>>>>>>>> start() {
>>>>>>>>     [ -x $exec ] || exit 5
>>>>>>>>
>>>>>>>>     # Source config
>>>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>>>     fi
>>>>>>>>     umask 077
>>>>>>>>
>>>>>>>>     echo -n $"Starting system logger: "
>>>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>>>     RETVAL=$?
>>>>>>>>     echo
>>>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>>>     return $RETVAL
>>>>>>>> }
>>>>>>>> stop() {
>>>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>>>     killproc $prog
>>>>>>>>     RETVAL=$?
>>>>>>>>     echo
>>>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>>>     return $RETVAL
>>>>>>>> }
>>>>>>>> reload() {
>>>>>>>>     RETVAL=1
>>>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>>>     echo -n "Reloading system logger..."
>>>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>>>         kill -HUP "$syslog";
>>>>>>>>         RETVAL=$?
>>>>>>>>     fi
>>>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>>>         failure
>>>>>>>>     else
>>>>>>>>         success
>>>>>>>>     fi
>>>>>>>>     echo
>>>>>>>>     return $RETVAL
>>>>>>>> }
>>>>>>>> rhstatus() {
>>>>>>>>     status -p "${PIDFILE}" $prog
>>>>>>>> }
>>>>>>>> restart() {
>>>>>>>>     stop
>>>>>>>>     start
>>>>>>>> }
>>>>>>>>
>>>>>>>> case "$1" in
>>>>>>>>   start)
>>>>>>>>     start
>>>>>>>>     ;;
>>>>>>>>   stop)
>>>>>>>>     stop
>>>>>>>>     ;;
>>>>>>>>   restart)
>>>>>>>>     restart
>>>>>>>>     ;;
>>>>>>>>   reload|force-reload)
>>>>>>>>     reload
>>>>>>>>     ;;
>>>>>>>>   status)
>>>>>>>>     rhstatus
>>>>>>>>     ;;
>>>>>>>>   condrestart|try-restart)
>>>>>>>>     rhstatus >/dev/null 2>&1 || exit 0
>>>>>>>>     restart
>>>>>>>>     ;;
>>>>>>>>   *)
>>>>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>>>     exit 2
>>>>>>>> esac
>>>>>>>>
>>>>>>>> exit $?
>>>>>>>>
>>>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>>>> To: rsyslog-users
>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>>>>> Rainer: please let us know if the debug info of the "permission dropping:
>>>>>>>>>> hang+timeout" I send you can solve anything... anyway it works now - but
>>>>>>>>>> not optimal if other people have to service my setup...:-) !
>>>>>>>>>
>>>>>>>>> I have reviewed the debug log and I see nothing unexpected.
>>>>>>>>> From the timestamps I also see that there is no hang whatsoever. So it looks
>>>>>>>>> like there is some problem with the startup script, which I don't know. I
>>>>>>>>> suggest to ask what the FAILED status is caused by. We can then look why this
>>>>>>>>> happens.
>>>>>>>>>
>>>>>>>>> Sorry I have no better answer...
>>>>>>>>> Rainer
>>>>>>>>>
>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>> ~maymann
>>>>>>>>>>
>>>>>>>>>> 2012/2/1
>>>>>>>>>>
>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running
>>>>>>>>>>>> as root.
>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS
>>>>>>>>>>>> (and root export of NFS is generally not a good idea !).
From michael at maymann.org Fri Feb 3 11:23:52 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 11:23:52 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

Hi,

David: thanks for your reply...:-) !

This is not a known client causing the "???" entries - I don't know the ip(s)/hostname(s), and this is why I would like to log IP instead of hostname - as my guess is it is a network device without DNS entry...:-( !

Can I troubleshoot on the server somehow similar... or was that the intention all along...:-o !

Here is the client-debug output anyways...:
# cat messages-debug
Debug line with all properties:
FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info=" http://www.rsyslog.com"] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'

Debug line with all properties:
FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb 3 11:14:30 root: hej'

Thanks in advance :-) !
~maymann

2012/2/3
> oops, that should have been RSYSLOG_DebugFormat template.
>
> David Lang
>
> On Thu, 2 Feb 2012, david at lang.hm wrote:
>
>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>> From: david at lang.hm
>> Reply-To: rsyslog-users
>> To: rsyslog-users
>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>
>> what does one of these messages look like if you write it out with the
>> RSYSLOG_DEBUG template?
>>
>> David Lang
>>
>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>
>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>> From: Michael Maymann
>>> Reply-To: rsyslog-users
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>
>>> Please... Anyone?
>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
>>>
>>>> Hi,
>>>>
>>>> got it started... but still ??? dir+logfiles are showing up...
>>>> This is now my rsyslog.conf:
>>>> #SET PRIVILEGES
>>>> $PreserveFQDN on
>>>> $PrivDropToGroup
>>>> $PrivDropToUser
>>>> $DirCreateMode 0750
>>>> $FileCreateMode 0640
>>>> $UMASK 0027
>>>>
>>>> #LOAD MODULES
>>>> $ModLoad imudp
>>>> $UDPServerRun 514
>>>> $UDPServerAddress 127.0.0.1
>>>> $ModLoad imtcp
>>>> $InputTCPServerRun 514
>>>>
>>>> #SET DESTINATION FOR LOGS
>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> #SET LOGGING CONDITIONS
>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>
>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>
>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>>> ??? dir+files...
>>>> What variable should I use to handle this properly ?
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/2 Michael Maymann
>>>>
>>>>> Hi,
>>>>>
>>>>> David: thanks for your reply...
>>>>> Here is my new rsyslog.conf:
>>>>> #SET PRIVILEGES
>>>>> $PreserveFQDN on
>>>>> $PrivDropToGroup
>>>>> $PrivDropToUser
>>>>> $DirCreateMode 0750
>>>>> $FileCreateMode 0640
>>>>> $UMASK 0027
>>>>>
>>>>> #LOAD MODULES
>>>>> $ModLoad imudp
>>>>> $UDPServerRun 514
>>>>> $UDPServerAddress 127.0.0.1
>>>>> $ModLoad imtcp
>>>>> $InputTCPServerRun 514
>>>>>
>>>>> #SET DESTINATION FOR LOGS
>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>
>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>
>>>>> #SET LOGGING CONDITIONS
>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>
>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>
>>>>> but it fails...:
>>>>> # service rsyslog start
>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>>>>> [ OK ]
>>>>>
>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>>> is this done...
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/1
>>>>>
>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I want to log information about hosts that are not logging with correct
>>>>>>> HOSTNAME.
>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>>>>> to...
>>>>>>>
>>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>
>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>>> property.
>>>>>>
>>>>>> what you can do is to setup a different template and then if %fromhost%
>>>>>> is your special pattern you can log with this different template.
>>>>>>
>>>>>> David Lang

From rgerhards at hq.adiscon.com Fri Feb 3 16:43:09 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Feb 2012 16:43:09 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com>

I just checked where the ??? could be routed in. I see one case that happens when the DNS resolution fails. Would you be willing to run an instrumented build to capture a debug log so that we see when this happens?

rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > Sent: Friday, February 03, 2012 11:24 AM > To: rsyslog-users > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% > > Hi, > > David: thanks for you reply...:-) ! > > This is not a known client causing the "???" entries - I don't know the > ip(s)/hostname(s), and this is why i would like to log IP instead of hostname - > as my guess is it is a network device without DNS entry...:-( ! > > Can I troubleshoot on the server somehow similar... or was that the intention > all along...:-o ! > > Here is the client-debug output anyways...: > # cat messages-debug > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: > '', > PRI: 6, > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: > '-', MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-', > msg: 'imklog 4.6.2, log source = /proc/kmsg started.' > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.' > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.' 
> > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: > '', > PRI: 46, > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', > PROCID: '-', MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-', > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info=" > http://www.rsyslog.com"] (re)start' > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" > x-info="http://www.rsyslog.com"] (re)start' > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" > x-info="http://www.rsyslog.com"] (re)start' > > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: > '', > PRI: 13, > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', > MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-', > msg: ' hej' > escaped msg: ' hej' > rawmsg: '<13>Feb 3 11:14:30 root: hej' > > > Thanks in advance :-) ! > ~maymann > > > 2012/2/3 > > > oops, that should have been RSYSLOG_DebugFormat template. > > > > David Lang > > > > On Thu, 2 Feb 2012, david at lang.hm wrote: > > > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST) > >> From: david at lang.hm > >> > >> Reply-To: rsyslog-users > >> To: rsyslog-users > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == > %IP% > >> > >> what does one of these messages look like if you write it out with > >> the RSYSLOG_DEBUG template? > >> > >> David Lang > >> > >> On Fri, 3 Feb 2012, Michael Maymann wrote: > >> > >> Date: Fri, 3 Feb 2012 07:00:26 +0100 > >>> From: Michael Maymann > >>> Reply-To: rsyslog-users > >>> To: rsyslog-users > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == > >>> %IP% > >>> > >>> Please... Anyone? > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" > wrote: > >>> > >>> Hi, > >>>> > >>>> got it started... but still ??? dir+logfiles are showing up... 
> >>>> This is now my rsyslog.conf: > >>>> #SET PRIVILEGES > >>>> $PreserveFQDN on > >>>> $PrivDropToGroup > >>>> $PrivDropToUser > >>>> $DirCreateMode 0750 > >>>> $FileCreateMode 0640 > >>>> $UMASK 0027 > >>>> > >>>> #LOAD MODULES > >>>> $ModLoad imudp > >>>> $UDPServerRun 514 > >>>> $UDPServerAddress 127.0.0.1 > >>>> $ModLoad imtcp > >>>> $InputTCPServerRun 514 > >>>> > >>>> #SET DESTINATION FOR LOGS > >>>> $template > >>>> > DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > >>>> $MONTH%_messages" > >>>> $template > >>>> > DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO > NTH%_* > >>>> *secure" > >>>> $template > >>>> > DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO > NTH%_**maillog" > >>>> $template > >>>> > DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_** > >>>> cron" > >>>> $template > >>>> > DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO > NTH%_**spooler" > >>>> $template > >>>> > DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_** > >>>> boot.log" > >>>> $template > >>>> > DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_** > >>>> traps" > >>>> > >>>> $template > >>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>> YEAR%.%$MONTH%_messages" > >>>> $template > >>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>> YEAR%.%$MONTH%_secure" > >>>> $template > >>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>> YEAR%.%$MONTH%_maillog" > >>>> $template > >>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>> MONTH%_cron" > >>>> $template > >>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>> YEAR%.%$MONTH%_spooler" > >>>> $template > >>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>> MONTH%_boot.log" > >>>> $template > >>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>> MONTH%_traps" > >>>> > >>>> #SET LOGGING CONDITIONS > >>>> if 
$syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then > >>>> ?DYNsecure if $syslogfacility-text == 'mail' and $fromhost != '???' > >>>> then ?DYNmaillog if $syslogfacility-text == 'cron' and $fromhost != > >>>> '???' then ?DYNcron if $syslogseverity-text == 'crit' and $fromhost > >>>> != '???' then ?DYNspooler if $syslogfacility-text == 'local7' and > >>>> $fromhost != '???' then ?DYNboot if $syslogfacility-text == > >>>> 'local6' and $syslogseverity-text == 'WARNING' > >>>> and $fromhost != '???' then ?DYNtraps > >>>> > >>>> if $syslogseverity <= '6' and $fromhost == '???' then > >>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and $fromhost > >>>> == '???' then ?DYNIPsecure if $syslogfacility-text == 'mail' and > >>>> $fromhost == '???' then ?DYNIPmaillog if $syslogfacility-text == > >>>> 'cron' and $fromhost == '???' then ?DYNIPcron if > >>>> $syslogseverity-text == 'crit' and $fromhost == '???' then > >>>> ?DYNIPspooler if $syslogfacility-text == 'local7' and $fromhost == > >>>> '???' then ?DYNIPboot if $syslogfacility-text == 'local6' and > >>>> $syslogseverity-text == 'WARNING' > >>>> and $fromhost == '???' then ?DYNIPtraps > >>>> > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all > >>>> creates ??? dir+files... > >>>> What variable should I use to handle this properly ? > >>>> > >>>> > >>>> Thanks in advance :-) ! > >>>> ~maymann > >>>> > >>>> 2012/2/2 Michael Maymann > >>>> > >>>> Hi, > >>>>> > >>>>> David: thanks for your reply... 
> >>>>> Here is my new rsyslog.conf: > >>>>> #SET PRIVILEGES > >>>>> $PreserveFQDN on > >>>>> $PrivDropToGroup > >>>>> $PrivDropToUser > >>>>> $DirCreateMode 0750 > >>>>> $FileCreateMode 0640 > >>>>> $UMASK 0027 > >>>>> > >>>>> #LOAD MODULES > >>>>> $ModLoad imudp > >>>>> $UDPServerRun 514 > >>>>> $UDPServerAddress 127.0.0.1 > >>>>> $ModLoad imtcp > >>>>> $InputTCPServerRun 514 > >>>>> > >>>>> #SET DESTINATION FOR LOGS > >>>>> $template > >>>>> > DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%** > >>>>> $MONTH%_messages" > >>>>> $template > >>>>> > DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO > NTH%_**secure" > >>>>> $template > >>>>> > DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO > NTH%_** > >>>>> maillog" > >>>>> $template > >>>>> > DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_** > >>>>> cron" > >>>>> $template > >>>>> > DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO > NTH%_** > >>>>> spooler" > >>>>> $template > >>>>> > DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_**boot.log" > >>>>> $template > >>>>> > DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT > H%_* > >>>>> *traps" > >>>>> > >>>>> $template > >>>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>>> YEAR%.%$MONTH%_messages" > >>>>> $template > >>>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>>> YEAR%.%$MONTH%_secure" > >>>>> $template > >>>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>>> YEAR%.%$MONTH%_maillog" > >>>>> $template > >>>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>>> MONTH%_cron" > >>>>> $template > >>>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST- > IP%_%$** > >>>>> YEAR%.%$MONTH%_spooler" > >>>>> $template > >>>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>>> MONTH%_boot.log" > >>>>> $template > >>>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST- > IP%_%$YEAR%.%$** > >>>>> MONTH%_traps" > 
>>>>> > >>>>> #SET LOGGING CONDITIONS > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then > >>>>> ?DYNmessages if $syslogfacility-text == 'authpriv' and %FROMHOST% > >>>>> != '???' then ?DYNsecure if $syslogfacility-text == 'mail' and > >>>>> %FROMHOST% != '???' then ?DYNmaillog if $syslogfacility-text == > >>>>> 'cron' and %FROMHOST% != '???' then ?DYNcron if > >>>>> $syslogseverity-text == 'crit' and %FROMHOST% != '???' then > >>>>> ?DYNspooler if $syslogfacility-text == 'local7' and %FROMHOST% != > >>>>> '???' then ?DYNboot if $syslogfacility-text == 'local6' and > >>>>> $syslogseverity-text == 'WARNING' > >>>>> and %FROMHOST% != '???' then ?DYNtraps > >>>>> > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then > >>>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and > >>>>> %FROMHOST% == '???' then ?DYNIPsecure if $syslogfacility-text == > >>>>> 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog if > >>>>> $syslogfacility-text == 'cron' and %FROMHOST% == '???' then > >>>>> ?DYNIPcron if $syslogseverity-text == 'crit' and %FROMHOST% == > >>>>> '???' then ?DYNIPspooler if $syslogfacility-text == 'local7' and > >>>>> %FROMHOST% == '???' then ?DYNIPboot if $syslogfacility-text == > >>>>> 'local6' and $syslogseverity-text == 'WARNING' > >>>>> and %FROMHOST% == '???' then ?DYNIPtraps > >>>>> > >>>>> but it fails...: > >>>>> # service rsyslog start > >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see > >>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that > >>>>> number > >>>>> means) > >>>>> [ OK ] > >>>>> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format correct > >>>>> or how is this done... > >>>>> > >>>>> > >>>>> Thanks in advance :-) ! 
> >>>>> ~maymann > >>>>> > >>>>> > >>>>> 2012/2/1 > >>>>> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: > >>>>> > >>>>>> > >>>>>> Hi, > >>>>>> > >>>>>>> > >>>>>>> I want to log information about hosts that are not logging with > >>>>>>> correct HOSTNAME. > >>>>>>> In my current setup, I get a dir "???" where these host(s) are > >>>>>>> logging to... > >>>>>>> > >>>>>>> I would like to change this to the hosts IP instead, something like: > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP > >>>>>>> > >>>>>>> > >>>>>> rsyslog cannot do what you are asking. It can't assign a value to > >>>>>> a property. > >>>>>> > >>>>>> what you can do is to setup a different template and then if > >>>>>> %fromhost% is your special pattern you can log with this > >>>>>> different template. > >>>>>> > >>>>>> David Lang
From michael at maymann.org Fri Feb 3 17:02:52 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 3 Feb 2012 17:02:52 +0100 Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com> Message-ID: Sure...:-) ! ~maymann 2012/2/3 Rainer Gerhards > I just checked where the ??? could be routed in. I see one case that > happens > when the DNS resolution fails. Would you be willing to run an instrumented > build to capture a debug log so that we see when this happens? > > rainer
From michael at maymann.org Fri Feb 3 17:05:38 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 3 Feb 2012 17:05:38 +0100 Subject: [rsyslog] if %FROMHOST% == '???' 
then %FROMHOST% == %IP% In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com> Message-ID: Perhaps we could also figure this -thing out at the same time...:-) ! ~maymann 2012/2/3 Michael Maymann > Sure...:-) ! > > ~maymann > > > > 2012/2/3 Rainer Gerhards > >> I just checked where the ??? could be routed in. I see one case that >> happens >> when the DNS resolution fails. Would you be willing to run an >> instrumented >> build to capture a debug log so that we see when this happens? >> >> rainer >> >> > -----Original Message----- >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann >> > Sent: Friday, February 03, 2012 11:24 AM >> > To: rsyslog-users >> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% >> > >> > Hi, >> > >> > David: thanks for you reply...:-) ! >> > >> > This is not a known client causing the "???" entries - I don't know the >> > ip(s)/hostname(s), and this is why i would like to log IP instead of >> hostname - >> > as my guess is it is a network device without DNS entry...:-( ! >> > >> > Can I troubleshoot on the server somehow similar... or was that the >> intention >> > all along...:-o ! >> > >> > Here is the client-debug output anyways...: >> > # cat messages-debug >> > Debug line with all properties: >> > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: >> > '', >> > PRI: 6, >> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: >> > '-', MSGID: '-', >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-', >> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.' >> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.' >> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.' 
From rgerhards at hq.adiscon.com Fri Feb 3 17:06:05 2012
From: rgerhards at
hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Feb 2012 17:06:05 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728185E@GRFEXC.intern.adiscon.com>

Ok - I am right now upgrading a module to the v6 config format, will add some instrumentation as next step. Probably Monday.

rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 5:03 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Sure...:-) !
>
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards
>
> > I just checked where the ??? could be routed in. I see one case that
> > happens when the DNS resolution fails. Would you be willing to run an
> > instrumented build to capture a debug log so that we see when this
> > happens?
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > > Sent: Friday, February 03, 2012 11:24 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >
> > > Hi,
> > >
> > > David: thanks for you reply...:-) !
> > >
> > > This is not a known client causing the "???" entries - I don't know
> > > the ip(s)/hostname(s), and this is why i would like to log IP instead of hostname -
> > > as my guess is it is a network device without DNS entry...:-( !
> > >
> > > Can I troubleshoot on the server somehow similar... or was that the intention
> > > all along...:-o !
From rgerhards at hq.adiscon.com Fri Feb 3 17:09:28 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 3 Feb 2012 17:09:28 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728185F@GRFEXC.intern.adiscon.com>

Michael,

you really don't understand me: I do not see ANY problem at all what could be wrong in rsyslog (I don't say there is none...)! All I see is that it operates correctly! So tell me how should I instrument it? What to look for? And why?

I don't think I can help you here without further input on why the script reports this failure.

Don't be upset, but I won't respond any longer to this thread as it turns out to become a huge waste of time for me... I wish I had a better answer...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 5:06 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Perhaps we could also figure this -thing out at the same
> time...:-) !
>
> ~maymann
>
> 2012/2/3 Michael Maymann
>
> > Sure...:-) !
> >
> > ~maymann
> >
> >
> >
> > 2012/2/3 Rainer Gerhards
> >
> >> I just checked where the ??? could be routed in. I see one case that
> >> happens when the DNS resolution fails. Would you be willing to run
> >> an instrumented build to capture a debug log so that we see when this
> >> happens?
then > >> > >>>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and > >> > >>>>> %FROMHOST% == '???' then ?DYNIPsecure if $syslogfacility-text > >> > >>>>> == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog if > >> > >>>>> $syslogfacility-text == 'cron' and %FROMHOST% == '???' then > >> > >>>>> ?DYNIPcron if $syslogseverity-text == 'crit' and %FROMHOST% > >> > >>>>> == '???' then ?DYNIPspooler if $syslogfacility-text == > >> > >>>>> 'local7' and %FROMHOST% == '???' then ?DYNIPboot if > >> > >>>>> $syslogfacility-text == 'local6' and $syslogseverity-text == > 'WARNING' > >> > >>>>> and %FROMHOST% == '???' then ?DYNIPtraps > >> > >>>>> > >> > >>>>> but it fails...: > >> > >>>>> # service rsyslog start > >> > >>>>> Starting system logger: rsyslogd: run failed with error -2207 > >> > >>>>> (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn > >> > >>>>> what that number > >> > >>>>> means) > >> > >>>>> [ > >> > >>>>> OK ] > >> > >>>>> > >> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format > >> > >>>>> correct or how is this done... > >> > >>>>> > >> > >>>>> > >> > >>>>> Thanks in advance :-) ! > >> > >>>>> ~maymann > >> > >>>>> > >> > >>>>> > >> > >>>>> 2012/2/1 > >> > >>>>> > >> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: > >> > >>>>> > >> > >>>>>> > >> > >>>>>> Hi, > >> > >>>>>> > >> > >>>>>>> > >> > >>>>>>> I want to log information about hosts that are not logging > >> > >>>>>>> with correct HOSTNAME. > >> > >>>>>>> In my current setup, I get a dir "???" where these host(s) > >> > >>>>>>> are logging to... > >> > >>>>>>> > >> > >>>>>>> I would like to change this to the hosts IP instead, > >> > >>>>>>> something > >> like: > >> > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP > >> > >>>>>>> > >> > >>>>>>> > >> > >>>>>> rsyslog cannot do what you are asking. It can't assign a > >> > >>>>>> value to a property. 
> >> > >>>>>> > >> > >>>>>> what you can do is to setup a different template and then if > >> > >>>>>> %fromhost% is your special pattern you can log with this > >> > >>>>>> different template. > >> > >>>>>> > >> > >>>>>> David Lang > >> > >>>>>> > ______________________________****_________________ > >> > >>>>>> rsyslog mailing list > >> > >>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog< > >> http://list > >> > >>>>>> s.adiscon.net/**mailman/listinfo/rsyslog> > >> > >>>>>> >> http://lis > >> > >>>>>> ts.adiscon.net/mailman/listinfo/rsyslog> > >> > >>>>>> > > >> > >>>>>> http://www.rsyslog.com/****professional- > >> > services/ >> > >>>>>> log.com/**professional-services/> > >> > >>>>>> >> > **services/ >> > >>>>>> slog.com/professional-services/> > >> > >>>>>> > > >> > >>>>>> > >> > >>>>>> > >> > >>>>> > >> > >>>>> > >> > >>>> ______________________________**_________________ > >> > >>> rsyslog mailing list > >> > >>> http://lists.adiscon.net/**mailman/listinfo/rsyslog< > >> http://lists.adi > >> > >>> scon.net/mailman/listinfo/rsyslog> > >> > >>> http://www.rsyslog.com/**professional- > >> > services/ >> > >>> om/professional-services/> > >> > >>> > >> > >>> ______________________________**_________________ > >> > >> rsyslog mailing list > >> > >> http://lists.adiscon.net/**mailman/listinfo/rsyslog< > >> http://lists.adis > >> > >> con.net/mailman/listinfo/rsyslog> > >> > >> http://www.rsyslog.com/**professional- > >> > services/ >> > >> m/professional-services/> > >> > >> > >> > >> ______________________________**_________________ > >> > > rsyslog mailing list > >> > > http://lists.adiscon.net/**mailman/listinfo/rsyslog< > >> http://lists.adisc > >> > > on.net/mailman/listinfo/rsyslog> > >> > > http://www.rsyslog.com/**professional- > >> > services/ >> > > /professional-services/> > >> > > > >> > _______________________________________________ > >> > rsyslog mailing list > >> > http://lists.adiscon.net/mailman/listinfo/rsyslog > >> > 

From michael at maymann.org Fri Feb 3 17:22:54 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 17:22:54 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728185F@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728185B@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA728185F@GRFEXC.intern.adiscon.com>
Message-ID:

Perfect...:-) !

Hi Rainer: No problem. Taking this back to the original thread...
Have a nice weekend :-) !

Br.
~maymann

2012/2/3 Rainer Gerhards

> Michael,
>
> you really don't understand me: I do not see ANY problem at all what could be
> wrong in rsyslog (I don't say there is none...)! All I see is that it
> operates correctly! So tell me how should I instrument it? What to look for?
> And why?
>
> I don't think I can help you here without further input on why the script
> reports this failure. Don't be upset, but I won't respond any longer to this
> thread as it turns out to become a huge waste of time for me...
>
> I wish I had a better answer...
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Friday, February 03, 2012 5:06 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Perhaps we could also figure this -thing out at the same
> > time...:-) !
> >
> > ~maymann
> >
> > 2012/2/3 Michael Maymann
> >
> > > Sure...:-) !
> > >
> > > ~maymann
> > >
> > >
> > > 2012/2/3 Rainer Gerhards
> > >
> > >> I just checked where the ??? could be routed in. I see one case that
> > >> happens when the DNS resolution fails. Would you be willing to run
> > >> an instrumented build to capture a debug log so that we see when this
> > >> happens?
> > >>
> > >> rainer
> > >>
> > >> > -----Original Message-----
> > >> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > >> > Sent: Friday, February 03, 2012 11:24 AM
> > >> > To: rsyslog-users
> > >> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >> >
> > >> > Hi,
> > >> >
> > >> > David: thanks for your reply...:-) !
> > >> >
> > >> > This is not a known client causing the "???" entries - I don't know
> > >> > the ip(s)/hostname(s), and this is why i would like to log IP
> > >> > instead of hostname - as my guess is it is a network device
> > >> > without DNS entry...:-( !
> > >> >
> > >> > Can I troubleshoot on the server somehow similar... or was that the
> > >> > intention all along...:-o !
> > >> >
> > >> > Here is the client-debug output anyways...:
> > >> > # cat messages-debug
> > >> > Debug line with all properties:
> > >> > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 6,
> > >> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> >
> > >> > Debug line with all properties:
> > >> > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 46,
> > >> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> >
> > >> > Debug line with all properties:
> > >> > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 13,
> > >> > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > >> > msg: ' hej'
> > >> > escaped msg: ' hej'
> > >> > rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >> >
> > >> >
> > >> > Thanks in advance :-) !
> > >> > ~maymann
> > >> >
> > >> >
> > >> > 2012/2/3
> > >> >
> > >> > > oops, that should have been RSYSLOG_DebugFormat template.
> > >> > >
> > >> > > David Lang
> > >> > >
> > >> > > On Thu, 2 Feb 2012, david at lang.hm wrote:
> > >> > >
> > >> > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >> > >> From: david at lang.hm
> > >> > >> Reply-To: rsyslog-users
> > >> > >> To: rsyslog-users
> > >> > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >> > >>
> > >> > >> what does one of these messages look like if you write it out
> > >> > >> with the RSYSLOG_DEBUG template?

From michael at maymann.org Fri Feb 3 22:21:45 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 3 Feb 2012 22:21:45 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

starting it manually doesn't return the prompt either...:-( !
here is my current /etc/init.d/rsyslog.conf anyway...:
# cat /etc/init.d/rsyslog
#!/bin/bash
#set -x
#
# rsyslog Starts rsyslogd/rklogd.
#
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files. It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid
#PIDFILE=/tmp/syslogd.pid

prog=rsyslogd
#exec=/sbin/rsyslogd
exec=/usr/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog
#lockfile=/tmp/$prog

start() {
    [ -x $exec ] || exit 5

    # Source config
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    fi
    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> /tmp/rsyslog.log
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}
stop() {
    echo -n $"Shutting down system logger: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}
reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
    status -p "${PIDFILE}" $prog
}
restart() {
    stop
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload|force-reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart|try-restart)
    rhstatus >/dev/null 2>&1 || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
    exit 2
esac

exit $?

Please anyone who can help with this ?

Thanks in advance :-) !
~maymann

2012/2/3 Michael Maymann

> Hi,
>
> Yes I have, and now set them to /tmp just for testing, but same thing...:
> PIDFILE=/tmp/syslogd.pi
> lockfile=/tmp/$prog
>
> When started manually, it seems to be working just fine... also after 5
> minutes...:-) !:
> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
> root 14131 14128 0 09:04 pts/0 00:00:00 -bash
> 15442 14131 0 11:51 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n
>
> How can I implement similar behaviour to
> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>
>
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/3
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>
>> Hi,
>>>
>>> David: unfortunately this was not the case...:
>>> # cat /etc/sysconfig/selinux
>>> # This file controls the state of SELinux on the system.
>>> # SELINUX= can take one of these three values:
>>> # enforcing - SELinux security policy is enforced.
>>> # permissive - SELinux prints warnings instead of enforcing.
>>> # disabled - SELinux is fully disabled.
>>> SELINUX=disabled
>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>> # targeted - Only targeted network daemons are protected.
>>> # strict - Full SELinux protection.
>>> SELINUXTYPE=targeted
>>>
>>> What else could cause this problem ?
>>>
>>
>> possibly a silly question, but have you verified that the user you are
>> dropping privileges to has write permission on the directories that you
>> write logs (and any queue files) to?
>>
>> David Lang
>>
>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/2 Michael Maymann
>>>
>>> Hi,
>>>>
>>>> David: Thanks for your reply - sounds possible... I will try this first
>>>> thing tomorrow morning and report back with findings...
>>>>
>>>> Br.
>>>> ~maymann
>>>>
>>>> 2012/2/2
>>>>
>>>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>>
>>>>>
>>>>> Hi Rainer,
>>>>>
>>>>>>
>>>>>> I really have my doubts it has something to do with my startup script:
>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>>>
>>>>>> I'm running on RHEL6.1_x64.
>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>>>>> test...?
>>>>>>
>>>>>>
>>>>>
>>>>> my guess is that this is a SELINUX related problem.
>>>>>
>>>>> what happens if you try to start rsyslog manually (not by running the
>>>>> startup script, but just running 'rsyslogd -c 6' "
>>>>>
>>>>> David Lang
>>>>>
>>>>>
>>>>>
>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2 Michael Maymann
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>>
>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>>>>> failing in the logs... and it actually doesn't fail... it works and after
>>>>>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>>>>>> present, but now owned by the init-process (mother process dies):
>>>>>>>
>>>>>>> # service rsyslog start
>>>>>>> Starting system logger: [FAILED]
>>>>>>>
>>>>>>> BEFORE failed status:
>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>
>>>>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>>>>>> owned process therefore gets owned by init:
>>>>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>
>>>>>>> Anyone who can help with this...?:
>>>>>>> here is the debug output when starting running the init-script:
>>>>>>> #/etc/init.d/rsyslog start
>>>>>>> + . /etc/init.d/functions
>>>>>>> ++ TEXTDOMAIN=initscripts
>>>>>>> ++ umask 022
>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>>>> ++ export PATH
>>>>>>> ++ '[' -z '' ']'
>>>>>>> ++ COLUMNS=80
>>>>>>> ++ '[' -z '' ']'
>>>>>>> +++ /sbin/consoletype
>>>>>>> ++ CONSOLETYPE=pty
>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>>>> ++ . /etc/profile.d/lang.sh
>>>>>>> ++ unset LANGSH_SOURCED
>>>>>>> ++ '[' -z '' ']'
>>>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>>>> ++ . /etc/sysconfig/init
>>>>>>> +++ BOOTUP=color
>>>>>>> +++ RES_COL=60
>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>>>> +++ PROMPT=yes
>>>>>>> +++ AUTOSWAP=no
>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>>>> +++ SINGLE=/sbin/sushell
>>>>>>> ++ '[' pty = serial ']'
>>>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>>>> + RETVAL=0
>>>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>>>> + prog=rsyslogd
>>>>>>> + exec=/usr/sbin/rsyslogd
>>>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>>>> + case "$1" in
>>>>>>> + start
>>>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>>>> + . /etc/sysconfig/rsyslog
>>>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>>>> + umask 077
>>>>>>> + echo -n 'Starting system logger: '
>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>>>>> + local gotbase= force= nicelevel corelimit
>>>>>>> + local pid base= user= nice= bg= pid_file=
>>>>>>> + local cgroup=
>>>>>>> + nicelevel=0
>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>>>>> + case $1 in
>>>>>>> + pid_file=/var/run/syslogd.pid
>>>>>>> + shift
>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>>>> + '[' -z '' ']'
>>>>>>> + base=rsyslogd
>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>>>> + local base=rsyslogd
>>>>>>> + local pid_file=/var/run/syslogd.pid
>>>>>>> + pid=
>>>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>>>> + return 3
>>>>>>> + '[' -n '' -a -z '' ']'
>>>>>>> + corelimit='ulimit -S -c 0'
>>>>>>> + '[' -n '' ']'
>>>>>>> + '[' -n '' ']'
>>>>>>> + '[' color = verbose -a -z '' ']'
>>>>>>> + '[' -z '' ']'
>>>>>>> + /bin/bash -c 'ulimit
-S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd >>>>>>> -c >>>>>>> 6' >>>>>>> ... >>>>>>> (hangs here for a long time) >>>>>>> ... >>>>>>> + '[' 1 -eq 0 ']' >>>>>>> + failure 'rsyslogd startup' >>>>>>> + local rc=1 >>>>>>> + '[' color '!=' verbose -a -z '' ']' >>>>>>> + echo_failure >>>>>>> + '[' color = color ']' >>>>>>> + echo -en '\033[60G' >>>>>>> + echo -n >>>>>>> '[' >>>>>>> [+ '[' color = color ']' >>>>>>> + echo -en '\033[0;31m' >>>>>>> + echo -n FAILED >>>>>>> FAILED+ '[' color = color ']' >>>>>>> + echo -en '\033[0;39m' >>>>>>> + echo -n ']' >>>>>>> ]+ echo -ne '\r' >>>>>>> + return 1 >>>>>>> + '[' -x /usr/bin/plymouth ']' >>>>>>> + /usr/bin/plymouth --details >>>>>>> + return 1 >>>>>>> + RETVAL=1 >>>>>>> + echo >>>>>>> >>>>>>> + '[' 1 -eq 0 ']' >>>>>>> + return 1 >>>>>>> + exit 1 >>>>>>> >>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - >>>>>>> but >>>>>>> same thing happens... >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks in advance :-) ! >>>>>>> >>>>>>> Br. >>>>>>> ~maymann >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2012/2/2 Rainer Gerhards >>>>>>> >>>>>>> I can only help you with that part if you point me to why exactly >>>>>>> the >>>>>>> >>>>>>>> script >>>>>>>> claims what it does. So you may want to try find someone who can do >>>>>>>> that. >>>>>>>> I >>>>>>>> know this is probably a trivial question, but I don't know anything >>>>>>>> ;) >>>>>>>> >>>>>>>> Sry, rainer >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> >>>>>>>>> From: rsyslog-bounces at lists.adiscon.****com>>>>>>>> **adiscon.com >[mailto: >>>>>>>>> >>>>>>>>> rsyslog- >>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>> To: rsyslog-users >>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>> >>>>>>>>> Here is my startup script... only thing changed is the path to the >>>>>>>>> new >>>>>>>>> 6.3.6-rsyslog-devel binary. 
>>>>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes >>>>>>>>> if i >>>>>>>>> have >>>>>>>>> both or one of the entries...: >>>>>>>>> #!/bin/bash >>>>>>>>> # >>>>>>>>> # rsyslog Starts rsyslogd/rklogd. >>>>>>>>> # >>>>>>>>> # >>>>>>>>> # chkconfig: 2345 12 88 >>>>>>>>> # description: Syslog is the facility by which many daemons use to >>>>>>>>> log >>>>>>>>> \ >>>>>>>>> # messages to various system log files. It is a good idea to >>>>>>>>> always \ >>>>>>>>> # run rsyslog. >>>>>>>>> ### BEGIN INIT INFO >>>>>>>>> # Provides: $syslog >>>>>>>>> # Required-Start: $local_fs >>>>>>>>> # Required-Stop: $local_fs >>>>>>>>> # Default-Start: 2 3 4 5 >>>>>>>>> # Default-Stop: 0 1 6 >>>>>>>>> # Short-Description: Enhanced system logging and kernel message >>>>>>>>> trapping >>>>>>>>> daemons >>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd >>>>>>>>> supporting, >>>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted >>>>>>>>> # sender lists, filtering on any message part, and >>>>>>>>> fine >>>>>>>>> # grain output format control. >>>>>>>>> ### END INIT INFO >>>>>>>>> >>>>>>>>> # Source function library. >>>>>>>>> . /etc/init.d/functions >>>>>>>>> >>>>>>>>> RETVAL=0 >>>>>>>>> PIDFILE=/var/run/syslogd.pid >>>>>>>>> >>>>>>>>> prog=rsyslogd >>>>>>>>> #exec=/sbin/rsyslogd >>>>>>>>> exec=/usr/sbin/rsyslogd >>>>>>>>> lockfile=/var/lock/subsys/$****prog >>>>>>>>> >>>>>>>>> >>>>>>>>> start() { >>>>>>>>> [ -x $exec ] || exit 5 >>>>>>>>> >>>>>>>>> # Source config >>>>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then >>>>>>>>> . /etc/sysconfig/rsyslog >>>>>>>>> fi >>>>>>>>> umask 077 >>>>>>>>> >>>>>>>>> echo -n $"Starting system logger: " >>>>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >>>>>>>>> RETVAL=$? 
>>>>>>>>> echo >>>>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile >>>>>>>>> return $RETVAL >>>>>>>>> } >>>>>>>>> stop() { >>>>>>>>> echo -n $"Shutting down system logger: " >>>>>>>>> killproc $prog >>>>>>>>> RETVAL=$? >>>>>>>>> echo >>>>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile >>>>>>>>> return $RETVAL >>>>>>>>> } >>>>>>>>> reload() { >>>>>>>>> RETVAL=1 >>>>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) >>>>>>>>> echo -n "Reloading system logger..." >>>>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >>>>>>>>> kill -HUP "$syslog"; >>>>>>>>> RETVAL=$? >>>>>>>>> fi >>>>>>>>> if [ $RETVAL -ne 0 ]; then >>>>>>>>> failure >>>>>>>>> else >>>>>>>>> success >>>>>>>>> fi >>>>>>>>> echo >>>>>>>>> return $RETVAL >>>>>>>>> } >>>>>>>>> rhstatus() { >>>>>>>>> status -p "${PIDFILE}" $prog >>>>>>>>> } >>>>>>>>> restart() { >>>>>>>>> stop >>>>>>>>> start >>>>>>>>> } >>>>>>>>> >>>>>>>>> case "$1" in >>>>>>>>> start) >>>>>>>>> start >>>>>>>>> ;; >>>>>>>>> stop) >>>>>>>>> stop >>>>>>>>> ;; >>>>>>>>> restart) >>>>>>>>> restart >>>>>>>>> ;; >>>>>>>>> reload|force-reload) >>>>>>>>> reload >>>>>>>>> ;; >>>>>>>>> status) >>>>>>>>> rhstatus >>>>>>>>> ;; >>>>>>>>> condrestart|try-restart) >>>>>>>>> rhstatus >/dev/null 2>&1 || exit 0 >>>>>>>>> restart >>>>>>>>> ;; >>>>>>>>> *) >>>>>>>>> echo $"Usage: $0 >>>>>>>>> {start|stop|restart|****condrestart|try-restart|****reload|force- >>>>>>>>> >>>>>>>>> reload|status}" >>>>>>>>> exit 2 >>>>>>>>> esac >>>>>>>>> >>>>>>>>> exit $? 
>>>>>>>>> >>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Original Message----- >>>>>>>>>> >>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.****com< >>>>>>>>>>> rsyslog-bounces at lists.**adiscon.com >>>>>>>>>>> >[mailto: >>>>>>>>>>> >>>>>>>>>>> rsyslog- >>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>>>> To: rsyslog-users >>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> David: thanks - got it working with permission dropping, by far >>>>>>>>>>> my >>>>>>>>>>> prefered >>>>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>>>> Rainer: please let us know if the debug info of the "permission >>>>>>>>>>> dropping: >>>>>>>>>>> hang+timeout" I send you can solve anything... anyway it works >>>>>>>>>>> now >>>>>>>>>>> >>>>>>>>>>> - >>>>>>>>>> >>>>>>>>> >>>>>>>>> but >>>>>>>>>> >>>>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From >>>>>>>>>> the >>>>>>>>>> timestamps I also see that there is no hang whatsoever. So it >>>>>>>>>> looks >>>>>>>>>> >>>>>>>>>> like >>>>>>>>> >>>>>>>>> there is some problem with the startup script, which I don't >>>>>>>>>> know. I >>>>>>>>>> suggest >>>>>>>>>> to ask what the FAILED status is caused by. We can then look why >>>>>>>>>> this >>>>>>>>>> happens. >>>>>>>>>> >>>>>>>>>> Sorry I have no better answer... >>>>>>>>>> Rainer >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thanks in advance :-) ! 
>>>>>>>>>>> ~maymann >>>>>>>>>>> >>>>>>>>>>> 2012/2/1 >>>>>>>>>>> >>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working >>>>>>>>>>>>> >>>>>>>>>>>>> fine >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> running >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> as root. >>>>>>>>>>>> >>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>>>> >>>>>>>>>>>>> located >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> on NFS >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> (and root export of NFS is generally not a good idea !). >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Here is my rsyslog.conf: >>>>>>>>>>>>> #LOAD MODULES >>>>>>>>>>>>> $ModLoad imudp >>>>>>>>>>>>> $UDPServerRun 514 >>>>>>>>>>>>> $UDPServerAddress 127.0.0.1 >>>>>>>>>>>>> $ModLoad imtcp >>>>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>>>> #SET DESTINATION FOR LOGS >>>>>>>>>>>>> $template >>>>>>>>>>>>> DYNmessages,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>>>>>>>> **** >>>>>>>>>>>>> $MONTH%_messages" >>>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> DYNsecure,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>>>>>> ** >>>>>>>>>>> >>>>>>>>>> **$MONTH%_secure" >>>>>>>>> >>>>>>>>> $template >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> DYNmaillog,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%* >>>>>>>>>>> *** >>>>>>>>>>> >>>>>>>>>> **$MONTH%_maillo >>>>>>>>> >>>>>>>>> g" >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> $template >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> DYNcron,"/%FROMHOST%/******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>> MONTH%_**** >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> cron" >>>>>>>>>>>> >>>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> DYNspooler,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%* >>>>>>>>>>> *** >>>>>>>>>>> >>>>>>>>>> **$MONTH%_spoole >>>>>>>>> >>>>>>>>> r" >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> $template >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 
DYNboot,"/%FROMHOST%/******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>> MONTH%_** >>>>>>>>>>> >>>>>>>>>> **boot.log" >>>>>>>>> >>>>>>>>> $template >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>>> DYNtraps,"/%FROMHOST%******/%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>> MONTH%** >>>>>>>>>>>> >>>>>>>>>>> _** >>>>>>>>>>> >>>>>>>>>>> traps" >>>>>>>>>>>> >>>>>>>>>>>>> #SET LOGGING CONDITIONS >>>>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages >>>>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure >>>>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog >>>>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron >>>>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler >>>>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot >>>>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>>>>>>>>> >>>>>>>>>>>>> 'WARNING' >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> then ?DYNtraps >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root >>>>>>>>>>>>> >>>>>>>>>>>>> user: >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> 2012-01-31T15:45:52.997693+02:******00 rsyslogd: >>>>>>>>>> [origin >>>>>>>>>> >>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >>>>>>>>>>>>> http://www.rsyslog.com"] start >>>>>>>>>>>>> 2012-01-31T15:45:52.997294+02:******00 rsyslogd: >>>>>>>>>>>>> bind: >>>>>>>>>>>>> >>>>>>>>>>>>> Permission >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> denied >>>>>>>>>>>> >>>>>>>>>>>>> 2012-01-31T15:45:52.997369+02:******00 rsyslogd: >>>>>>>>>>>>> bind: >>>>>>>>>>>>> >>>>>>>>>>>>> Permission >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> denied >>>>>>>>>>>> >>>>>>>>>>>>> 2012-01-31T15:45:52.997374+02:******00 rsyslogd: >>>>>>>>>>>>> No UDP >>>>>>>>>>>>> >>>>>>>>>>>>> listen >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> socket >>>>>>>>>>>> >>>>>>>>>>>>> could successfully be initialized, message reception via UDP >>>>>>>>>>>>> >>>>>>>>>>>>> disabled. 
>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2012-01-31T15:45:52.997376+02:******00 rsyslogd: >>>>>>>>>>>> imudp: >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> no >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> listeners >>>>>>>>>> >>>>>>>>>>> could be started, input not activated. >>>>>>>>>>>>> 2012-01-31T15:45:52.997379+02:******00 rsyslogd3: >>>>>>>>>>>>> >>>>>>>>>>>>> activation >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> of >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> module >>>>>>>>>>>> >>>>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] >>>>>>>>>>>>> 2012-01-31T15:45:52.997643+02:******00 >>>>>>>>>>>>> rsyslogd-2077: >>>>>>>>>>>>> >>>>>>>>>>>>> Could >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> not >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> create >>>>>>>>>>>> >>>>>>>>>>>>> tcp listener, ignoring port 514. [try >>>>>>>>>>>>> >>>>>>>>>>>>> http://www.rsyslog.com/e/2077 >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> ] >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> So permissions to bind and sockets seems to be the problem... >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without >>>>>>>>>>>> >>>>>>>>>>>> making >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> some >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> other non-standard changes through sysctl) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root >>>>>>>>>>>> >>>>>>>>>>>> user >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> - if >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> yes: how ? >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> permission drop features >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run >>>>>>>>>>>> >>>>>>>>>>>> rsyslog >>>>>>>>>>> >>>>>>>>>>> server - if yes: how ? >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> pick a listening port > 1024 and it should work. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can >>>>>>>>>>>> >>>>>>>>>>>> chkconfig do >>>>>>>>>>> >>>>>>>>>>> this ? 
do I need to edit /etc/init.d/rsyslog - if yes: how ? >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> su can run a command as a different user. >>>>>>>>>>>> >>>>>>>>>>>> although as Rainer points out, you may just be looking for the >>>>>>>>>>>> >>>>>>>>>>>> permission >>>>>>>>>>> >>>>>>>>>>> dropping features that are already in rsyslog. >>>>>>>>>>>> >>>>>>>>>>>> David Lang >>>>>>>>>>>> >>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> n.net/mailman/listinfo/**rsyslog** >>>>>>>>>> > >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> http://www.rsyslog.com/******professional- >>>>>>>>>>>> >>>>>>>>>>>> > >>>>>>>>>>>> >>>>>>>>>>>> services/>>>>>>>>>> **tp://www.rsyslog.com/**professional-services/ >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> ______________________________****_________________ >>>>>>>>>>>> >>>>>>>>>>> rsyslog mailing list >>>>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> http://www.rsyslog.com/****professional-services/ >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>>> ______________________________****_________________ >>>>>>>>>> rsyslog mailing list >>>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>>> >>>>>>>>>> > >>>>>>>>>> http://www.rsyslog.com/****professional-services/ >>>>>>>>>> >>>>>>>>>> > >>>>>>>>>> >>>>>>>>>> ______________________________****_________________ >>>>>>>>>> >>>>>>>>> rsyslog mailing list >>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>> >>>>>>>>> > >>>>>>>>> http://www.rsyslog.com/****professional-services/ >>>>>>>>> >>>>>>>>> > >>>>>>>>> >>>>>>>>> ______________________________****_________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog 
From david at lang.hm Sat Feb 4 04:23:46 2012
From: david at lang.hm (david at lang.hm)
Date: Fri, 3 Feb 2012 19:23:46 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

On Fri, 3 Feb 2012, Michael Maymann wrote:

> starting it manually doesn't return the prompt either...:-( !

I wouldn't expect it to return to the prompt with backgrounding disabled. The question is does it work?

If you start it manually without the -n option, does it work or does it stop entirely?

David Lang

> here is my current /etc/init.d/rsyslog.conf anyway...:
> # cat /etc/init.d/rsyslog
> #!/bin/bash
> #set -x
> #
> # rsyslog Starts rsyslogd/rklogd.
> #
> #
> # chkconfig: 2345 12 88
> # description: Syslog is the facility by which many daemons use to log \
> # messages to various system log files. It is a good idea to always \
> # run rsyslog.
> ### BEGIN INIT INFO
> # Provides: $syslog
> # Required-Start: $local_fs
> # Required-Stop: $local_fs
> # Default-Start: 2 3 4 5
> # Default-Stop: 0 1 6
> # Short-Description: Enhanced system logging and kernel message trapping daemons
> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
> # among others, MySQL, syslog/tcp, RFC 3195, permitted
> # sender lists, filtering on any message part, and fine
> # grain output format control.
> ### END INIT INFO
> # Source function library.
> . /etc/init.d/functions
> RETVAL=0
> PIDFILE=/var/run/syslogd.pid
> #PIDFILE=/tmp/syslogd.pid
> prog=rsyslogd
> #exec=/sbin/rsyslogd
> exec=/usr/sbin/rsyslogd
> lockfile=/var/lock/subsys/$prog
> #lockfile=/tmp/$prog
> start() {
>     [ -x $exec ] || exit 5
>     # Source config
>     if [ -f /etc/sysconfig/rsyslog ] ; then
>         . /etc/sysconfig/rsyslog
>     fi
>     umask 077
>     echo -n $"Starting system logger: "
>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> /tmp/rsyslog.log
>     RETVAL=$?
>     echo
>     [ $RETVAL -eq 0 ] && touch $lockfile
>     return $RETVAL
> }
> stop() {
>     echo -n $"Shutting down system logger: "
>     killproc $prog
>     RETVAL=$?
>     echo
>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>     return $RETVAL
> }
> reload() {
>     RETVAL=1
>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>     echo -n "Reloading system logger..."
>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>         kill -HUP "$syslog";
>         RETVAL=$?
>     fi
>     if [ $RETVAL -ne 0 ]; then
>         failure
>     else
>         success
>     fi
>     echo
>     return $RETVAL
> }
> rhstatus() {
>     status -p "${PIDFILE}" $prog
> }
> restart() {
>     stop
>     start
> }
> case "$1" in
>     start)
>         start
>         ;;
>     stop)
>         stop
>         ;;
>     restart)
>         restart
>         ;;
>     reload|force-reload)
>         reload
>         ;;
>     status)
>         rhstatus
>         ;;
>     condrestart|try-restart)
>         rhstatus >/dev/null 2>&1 || exit 0
>         restart
>         ;;
>     *)
>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>         exit 2
> esac
> exit $?
>
>
> Please anyone who can help with this ?
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/3 Michael Maymann
>
>> Hi,
>>
>> Yes I have, and now set them to /tmp just for testing, but same thing...:
>> PIDFILE=/tmp/syslogd.pi
>> lockfile=/tmp/$prog
>>
>> When started manually, it seems to be working just fine... also after 5
>> minutes...:-) !:
>> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
>> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
>> root 14131 14128 0 09:04 pts/0 00:00:00 -bash
>> 15442 14131 0 11:51 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n
>>
>> How can I implement similar behaviour to
>> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>>
>>
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/3
>>
>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>
>>> Hi,
>>>>
>>>> David: unfortunately this was not the case...:
>>>> # cat /etc/sysconfig/selinux
>>>> # This file controls the state of SELinux on the system.
>>>> # SELINUX= can take one of these three values:
>>>> # enforcing - SELinux security policy is enforced.
>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>> # disabled - SELinux is fully disabled.
>>>> SELINUX=disabled
>>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>>> # targeted - Only targeted network daemons are protected.
>>>> # strict - Full SELinux protection.
>>>> SELINUXTYPE=targeted
>>>>
>>>> What else could cause this problem ?
>>>>
>>>
>>> possibly a silly question, but have you verified that the user you are
>>> dropping privileges to has write permission on the directories that you
>>> write logs (and any queue files) to?
>>>
>>> David Lang
>>>
>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/2 Michael Maymann
>>>>
>>>> Hi,
>>>>>
>>>>> David: Thanks for your reply - sounds possible... I will try this first
>>>>> thing tomorrow morning and report back with findings...
>>>>>
>>>>> Br.
>>>>> ~maymann >>>>> >>>>> 2012/2/2 >>>>> >>>>> On Thu, 2 Feb 2012, Michael Maymann wrote: >>>>> >>>>>> >>>>>> Hi Rainer, >>>>>> >>>>>>> >>>>>>> I really have my doubts it has something to do with my startup script: >>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default >>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf. >>>>>>> >>>>>>> I'm running on RHEL6.1_x64. >>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can >>>>>>> test...? >>>>>>> >>>>>>> >>>>>> >>>>>> my guess is that this is a SELINUX related problem. >>>>>> >>>>>> what happens if you try to start rsyslog manually (not by running the >>>>>> startup script, but just running 'rsyslogd -c 6' " >>>>>> >>>>>> David Lang >>>>>> >>>>>> >>>>>> >>>>>> Thanks in advance :-) ! >>>>>>> ~maymann >>>>>>> >>>>>>> 2012/2/2 Michael Maymann >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>>> >>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about >>>>>>>> failing in the logs... and it actually doesn't fail... it works and >>>>>>>> after >>>>>>>> the timeout+failed notice only the proccess owned by >>>>>>>> PrivDropToUser-USER is >>>>>>>> present, but now owned by the init-proccess (mother proccess dies): >>>>>>>> >>>>>>>> # service rsyslog start >>>>>>>> Starting system logger: [FAILED] >>>>>>>> >>>>>>>> BEFORE failed status: >>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd >>>>>>>> -c 6 >>>>>>>> 9131 9126 0 11:07 ? 00:00:00 >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> >>>>>>>> AFTER failed status root-owned proccess is killed and >>>>>>>> PrivDropToUser-USER >>>>>>>> owned proccess is therefore gets owned by init: >>>>>>>> 9131 1 0 11:07 ? 00:00:00 >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> >>>>>>>> Anyone who can help with this...?: >>>>>>>> here is the debug output when starting running the init-script: >>>>>>>> #/etc/init.d/rsyslog start >>>>>>>> + . 
/etc/init.d/functions >>>>>>>> ++ TEXTDOMAIN=initscripts >>>>>>>> ++ umask 022 >>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/****usr/bin >>>>>>>> >>>>>>>> ++ export PATH >>>>>>>> ++ '[' -z '' ']' >>>>>>>> ++ COLUMNS=80 >>>>>>>> ++ '[' -z '' ']' >>>>>>>> +++ /sbin/consoletype >>>>>>>> ++ CONSOLETYPE=pty >>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >>>>>>>> ++ . /etc/profile.d/lang.sh >>>>>>>> ++ unset LANGSH_SOURCED >>>>>>>> ++ '[' -z '' ']' >>>>>>>> ++ '[' -f /etc/sysconfig/init ']' >>>>>>>> ++ . /etc/sysconfig/init >>>>>>>> +++ BOOTUP=color >>>>>>>> +++ RES_COL=60 >>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G' >>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' >>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >>>>>>>> +++ PROMPT=yes >>>>>>>> +++ AUTOSWAP=no >>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]****' >>>>>>>> >>>>>>>> +++ SINGLE=/sbin/sushell >>>>>>>> ++ '[' pty = serial ']' >>>>>>>> ++ >>>>>>>> __sed_discard_ignored_files='/****\(~\|\.bak\|\.orig\|\.**rpmnew\|** >>>>>>>> \.rpmorig\|\.rpmsave\)$/d' >>>>>>>> + RETVAL=0 >>>>>>>> + PIDFILE=/var/run/syslogd.pid >>>>>>>> + prog=rsyslogd >>>>>>>> + exec=/usr/sbin/rsyslogd >>>>>>>> + lockfile=/var/lock/subsys/****rsyslogd >>>>>>>> >>>>>>>> + case "$1" in >>>>>>>> + start >>>>>>>> + '[' -x /usr/sbin/rsyslogd ']' >>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']' >>>>>>>> + . 
/etc/sysconfig/rsyslog >>>>>>>> ++ SYSLOGD_OPTIONS='-c 6' >>>>>>>> + umask 077 >>>>>>>> + echo -n 'Starting system logger: ' >>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> + local gotbase= force= nicelevel corelimit >>>>>>>> + local pid base= user= nice= bg= pid_file= >>>>>>>> + local cgroup= >>>>>>>> + nicelevel=0 >>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' >>>>>>>> -pidfile=/var/run/syslogd.pid >>>>>>>> ']' >>>>>>>> + case $1 in >>>>>>>> + pid_file=/var/run/syslogd.pid >>>>>>>> + shift >>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >>>>>>>> + '[' -z '' ']' >>>>>>>> + base=rsyslogd >>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid >>>>>>>> + local base=rsyslogd >>>>>>>> + local pid_file=/var/run/syslogd.pid >>>>>>>> + pid= >>>>>>>> + '[' -f /var/run/syslogd.pid ']' >>>>>>>> + return 3 >>>>>>>> + '[' -n '' -a -z '' ']' >>>>>>>> + corelimit='ulimit -S -c 0' >>>>>>>> + '[' -n '' ']' >>>>>>>> + '[' -n '' ']' >>>>>>>> + '[' color = verbose -a -z '' ']' >>>>>>>> + '[' -z '' ']' >>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd >>>>>>>> -c >>>>>>>> 6' >>>>>>>> ... >>>>>>>> (hangs here for a long time) >>>>>>>> ... 
>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>> + failure 'rsyslogd startup' >>>>>>>> + local rc=1 >>>>>>>> + '[' color '!=' verbose -a -z '' ']' >>>>>>>> + echo_failure >>>>>>>> + '[' color = color ']' >>>>>>>> + echo -en '\033[60G' >>>>>>>> + echo -n >>>>>>>> '[' >>>>>>>> [+ '[' color = color ']' >>>>>>>> + echo -en '\033[0;31m' >>>>>>>> + echo -n FAILED >>>>>>>> FAILED+ '[' color = color ']' >>>>>>>> + echo -en '\033[0;39m' >>>>>>>> + echo -n ']' >>>>>>>> ]+ echo -ne '\r' >>>>>>>> + return 1 >>>>>>>> + '[' -x /usr/bin/plymouth ']' >>>>>>>> + /usr/bin/plymouth --details >>>>>>>> + return 1 >>>>>>>> + RETVAL=1 >>>>>>>> + echo >>>>>>>> >>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>> + return 1 >>>>>>>> + exit 1 >>>>>>>> >>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - >>>>>>>> but >>>>>>>> same thing happens... >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thanks in advance :-) ! >>>>>>>> >>>>>>>> Br. >>>>>>>> ~maymann >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>> >>>>>>>> I can only help you with that part if you point me to why exactly >>>>>>>> the >>>>>>>> >>>>>>>>> script >>>>>>>>> claims what it does. So you may want to try find someone who can do >>>>>>>>> that. >>>>>>>>> I >>>>>>>>> know this is probably a trivial question, but I don't know anything >>>>>>>>> ;) >>>>>>>>> >>>>>>>>> Sry, rainer >>>>>>>>> >>>>>>>>> -----Original Message----- >>>>>>>>> >>>>>>>>>> From: rsyslog-bounces at lists.adiscon.****com>>>>>>>>> **adiscon.com >[mailto: >>>>>>>>>> >>>>>>>>>> rsyslog- >>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>>> To: rsyslog-users >>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>> >>>>>>>>>> Here is my startup script... only thing changed is the path to the >>>>>>>>>> new >>>>>>>>>> 6.3.6-rsyslog-devel binary. 
>>>>>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes >>>>>>>>>> if i >>>>>>>>>> have >>>>>>>>>> both or one of the entries...: >>>>>>>>>> #!/bin/bash >>>>>>>>>> # >>>>>>>>>> # rsyslog Starts rsyslogd/rklogd. >>>>>>>>>> # >>>>>>>>>> # >>>>>>>>>> # chkconfig: 2345 12 88 >>>>>>>>>> # description: Syslog is the facility by which many daemons use to >>>>>>>>>> log >>>>>>>>>> \ >>>>>>>>>> # messages to various system log files. It is a good idea to >>>>>>>>>> always \ >>>>>>>>>> # run rsyslog. >>>>>>>>>> ### BEGIN INIT INFO >>>>>>>>>> # Provides: $syslog >>>>>>>>>> # Required-Start: $local_fs >>>>>>>>>> # Required-Stop: $local_fs >>>>>>>>>> # Default-Start: 2 3 4 5 >>>>>>>>>> # Default-Stop: 0 1 6 >>>>>>>>>> # Short-Description: Enhanced system logging and kernel message >>>>>>>>>> trapping >>>>>>>>>> daemons >>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd >>>>>>>>>> supporting, >>>>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted >>>>>>>>>> # sender lists, filtering on any message part, and >>>>>>>>>> fine >>>>>>>>>> # grain output format control. >>>>>>>>>> ### END INIT INFO >>>>>>>>>> >>>>>>>>>> # Source function library. >>>>>>>>>> . /etc/init.d/functions >>>>>>>>>> >>>>>>>>>> RETVAL=0 >>>>>>>>>> PIDFILE=/var/run/syslogd.pid >>>>>>>>>> >>>>>>>>>> prog=rsyslogd >>>>>>>>>> #exec=/sbin/rsyslogd >>>>>>>>>> exec=/usr/sbin/rsyslogd >>>>>>>>>> lockfile=/var/lock/subsys/$****prog >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> start() { >>>>>>>>>> [ -x $exec ] || exit 5 >>>>>>>>>> >>>>>>>>>> # Source config >>>>>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then >>>>>>>>>> . /etc/sysconfig/rsyslog >>>>>>>>>> fi >>>>>>>>>> umask 077 >>>>>>>>>> >>>>>>>>>> echo -n $"Starting system logger: " >>>>>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >>>>>>>>>> RETVAL=$? 
>>>>>>>>>> echo >>>>>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> stop() { >>>>>>>>>> echo -n $"Shutting down system logger: " >>>>>>>>>> killproc $prog >>>>>>>>>> RETVAL=$? >>>>>>>>>> echo >>>>>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> reload() { >>>>>>>>>> RETVAL=1 >>>>>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) >>>>>>>>>> echo -n "Reloading system logger..." >>>>>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >>>>>>>>>> kill -HUP "$syslog"; >>>>>>>>>> RETVAL=$? >>>>>>>>>> fi >>>>>>>>>> if [ $RETVAL -ne 0 ]; then >>>>>>>>>> failure >>>>>>>>>> else >>>>>>>>>> success >>>>>>>>>> fi >>>>>>>>>> echo >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> rhstatus() { >>>>>>>>>> status -p "${PIDFILE}" $prog >>>>>>>>>> } >>>>>>>>>> restart() { >>>>>>>>>> stop >>>>>>>>>> start >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> case "$1" in >>>>>>>>>> start) >>>>>>>>>> start >>>>>>>>>> ;; >>>>>>>>>> stop) >>>>>>>>>> stop >>>>>>>>>> ;; >>>>>>>>>> restart) >>>>>>>>>> restart >>>>>>>>>> ;; >>>>>>>>>> reload|force-reload) >>>>>>>>>> reload >>>>>>>>>> ;; >>>>>>>>>> status) >>>>>>>>>> rhstatus >>>>>>>>>> ;; >>>>>>>>>> condrestart|try-restart) >>>>>>>>>> rhstatus >/dev/null 2>&1 || exit 0 >>>>>>>>>> restart >>>>>>>>>> ;; >>>>>>>>>> *) >>>>>>>>>> echo $"Usage: $0 >>>>>>>>>> {start|stop|restart|****condrestart|try-restart|****reload|force- >>>>>>>>>> >>>>>>>>>> reload|status}" >>>>>>>>>> exit 2 >>>>>>>>>> esac >>>>>>>>>> >>>>>>>>>> exit $? 
>>>>>>>>>> >>>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>>> >>>>>>>>>>> -----Original Message----- >>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> David: thanks - got it working with permission dropping, by far my preferred configuration... just didn't know of it...:-) ! >>>>>>>>>>>> Rainer: please let us know if the debug info of the "permission dropping: hang+timeout" I send you can solve anything... anyway it works now - but not optimal if other people have to service my setup...:-) ! >>>>>>>>>>>> >>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the timestamps I also see that there is no hang whatsoever. So it looks like there is some problem with the startup script, which I don't know. I suggest to ask what the FAILED status is caused by. We can then look why this happens. >>>>>>>>>>> >>>>>>>>>>> Sorry I have no better answer... >>>>>>>>>>> Rainer >>>>>>>>>>> >>>>>>>>>>>> Thanks in advance :-) ! 
>>>>>>>>>>>> ~maymann
From david at lang.hm Sat Feb 4 04:39:20 2012 From: david at lang.hm (david at lang.hm) Date: Fri, 3 Feb 2012 19:39:20 -0800 (PST) Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% In-Reply-To: References: Message-ID: I was actually meaning for you to do this on the server where you are seeing the ??? show up. 
but this does show that the sending machine thinks it's doing everything correctly (assuming the you put in the message below is actually correct) what I would want to see from the server log is one of the messages with the ??? in it that you are trying to fix. David Lang On Fri, 3 Feb 2012, Michael Maymann wrote: > Hi, > > David: thanks for your reply...:-) ! > > This is not a known client causing the "???" entries - I don't know the > ip(s)/hostname(s), and this is why i would like to log IP instead of > hostname - as my guess is it is a network device without DNS entry...:-( ! > > Can I troubleshoot on the server somehow similar... or was that the > intention all along...:-o ! > > Here is the client-debug output anyways...: > # cat messages-debug > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', > PRI: 6, > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: > '-', MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-', > msg: 'imklog 4.6.2, log source = /proc/kmsg started.' > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.' > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.' 
> > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', > PRI: 46, > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', > PROCID: '-', MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-', > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info=" > http://www.rsyslog.com"] (re)start' > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" > x-info="http://www.rsyslog.com"] (re)start' > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" > x-info="http://www.rsyslog.com"] (re)start' > > Debug line with all properties: > FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', > PRI: 13, > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', > MSGID: '-', > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-', > msg: ' hej' > escaped msg: ' hej' > rawmsg: '<13>Feb 3 11:14:30 root: hej' > > > Thanks in advance :-) ! > ~maymann > > > 2012/2/3 > >> oops, that should have been RSYSLOG_DebugFormat template. >> >> David Lang >> >> On Thu, 2 Feb 2012, david at lang.hm wrote: >> >> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST) >>> From: david at lang.hm >>> >>> Reply-To: rsyslog-users >>> To: rsyslog-users >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% >>> >>> what does one of these messages look like if you write it out with the >>> RSYSLOG_DEBUG template? >>> >>> David Lang >>> >>> On Fri, 3 Feb 2012, Michael Maymann wrote: >>> >>> Date: Fri, 3 Feb 2012 07:00:26 +0100 >>>> From: Michael Maymann >>>> Reply-To: rsyslog-users >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% >>>> >>>> Please... Anyone? >>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote: >>>> >>>> Hi, >>>>> >>>>> got it started... but still ??? dir+logfiles are showing up... 
>>>>> This is now my rsyslog.conf: >>>>> #SET PRIVILEGES >>>>> $PreserveFQDN on >>>>> $PrivDropToGroup >>>>> $PrivDropToUser >>>>> $DirCreateMode 0750 >>>>> $FileCreateMode 0640 >>>>> $UMASK 0027 >>>>> >>>>> #LOAD MODULES >>>>> $ModLoad imudp >>>>> $UDPServerRun 514 >>>>> $UDPServerAddress 127.0.0.1 >>>>> $ModLoad imtcp >>>>> $InputTCPServerRun 514 >>>>> >>>>> #SET DESTINATION FOR LOGS >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages" >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure" >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog" >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron" >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler" >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log" >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps" >>>>> >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages" >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure" >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog" >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron" >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler" >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log" >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps" >>>>> >>>>> #SET LOGGING CONDITIONS >>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages >>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' 
then >>>>> ?DYNsecure >>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then >>>>> ?DYNmaillog >>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron >>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then >>>>> ?DYNspooler >>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>> 'WARNING' >>>>> and $fromhost != '???' then ?DYNtraps >>>>> >>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages >>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then >>>>> ?DYNIPsecure >>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then >>>>> ?DYNIPmaillog >>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron >>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then >>>>> ?DYNIPspooler >>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then >>>>> ?DYNIPboot >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>> 'WARNING' >>>>> and $fromhost == '???' then ?DYNIPtraps >>>>> >>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all >>>>> creates >>>>> ??? dir+files... >>>>> What variable should I use to handle this properly ? >>>>> >>>>> >>>>> Thanks in advance :-) ! >>>>> ~maymann >>>>> >>>>> 2012/2/2 Michael Maymann >>>>> >>>>> Hi, >>>>>> >>>>>> David: thanks for your reply... 
>>>>>> Here is my new rsyslog.conf: >>>>>> #SET PRIVILEGES >>>>>> $PreserveFQDN on >>>>>> $PrivDropToGroup >>>>>> $PrivDropToUser >>>>>> $DirCreateMode 0750 >>>>>> $FileCreateMode 0640 >>>>>> $UMASK 0027 >>>>>> >>>>>> #LOAD MODULES >>>>>> $ModLoad imudp >>>>>> $UDPServerRun 514 >>>>>> $UDPServerAddress 127.0.0.1 >>>>>> $ModLoad imtcp >>>>>> $InputTCPServerRun 514 >>>>>> >>>>>> #SET DESTINATION FOR LOGS >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages" >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure" >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog" >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron" >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler" >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log" >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps" >>>>>> >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages" >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure" >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog" >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron" >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler" >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log" >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps" >>>>>> >>>>>> #SET LOGGING CONDITIONS >>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' 
then ?DYNmessages >>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then >>>>>> ?DYNsecure >>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then >>>>>> ?DYNmaillog >>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron >>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then >>>>>> ?DYNspooler >>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then >>>>>> ?DYNboot >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>> 'WARNING' >>>>>> and %FROMHOST% != '???' then ?DYNtraps >>>>>> >>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages >>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then >>>>>> ?DYNIPsecure >>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then >>>>>> ?DYNIPmaillog >>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then >>>>>> ?DYNIPcron >>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then >>>>>> ?DYNIPspooler >>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then >>>>>> ?DYNIPboot >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>> 'WARNING' >>>>>> and %FROMHOST% == '???' then ?DYNIPtraps >>>>>> >>>>>> but it fails...: >>>>>> # service rsyslog start >>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see >>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that >>>>>> number >>>>>> means) >>>>>> [ OK ] >>>>>> >>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or >>>>>> how >>>>>> is this done... >>>>>> >>>>>> >>>>>> Thanks in advance :-) ! >>>>>> ~maymann >>>>>> >>>>>> >>>>>> 2012/2/1 >>>>>> >>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: >>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>>> >>>>>>>> I want to log information about hosts that are not logging with >>>>>>>> correct >>>>>>>> HOSTNAME. >>>>>>>> In my current setup, I get a dir "???" 
where these host(s) are >>>>>>>> logging >>>>>>>> to... >>>>>>>> >>>>>>>> I would like to change this to the hosts IP instead, something like: >>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP >>>>>>>> >>>>>>>> >>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a >>>>>>> property. >>>>>>> >>>>>>> what you can do is to setup a different template and then if >>>>>>> %fromhost% >>>>>>> is your special pattern you can log with this different template. >>>>>>> >>>>>>> David Lang From david at lang.hm Sat Feb 4 05:02:24 2012 From: david at lang.hm (david at lang.hm) Date: Fri, 3 Feb 2012 20:02:24 -0800 (PST) Subject: [rsyslog] rsyslog as non-root user In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com> Message-ID: Ok, looking through this script, one thing I see is that there is a comment character before the debug flag and the 
redirect of the output. as part of just general troubleshooting 101, I would want to capture the stdout and stderr of the process that's not working, so could you remove the "#-d" from the line and add "2>&1" to the line and see if anything interesting shows up in the log? the second thing is that this script is not starting rsyslog directly, it's using the command "daemon" to start rsyslog. It's possible that having rsyslog background itself and let the parent exit is confusing "daemon" (because daemon is monitoring the child process and when it exits, daemon assumes that something is wrong). If that's the case then it should work with the -n option to tell rsyslog not to background itself. The fact that adding it causes the startup script to never complete makes me think that daemon isn't doing its job properly. you say that this is /etc/init.d/rsyslog.conf, but then the first line is referring to /etc/init.d/rsyslog, which is it? if this is a config file that some other script is using, the problem may be in that other script. I think you mentioned somewhere along the line, but I don't remember, what distro is this? In any case, this file has a bunch of stuff at the top that makes me think this is not a standard init file. this looks similar to an upstart file, but doesn't match my Ubuntu systems. David Lang On Fri, 3 Feb 2012, Michael Maymann wrote: > Date: Fri, 3 Feb 2012 22:21:45 +0100 > From: Michael Maymann > Reply-To: rsyslog-users > To: rsyslog-users > Subject: Re: [rsyslog] rsyslog as non-root user > > Hi, > > starting it manually doesn't return the prompt either...:-( ! > > here is my current /etc/init.d/rsyslog.conf anyway...: > # cat /etc/init.d/rsyslog > #!/bin/bash > #set -x > # > # rsyslog Starts rsyslogd/rklogd. > # > # > # chkconfig: 2345 12 88 > # description: Syslog is the facility by which many daemons use to log \ > # messages to various system log files. It is a good idea to always \ > # run rsyslog. 
> ### BEGIN INIT INFO > # Provides: $syslog > # Required-Start: $local_fs > # Required-Stop: $local_fs > # Default-Start: 2 3 4 5 > # Default-Stop: 0 1 6 > # Short-Description: Enhanced system logging and kernel message trapping > daemons > # Description: Rsyslog is an enhanced multi-threaded syslogd supporting, > # among others, MySQL, syslog/tcp, RFC 3195, permitted > # sender lists, filtering on any message part, and fine > # grain output format control. > ### END INIT INFO > # Source function library. > . /etc/init.d/functions > RETVAL=0 > PIDFILE=/var/run/syslogd.pid > #PIDFILE=/tmp/syslogd.pid > prog=rsyslogd > #exec=/sbin/rsyslogd > exec=/usr/sbin/rsyslogd > lockfile=/var/lock/subsys/$prog > #lockfile=/tmp/$prog > start() { > [ -x $exec ] || exit 5 > # Source config > if [ -f /etc/sysconfig/rsyslog ] ; then > . /etc/sysconfig/rsyslog > fi > umask 077 > echo -n $"Starting system logger: " > daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> > /tmp/rsyslog.log > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && touch $lockfile > return $RETVAL > } > stop() { > echo -n $"Shutting down system logger: " > killproc $prog > RETVAL=$? > echo > [ $RETVAL -eq 0 ] && rm -f $lockfile > return $RETVAL > } > reload() { > RETVAL=1 > syslog=$(cat "${PIDFILE}" 2>/dev/null) > echo -n "Reloading system logger..." > if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then > kill -HUP "$syslog"; > RETVAL=$? > fi > if [ $RETVAL -ne 0 ]; then > failure > else > success > fi > echo > return $RETVAL > } > rhstatus() { > status -p "${PIDFILE}" $prog > } > restart() { > stop > start > } > case "$1" in > start) > start > ;; > stop) > stop > ;; > restart) > restart > ;; > reload|force-reload) > reload > ;; > status) > rhstatus > ;; > condrestart|try-restart) > rhstatus >/dev/null 2>&1 || exit 0 > restart > ;; > *) > echo $"Usage: $0 > {start|stop|restart|condrestart|try-restart|reload|force-reload|status}" > exit 2 > esac > exit $? > > > Please anyone who can help with this ? 
> > Thanks in advance :-) ! > ~maymann > > 2012/2/3 Michael Maymann > >> Hi, >> >> Yes I have, and now set them to /tmp just for testing, but same thing...: >> PIDFILE=/tmp/syslogd.pi >> lockfile=/tmp/$prog >> >> When started manually, it seems to be working just fine... also after 5 >> minutes...:-) !: >> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd >> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0 >> root 14131 14128 0 09:04 pts/0 00:00:00 -bash >> 15442 14131 0 11:51 pts/0 00:00:00 >> /usr/sbin/rsyslogd -c 6 -n >> >> How can I implement similar behaviour to >> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...? >> >> >> >> Thanks in advance :-) ! >> ~maymann >> >> 2012/2/3 >> >> On Fri, 3 Feb 2012, Michael Maymann wrote: >>> >>> Hi, >>>> >>>> David: unfortunately this was not the case...: >>>> # cat /etc/sysconfig/selinux >>>> # This file controls the state of SELinux on the system. >>>> # SELINUX= can take one of these three values: >>>> # enforcing - SELinux security policy is enforced. >>>> # permissive - SELinux prints warnings instead of enforcing. >>>> # disabled - SELinux is fully disabled. >>>> SELINUX=disabled >>>> # SELINUXTYPE= type of policy in use. Possible values are: >>>> # targeted - Only targeted network daemons are protected. >>>> # strict - Full SELinux protection. >>>> SELINUXTYPE=targeted >>>> >>>> What else could cause this problem ? >>>> >>> >>> possibly a silly question, but have you verified that the user you are >>> dropping privileges to has write permission on the directories that you >>> write logs (and any queue files) to? >>> >>> David Lang >>> >>> >>>> Thanks in advance :-) ! >>>> ~maymann >>>> >>>> 2012/2/2 Michael Maymann >>>> >>>> Hi, >>>>> >>>>> David: Thanks for your reply - sounds possible... I will try this first >>>>> thing tomorrow morning and report back with findings... >>>>> >>>>> Br. 
>>>>> ~maymann >>>>> >>>>> 2012/2/2 >>>>> >>>>> On Thu, 2 Feb 2012, Michael Maymann wrote: >>>>> >>>>>> >>>>>> Hi Rainer, >>>>>> >>>>>>> >>>>>>> I really have my doubts it has something to do with my startup script: >>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default >>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf. >>>>>>> >>>>>>> I'm running on RHEL6.1_x64. >>>>>>> Do you have a working /etc/init.d/rsyslog that you can share/I can >>>>>>> test...? >>>>>>> >>>>>>> >>>>>> >>>>>> my guess is that this is a SELINUX related problem. >>>>>> >>>>>> what happens if you try to start rsyslog manually (not by running the >>>>>> startup script, but just running 'rsyslogd -c 6' " >>>>>> >>>>>> David Lang >>>>>> >>>>>> >>>>>> >>>>>> Thanks in advance :-) ! >>>>>>> ~maymann >>>>>>> >>>>>>> 2012/2/2 Michael Maymann >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>>> >>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about >>>>>>>> failing in the logs... and it actually doesn't fail... it works and >>>>>>>> after >>>>>>>> the timeout+failed notice only the process owned by >>>>>>>> PrivDropToUser-USER is >>>>>>>> present, but now owned by the init-process (mother process dies): >>>>>>>> >>>>>>>> # service rsyslog start >>>>>>>> Starting system logger: [FAILED] >>>>>>>> >>>>>>>> BEFORE failed status: >>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd >>>>>>>> -c 6 >>>>>>>> 9131 9126 0 11:07 ? 00:00:00 >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> >>>>>>>> AFTER failed status root-owned process is killed and >>>>>>>> PrivDropToUser-USER >>>>>>>> owned process therefore gets owned by init: >>>>>>>> 9131 1 0 11:07 ? 00:00:00 >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> >>>>>>>> Anyone who can help with this...?: >>>>>>>> here is the debug output when starting running the init-script: >>>>>>>> #/etc/init.d/rsyslog start >>>>>>>> + . 
/etc/init.d/functions >>>>>>>> ++ TEXTDOMAIN=initscripts >>>>>>>> ++ umask 022 >>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin >>>>>>>> ++ export PATH >>>>>>>> ++ '[' -z '' ']' >>>>>>>> ++ COLUMNS=80 >>>>>>>> ++ '[' -z '' ']' >>>>>>>> +++ /sbin/consoletype >>>>>>>> ++ CONSOLETYPE=pty >>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >>>>>>>> ++ . /etc/profile.d/lang.sh >>>>>>>> ++ unset LANGSH_SOURCED >>>>>>>> ++ '[' -z '' ']' >>>>>>>> ++ '[' -f /etc/sysconfig/init ']' >>>>>>>> ++ . /etc/sysconfig/init >>>>>>>> +++ BOOTUP=color >>>>>>>> +++ RES_COL=60 >>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G' >>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' >>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >>>>>>>> +++ PROMPT=yes >>>>>>>> +++ AUTOSWAP=no >>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]' >>>>>>>> +++ SINGLE=/sbin/sushell >>>>>>>> ++ '[' pty = serial ']' >>>>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d' >>>>>>>> + RETVAL=0 >>>>>>>> + PIDFILE=/var/run/syslogd.pid >>>>>>>> + prog=rsyslogd >>>>>>>> + exec=/usr/sbin/rsyslogd >>>>>>>> + lockfile=/var/lock/subsys/rsyslogd >>>>>>>> + case "$1" in >>>>>>>> + start >>>>>>>> + '[' -x /usr/sbin/rsyslogd ']' >>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']' >>>>>>>> + . 
/etc/sysconfig/rsyslog >>>>>>>> ++ SYSLOGD_OPTIONS='-c 6' >>>>>>>> + umask 077 >>>>>>>> + echo -n 'Starting system logger: ' >>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>> + local gotbase= force= nicelevel corelimit >>>>>>>> + local pid base= user= nice= bg= pid_file= >>>>>>>> + local cgroup= >>>>>>>> + nicelevel=0 >>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' >>>>>>>> -pidfile=/var/run/syslogd.pid >>>>>>>> ']' >>>>>>>> + case $1 in >>>>>>>> + pid_file=/var/run/syslogd.pid >>>>>>>> + shift >>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >>>>>>>> + '[' -z '' ']' >>>>>>>> + base=rsyslogd >>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid >>>>>>>> + local base=rsyslogd >>>>>>>> + local pid_file=/var/run/syslogd.pid >>>>>>>> + pid= >>>>>>>> + '[' -f /var/run/syslogd.pid ']' >>>>>>>> + return 3 >>>>>>>> + '[' -n '' -a -z '' ']' >>>>>>>> + corelimit='ulimit -S -c 0' >>>>>>>> + '[' -n '' ']' >>>>>>>> + '[' -n '' ']' >>>>>>>> + '[' color = verbose -a -z '' ']' >>>>>>>> + '[' -z '' ']' >>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd >>>>>>>> -c >>>>>>>> 6' >>>>>>>> ... >>>>>>>> (hangs here for a long time) >>>>>>>> ... 
>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>> + failure 'rsyslogd startup' >>>>>>>> + local rc=1 >>>>>>>> + '[' color '!=' verbose -a -z '' ']' >>>>>>>> + echo_failure >>>>>>>> + '[' color = color ']' >>>>>>>> + echo -en '\033[60G' >>>>>>>> + echo -n >>>>>>>> '[' >>>>>>>> [+ '[' color = color ']' >>>>>>>> + echo -en '\033[0;31m' >>>>>>>> + echo -n FAILED >>>>>>>> FAILED+ '[' color = color ']' >>>>>>>> + echo -en '\033[0;39m' >>>>>>>> + echo -n ']' >>>>>>>> ]+ echo -ne '\r' >>>>>>>> + return 1 >>>>>>>> + '[' -x /usr/bin/plymouth ']' >>>>>>>> + /usr/bin/plymouth --details >>>>>>>> + return 1 >>>>>>>> + RETVAL=1 >>>>>>>> + echo >>>>>>>> >>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>> + return 1 >>>>>>>> + exit 1 >>>>>>>> >>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - >>>>>>>> but >>>>>>>> same thing happens... >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thanks in advance :-) ! >>>>>>>> >>>>>>>> Br. >>>>>>>> ~maymann >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>> >>>>>>>> I can only help you with that part if you point me to why exactly >>>>>>>> the >>>>>>>> >>>>>>>>> script >>>>>>>>> claims what it does. So you may want to try find someone who can do >>>>>>>>> that. >>>>>>>>> I >>>>>>>>> know this is probably a trivial question, but I don't know anything >>>>>>>>> ;) >>>>>>>>> >>>>>>>>> Sry, rainer >>>>>>>>> >>>>>>>>> -----Original Message----- >>>>>>>>> >>>>>>>>>> From: rsyslog-bounces at lists.adiscon.****com>>>>>>>>> **adiscon.com >[mailto: >>>>>>>>>> >>>>>>>>>> rsyslog- >>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>>> To: rsyslog-users >>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>> >>>>>>>>>> Here is my startup script... only thing changed is the path to the >>>>>>>>>> new >>>>>>>>>> 6.3.6-rsyslog-devel binary. 
>>>>>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but failes >>>>>>>>>> if i >>>>>>>>>> have >>>>>>>>>> both or one of the entries...: >>>>>>>>>> #!/bin/bash >>>>>>>>>> # >>>>>>>>>> # rsyslog Starts rsyslogd/rklogd. >>>>>>>>>> # >>>>>>>>>> # >>>>>>>>>> # chkconfig: 2345 12 88 >>>>>>>>>> # description: Syslog is the facility by which many daemons use to >>>>>>>>>> log >>>>>>>>>> \ >>>>>>>>>> # messages to various system log files. It is a good idea to >>>>>>>>>> always \ >>>>>>>>>> # run rsyslog. >>>>>>>>>> ### BEGIN INIT INFO >>>>>>>>>> # Provides: $syslog >>>>>>>>>> # Required-Start: $local_fs >>>>>>>>>> # Required-Stop: $local_fs >>>>>>>>>> # Default-Start: 2 3 4 5 >>>>>>>>>> # Default-Stop: 0 1 6 >>>>>>>>>> # Short-Description: Enhanced system logging and kernel message >>>>>>>>>> trapping >>>>>>>>>> daemons >>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd >>>>>>>>>> supporting, >>>>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted >>>>>>>>>> # sender lists, filtering on any message part, and >>>>>>>>>> fine >>>>>>>>>> # grain output format control. >>>>>>>>>> ### END INIT INFO >>>>>>>>>> >>>>>>>>>> # Source function library. >>>>>>>>>> . /etc/init.d/functions >>>>>>>>>> >>>>>>>>>> RETVAL=0 >>>>>>>>>> PIDFILE=/var/run/syslogd.pid >>>>>>>>>> >>>>>>>>>> prog=rsyslogd >>>>>>>>>> #exec=/sbin/rsyslogd >>>>>>>>>> exec=/usr/sbin/rsyslogd >>>>>>>>>> lockfile=/var/lock/subsys/$****prog >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> start() { >>>>>>>>>> [ -x $exec ] || exit 5 >>>>>>>>>> >>>>>>>>>> # Source config >>>>>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then >>>>>>>>>> . /etc/sysconfig/rsyslog >>>>>>>>>> fi >>>>>>>>>> umask 077 >>>>>>>>>> >>>>>>>>>> echo -n $"Starting system logger: " >>>>>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >>>>>>>>>> RETVAL=$? 
>>>>>>>>>> echo >>>>>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> stop() { >>>>>>>>>> echo -n $"Shutting down system logger: " >>>>>>>>>> killproc $prog >>>>>>>>>> RETVAL=$? >>>>>>>>>> echo >>>>>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> reload() { >>>>>>>>>> RETVAL=1 >>>>>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) >>>>>>>>>> echo -n "Reloading system logger..." >>>>>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >>>>>>>>>> kill -HUP "$syslog"; >>>>>>>>>> RETVAL=$? >>>>>>>>>> fi >>>>>>>>>> if [ $RETVAL -ne 0 ]; then >>>>>>>>>> failure >>>>>>>>>> else >>>>>>>>>> success >>>>>>>>>> fi >>>>>>>>>> echo >>>>>>>>>> return $RETVAL >>>>>>>>>> } >>>>>>>>>> rhstatus() { >>>>>>>>>> status -p "${PIDFILE}" $prog >>>>>>>>>> } >>>>>>>>>> restart() { >>>>>>>>>> stop >>>>>>>>>> start >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> case "$1" in >>>>>>>>>> start) >>>>>>>>>> start >>>>>>>>>> ;; >>>>>>>>>> stop) >>>>>>>>>> stop >>>>>>>>>> ;; >>>>>>>>>> restart) >>>>>>>>>> restart >>>>>>>>>> ;; >>>>>>>>>> reload|force-reload) >>>>>>>>>> reload >>>>>>>>>> ;; >>>>>>>>>> status) >>>>>>>>>> rhstatus >>>>>>>>>> ;; >>>>>>>>>> condrestart|try-restart) >>>>>>>>>> rhstatus >/dev/null 2>&1 || exit 0 >>>>>>>>>> restart >>>>>>>>>> ;; >>>>>>>>>> *) >>>>>>>>>> echo $"Usage: $0 >>>>>>>>>> {start|stop|restart|****condrestart|try-restart|****reload|force- >>>>>>>>>> >>>>>>>>>> reload|status}" >>>>>>>>>> exit 2 >>>>>>>>>> esac >>>>>>>>>> >>>>>>>>>> exit $? 
>>>>>>>>>> >>>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> -----Original Message----- >>>>>>>>>>> >>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.****com< >>>>>>>>>>>> rsyslog-bounces at lists.**adiscon.com >>>>>>>>>>>>> [mailto: >>>>>>>>>>>> >>>>>>>>>>>> rsyslog- >>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> David: thanks - got it working with permission dropping, by far >>>>>>>>>>>> my >>>>>>>>>>>> prefered >>>>>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>>>>> Rainer: please let us know if the debug info of the "permission >>>>>>>>>>>> dropping: >>>>>>>>>>>> hang+timeout" I send you can solve anything... anyway it works >>>>>>>>>>>> now >>>>>>>>>>>> >>>>>>>>>>>> - >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> but >>>>>>>>>>> >>>>>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From >>>>>>>>>>> the >>>>>>>>>>> timestamps I also see that there is no hang whatsoever. So it >>>>>>>>>>> looks >>>>>>>>>>> >>>>>>>>>>> like >>>>>>>>>> >>>>>>>>>> there is some problem with the startup script, which I don't >>>>>>>>>>> know. I >>>>>>>>>>> suggest >>>>>>>>>>> to ask what the FAILED status is caused by. We can then look why >>>>>>>>>>> this >>>>>>>>>>> happens. >>>>>>>>>>> >>>>>>>>>>> Sorry I have no better answer... >>>>>>>>>>> Rainer >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thanks in advance :-) ! 
>>>>>>>>>>>> ~maymann >>>>>>>>>>>> >>>>>>>>>>>> 2012/2/1 >>>>>>>>>>>> >>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working >>>>>>>>>>>>>> >>>>>>>>>>>>>> fine >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> running >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> as root. >>>>>>>>>>>>> >>>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>>>>> >>>>>>>>>>>>>> located >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> on NFS >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> (and root export of NFS is generally not a good idea !). >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Here is my rsyslog.conf: >>>>>>>>>>>>>> #LOAD MODULES >>>>>>>>>>>>>> $ModLoad imudp >>>>>>>>>>>>>> $UDPServerRun 514 >>>>>>>>>>>>>> $UDPServerAddress 127.0.0.1 >>>>>>>>>>>>>> $ModLoad imtcp >>>>>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>>>>> #SET DESTINATION FOR LOGS >>>>>>>>>>>>>> $template >>>>>>>>>>>>>> DYNmessages,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>>>>>>>>> **** >>>>>>>>>>>>>> $MONTH%_messages" >>>>>>>>>>>>>> $template >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> DYNsecure,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%** >>>>>>>>>>>> ** >>>>>>>>>>>> >>>>>>>>>>> **$MONTH%_secure" >>>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> DYNmaillog,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%* >>>>>>>>>>>> *** >>>>>>>>>>>> >>>>>>>>>>> **$MONTH%_maillo >>>>>>>>>> >>>>>>>>>> g" >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> DYNcron,"/%FROMHOST%/******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>>> MONTH%_**** >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> cron" >>>>>>>>>>>>> >>>>>>>>>>>>>> $template >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> DYNspooler,"/%******FROMHOST%/%FROMHOST%_%$YEAR%.%* >>>>>>>>>>>> *** >>>>>>>>>>>> >>>>>>>>>>> **$MONTH%_spoole >>>>>>>>>> >>>>>>>>>> r" >>>>>>>>>>> >>>>>>>>>>>> 
>>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> DYNboot,"/%FROMHOST%/******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>> MONTH%_** >>>>>>>>>>>> >>>>>>>>>>> **boot.log" >>>>>>>>>> >>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>>> DYNtraps,"/%FROMHOST%******/%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>>> MONTH%** >>>>>>>>>>>>> >>>>>>>>>>>> _** >>>>>>>>>>>> >>>>>>>>>>>> traps" >>>>>>>>>>>>> >>>>>>>>>>>>>> #SET LOGGING CONDITIONS >>>>>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages >>>>>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure >>>>>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog >>>>>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron >>>>>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler >>>>>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot >>>>>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>>>>>>>>>> >>>>>>>>>>>>>> 'WARNING' >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> then ?DYNtraps >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root >>>>>>>>>>>>>> >>>>>>>>>>>>>> user: >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> 2012-01-31T15:45:52.997693+02:******00 rsyslogd: >>>>>>>>>>> [origin >>>>>>>>>>> >>>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >>>>>>>>>>>>>> http://www.rsyslog.com"] start >>>>>>>>>>>>>> 2012-01-31T15:45:52.997294+02:******00 rsyslogd: >>>>>>>>>>>>>> bind: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Permission >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> denied >>>>>>>>>>>>> >>>>>>>>>>>>>> 2012-01-31T15:45:52.997369+02:******00 rsyslogd: >>>>>>>>>>>>>> bind: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Permission >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> denied >>>>>>>>>>>>> >>>>>>>>>>>>>> 2012-01-31T15:45:52.997374+02:******00 rsyslogd: >>>>>>>>>>>>>> No UDP >>>>>>>>>>>>>> >>>>>>>>>>>>>> listen >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> socket >>>>>>>>>>>>> >>>>>>>>>>>>>> could successfully be 
initialized, message reception via UDP >>>>>>>>>>>>>> >>>>>>>>>>>>>> disabled. >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2012-01-31T15:45:52.997376+02:******00 rsyslogd: >>>>>>>>>>>>> imudp: >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> no >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> listeners >>>>>>>>>>> >>>>>>>>>>>> could be started, input not activated. >>>>>>>>>>>>>> 2012-01-31T15:45:52.997379+02:******00 rsyslogd3: >>>>>>>>>>>>>> >>>>>>>>>>>>>> activation >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> of >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> module >>>>>>>>>>>>> >>>>>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] >>>>>>>>>>>>>> 2012-01-31T15:45:52.997643+02:******00 >>>>>>>>>>>>>> rsyslogd-2077: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Could >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> not >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> create >>>>>>>>>>>>> >>>>>>>>>>>>>> tcp listener, ignoring port 514. [try >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://www.rsyslog.com/e/2077 >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> ] >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> So permissions to bind and sockets seems to be the problem... >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without >>>>>>>>>>>>> >>>>>>>>>>>>> making >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> some >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> other non-standard changes through sysctl) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root >>>>>>>>>>>>> >>>>>>>>>>>>> user >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> - if >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> yes: how ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> permission drop features >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run >>>>>>>>>>>>> >>>>>>>>>>>>> rsyslog >>>>>>>>>>>> >>>>>>>>>>>> server - if yes: how ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> pick a listening port > 1024 and it should work. 
>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can >>>>>>>>>>>>> >>>>>>>>>>>>> chkconfig do >>>>>>>>>>>> >>>>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> su can run a command as a different user. >>>>>>>>>>>>> >>>>>>>>>>>>> although as Rainer points out, you may just be looking for the >>>>>>>>>>>>> >>>>>>>>>>>>> permission >>>>>>>>>>>> >>>>>>>>>>>> dropping features that are already in rsyslog. >>>>>>>>>>>>> >>>>>>>>>>>>> David Lang >>>>>>>>>>>>> >>>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> n.net/mailman/listinfo/**rsyslog** >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> http://www.rsyslog.com/******professional- >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> services/>>>>>>>>>>> **tp://www.rsyslog.com/**professional-services/ >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> ______________________________****_________________ >>>>>>>>>>>>> >>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> http://www.rsyslog.com/****professional-services/ >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ______________________________****_________________ >>>>>>>>>>> rsyslog mailing list >>>>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> http://www.rsyslog.com/****professional-services/ >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ______________________________****_________________ >>>>>>>>>>> >>>>>>>>>> rsyslog mailing list >>>>>>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> 
http://www.rsyslog.com/professional-services/
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From michael at maymann.org Sat Feb 4 08:08:50 2012
From: michael at maymann.org (Michael Maymann)
Date: Sat, 4 Feb 2012 08:08:50 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi David,

thanks for your reply.
Now I got it working... :-) !
I'm running on RHEL6.1_x64 and my /etc/init.d/rsyslog is standard, only thing changed is:
#exec=/sbin/rsyslogd
exec=/usr/sbin/rsyslogd

I have now the following in my /etc/sysconfig/rsyslog:
SYSLOGD_OPTIONS="-c 6 &"

so without the "-n" option but with the "&" the startup script now works perfectly, and the mother process also lives for the first 5 minutes (As Rainer was so kind to find in the code - thanks !) as it should, to make sure everything starts up properly.
The "-n &" made the startup-script work, but killed the mother process right away.
The "-n" made the startup-script fail after 5 minutes (when mother process died), but rsyslog worked as it should.

I still think that when using this behaviour should be enforced from within rsyslog code itself (as users then didn't have to add anything to their /etc/sysconfig/rsyslog), but I leave it up to others to decide this...!

David+Rainer: Thanks for your help on this...much appreciated...:-) !
~maymann

2012/2/4
> Ok, looking through this script, one thing I see is that there is a
> comment character before the debug flag and the redirect of the output.
>
> as part of just general troubleshooting 101, I would want to capture the
> stdout and stderr of the process that's not working, so could you remove
> the "#-d" from the line and add "2>&1" to the line and see if anything
> interesting shows up in the log?
>
> the second thing is that this script is not starting rsyslog directly,
> it's using the command "daemon" to start rsyslog. It's possible that having
> rsyslog background itself and let the parent exit is confusing "daemon"
> (because daemon is monitoring the child process and when it exits, daemon
> assumes that something is wrong). If that's the case then it should work
> with the -n option to tell rsyslog not to background itself. The fact that
> adding it causes the startup script to never complete makes me think that
> daemon isn't doing its job properly.
>
> you say that this is /etc/init.d/rsyslog.conf, but then the first line is
> referring to /etc/init.d/rsyslog, which is it? if this is a config file
> that some other script is using, the problem may be in that other script.
>
> I think you mentioned somewhere along the line, but I don't remember, what
> distro is this?
>
> In any case, this file has a bunch of stuff at the top that makes me think
> this is not a standard init file.
>
> this looks similar to an upstart file, but doesn't match my Ubuntu systems.
>
> David Lang
>
>
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
> Date: Fri, 3 Feb 2012 22:21:45 +0100
>> From: Michael Maymann
>> Reply-To: rsyslog-users
>> To: rsyslog-users
>>
>> Subject: Re: [rsyslog] rsyslog as non-root user
>>
>> Hi,
>>
>> starting it manually doesn't return the prompt either...:-( !
>>
>> here is my current /etc/init.d/rsyslog.conf anyway...:
>> # cat /etc/init.d/rsyslog
>> #!/bin/bash
>> #set -x
>> #
>> # rsyslog Starts rsyslogd/rklogd.
>> #
>> #
>> # chkconfig: 2345 12 88
>> # description: Syslog is the facility by which many daemons use to log \
>> # messages to various system log files. It is a good idea to always \
>> # run rsyslog.
>> ### BEGIN INIT INFO
>> # Provides: $syslog
>> # Required-Start: $local_fs
>> # Required-Stop: $local_fs
>> # Default-Start: 2 3 4 5
>> # Default-Stop: 0 1 6
>> # Short-Description: Enhanced system logging and kernel message trapping
>> daemons
>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>> # sender lists, filtering on any message part, and fine
>> # grain output format control.
>> ### END INIT INFO
>> # Source function library.
>> . /etc/init.d/functions
>> RETVAL=0
>> PIDFILE=/var/run/syslogd.pid
>> #PIDFILE=/tmp/syslogd.pid
>> prog=rsyslogd
>> #exec=/sbin/rsyslogd
>> exec=/usr/sbin/rsyslogd
>> lockfile=/var/lock/subsys/$prog
>> #lockfile=/tmp/$prog
>> start() {
>>     [ -x $exec ] || exit 5
>>     # Source config
>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>         . /etc/sysconfig/rsyslog
>>     fi
>>     umask 077
>>     echo -n $"Starting system logger: "
>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &>
>> /tmp/rsyslog.log
>>     RETVAL=$?
>>     echo
>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>     return $RETVAL
>> }
>> stop() {
>>     echo -n $"Shutting down system logger: "
>>     killproc $prog
>>     RETVAL=$?
>>     echo
>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>     return $RETVAL
>> }
>> reload() {
>>     RETVAL=1
>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>     echo -n "Reloading system logger..."
>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>         kill -HUP "$syslog";
>>         RETVAL=$?
>>     fi
>>     if [ $RETVAL -ne 0 ]; then
>>         failure
>>     else
>>         success
>>     fi
>>     echo
>>     return $RETVAL
>> }
>> rhstatus() {
>>     status -p "${PIDFILE}" $prog
>> }
>> restart() {
>>     stop
>>     start
>> }
>> case "$1" in
>>     start)
>>         start
>>         ;;
>>     stop)
>>         stop
>>         ;;
>>     restart)
>>         restart
>>         ;;
>>     reload|force-reload)
>>         reload
>>         ;;
>>     status)
>>         rhstatus
>>         ;;
>>     condrestart|try-restart)
>>         rhstatus >/dev/null 2>&1 || exit 0
>>         restart
>>         ;;
>>     *)
>>         echo $"Usage: $0
>> {start|stop|restart|condrestart|try-restart|
>> reload|force-reload|status}"
>>         exit 2
>> esac
>> exit $?
>>
>>
>> Please anyone who can help with this ?
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/3 Michael Maymann
>>
>> Hi,
>>>
>>> Yes I have, and now set them to /tmp just for testing, but same thing...:
>>> PIDFILE=/tmp/syslogd.pi
>>> lockfile=/tmp/$prog
>>>
>>> When started manually, it seems to be working just fine... also after 5
>>> minutes...:-) !:
>>> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
>>> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
>>> root 14131 14128 0 09:04 pts/0 00:00:00 -bash
>>> 15442 14131 0 11:51 pts/0 00:00:00
>>> /usr/sbin/rsyslogd -c 6 -n
>>>
>>> How can I implement similar behaviour to
>>> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>>>
>>>
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/3
>>>
>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>>>
>>>>> David: unfortunately this was not the case...:
>>>>> # cat /etc/sysconfig/selinux
>>>>> # This file controls the state of SELinux on the system.
>>>>> # SELINUX= can take one of these three values:
>>>>> # enforcing - SELinux security policy is enforced.
>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>> # disabled - SELinux is fully disabled.
>>>>> SELINUX=disabled
>>>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>>>> # targeted - Only targeted network daemons are protected.
>>>>> # strict - Full SELinux protection.
>>>>> SELINUXTYPE=targeted
>>>>>
>>>>> What else could cause this problem ?
>>>>>
>>>>>
>>>> possibly a silly question, but have you verified that the user you are
>>>> dropping privileges to has write permission on the directories that you
>>>> write logs (and any queue files) to?
>>>>
>>>> David Lang
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/2 Michael Maymann
>>>>>
>>>>> Hi,
>>>>>
>>>>>>
>>>>>> David: Thanks for your reply - sounds possible... I will try this
>>>>>> first
>>>>>> thing tomorrow morning and report back with findings...
>>>>>>
>>>>>> Br.
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2
>>>>>>
>>>>>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>>>>
>>>>>>
>>>>>>> Hi Rainer,
>>>>>>>
>>>>>>>
>>>>>>>> I really have my doubts it has something to do with my startup
>>>>>>>> script:
>>>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>>>>>
>>>>>>>> I'm running on RHEL6.1_x64.
>>>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can >>>>>>>> test...? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> my guess is that this is a SELINUX related problem. >>>>>>> >>>>>>> what happens if you try to start rsyslog manually (not by running the >>>>>>> startup script, but just running 'rsyslogd -c 6' " >>>>>>> >>>>>>> David Lang >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks in advance :-) ! >>>>>>> >>>>>>>> ~maymann >>>>>>>> >>>>>>>> 2012/2/2 Michael Maymann >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> >>>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything >>>>>>>>> about >>>>>>>>> failing in the logs... and it actually doesn't fail... it works and >>>>>>>>> after >>>>>>>>> the timeout+failed notice only the proccess owned by >>>>>>>>> PrivDropToUser-USER is >>>>>>>>> present, but now owned by the init-proccess (mother proccess dies): >>>>>>>>> >>>>>>>>> # service rsyslog start >>>>>>>>> Starting system logger: [FAILED] >>>>>>>>> >>>>>>>>> BEFORE failed status: >>>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd >>>>>>>>> -c 6 >>>>>>>>> 9131 9126 0 11:07 ? 00:00:00 >>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>> >>>>>>>>> AFTER failed status root-owned proccess is killed and >>>>>>>>> PrivDropToUser-USER >>>>>>>>> owned proccess is therefore gets owned by init: >>>>>>>>> 9131 1 0 11:07 ? 00:00:00 >>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>> >>>>>>>>> Anyone who can help with this...?: >>>>>>>>> here is the debug output when starting running the init-script: >>>>>>>>> #/etc/init.d/rsyslog start >>>>>>>>> + . /etc/init.d/functions >>>>>>>>> ++ TEXTDOMAIN=initscripts >>>>>>>>> ++ umask 022 >>>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/******usr/bin >>>>>>>>> >>>>>>>>> >>>>>>>>> ++ export PATH >>>>>>>>> ++ '[' -z '' ']' >>>>>>>>> ++ COLUMNS=80 >>>>>>>>> ++ '[' -z '' ']' >>>>>>>>> +++ /sbin/consoletype >>>>>>>>> ++ CONSOLETYPE=pty >>>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >>>>>>>>> ++ . 
/etc/profile.d/lang.sh >>>>>>>>> ++ unset LANGSH_SOURCED >>>>>>>>> ++ '[' -z '' ']' >>>>>>>>> ++ '[' -f /etc/sysconfig/init ']' >>>>>>>>> ++ . /etc/sysconfig/init >>>>>>>>> +++ BOOTUP=color >>>>>>>>> +++ RES_COL=60 >>>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G' >>>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >>>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >>>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' >>>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >>>>>>>>> +++ PROMPT=yes >>>>>>>>> +++ AUTOSWAP=no >>>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]******' >>>>>>>>> >>>>>>>>> >>>>>>>>> +++ SINGLE=/sbin/sushell >>>>>>>>> ++ '[' pty = serial ']' >>>>>>>>> ++ >>>>>>>>> __sed_discard_ignored_files='/******\(~\|\.bak\|\.orig\|\.**** >>>>>>>>> rpmnew\|** >>>>>>>>> >>>>>>>>> \.rpmorig\|\.rpmsave\)$/d' >>>>>>>>> + RETVAL=0 >>>>>>>>> + PIDFILE=/var/run/syslogd.pid >>>>>>>>> + prog=rsyslogd >>>>>>>>> + exec=/usr/sbin/rsyslogd >>>>>>>>> + lockfile=/var/lock/subsys/******rsyslogd >>>>>>>>> >>>>>>>>> >>>>>>>>> + case "$1" in >>>>>>>>> + start >>>>>>>>> + '[' -x /usr/sbin/rsyslogd ']' >>>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']' >>>>>>>>> + . 
/etc/sysconfig/rsyslog >>>>>>>>> ++ SYSLOGD_OPTIONS='-c 6' >>>>>>>>> + umask 077 >>>>>>>>> + echo -n 'Starting system logger: ' >>>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>> + local gotbase= force= nicelevel corelimit >>>>>>>>> + local pid base= user= nice= bg= pid_file= >>>>>>>>> + local cgroup= >>>>>>>>> + nicelevel=0 >>>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' >>>>>>>>> -pidfile=/var/run/syslogd.pid >>>>>>>>> ']' >>>>>>>>> + case $1 in >>>>>>>>> + pid_file=/var/run/syslogd.pid >>>>>>>>> + shift >>>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >>>>>>>>> + '[' -z '' ']' >>>>>>>>> + base=rsyslogd >>>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid >>>>>>>>> + local base=rsyslogd >>>>>>>>> + local pid_file=/var/run/syslogd.pid >>>>>>>>> + pid= >>>>>>>>> + '[' -f /var/run/syslogd.pid ']' >>>>>>>>> + return 3 >>>>>>>>> + '[' -n '' -a -z '' ']' >>>>>>>>> + corelimit='ulimit -S -c 0' >>>>>>>>> + '[' -n '' ']' >>>>>>>>> + '[' -n '' ']' >>>>>>>>> + '[' color = verbose -a -z '' ']' >>>>>>>>> + '[' -z '' ']' >>>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd >>>>>>>>> -c >>>>>>>>> 6' >>>>>>>>> ... >>>>>>>>> (hangs here for a long time) >>>>>>>>> ... 
>>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>>> + failure 'rsyslogd startup' >>>>>>>>> + local rc=1 >>>>>>>>> + '[' color '!=' verbose -a -z '' ']' >>>>>>>>> + echo_failure >>>>>>>>> + '[' color = color ']' >>>>>>>>> + echo -en '\033[60G' >>>>>>>>> + echo -n >>>>>>>>> '[' >>>>>>>>> [+ '[' color = color ']' >>>>>>>>> + echo -en '\033[0;31m' >>>>>>>>> + echo -n FAILED >>>>>>>>> FAILED+ '[' color = color ']' >>>>>>>>> + echo -en '\033[0;39m' >>>>>>>>> + echo -n ']' >>>>>>>>> ]+ echo -ne '\r' >>>>>>>>> + return 1 >>>>>>>>> + '[' -x /usr/bin/plymouth ']' >>>>>>>>> + /usr/bin/plymouth --details >>>>>>>>> + return 1 >>>>>>>>> + RETVAL=1 >>>>>>>>> + echo >>>>>>>>> >>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>>> + return 1 >>>>>>>>> + exit 1 >>>>>>>>> >>>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - >>>>>>>>> but >>>>>>>>> same thing happens... >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks in advance :-) ! >>>>>>>>> >>>>>>>>> Br. >>>>>>>>> ~maymann >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>> >>>>>>>>> I can only help you with that part if you point me to why exactly >>>>>>>>> the >>>>>>>>> >>>>>>>>> script >>>>>>>>>> claims what it does. So you may want to try find someone who can >>>>>>>>>> do >>>>>>>>>> that. >>>>>>>>>> I >>>>>>>>>> know this is probably a trivial question, but I don't know >>>>>>>>>> anything >>>>>>>>>> ;) >>>>>>>>>> >>>>>>>>>> Sry, rainer >>>>>>>>>> >>>>>>>>>> -----Original Message----- >>>>>>>>>> >>>>>>>>>> From: rsyslog-bounces at lists.adiscon.** >>>>>>>>>>> ****com>>>>>>>>>> **adiscon.com >>>>>>>>>>> >>[mailto: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> rsyslog- >>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>>>> To: rsyslog-users >>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>> >>>>>>>>>>> Here is my startup script... 
>>>>>>>>>>> only thing changed is the path to the new 6.3.6-rsyslog-devel binary.
>>>>>>>>>>> The startup-scripts works also perfectly when i comment out the
>>>>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if i have
>>>>>>>>>>> both or one of the entries...:
>>>>>>>>>>> #!/bin/bash
>>>>>>>>>>> #
>>>>>>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>>>>>>> #
>>>>>>>>>>> #
>>>>>>>>>>> # chkconfig: 2345 12 88
>>>>>>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>>>>>>> # run rsyslog.
>>>>>>>>>>> ### BEGIN INIT INFO
>>>>>>>>>>> # Provides: $syslog
>>>>>>>>>>> # Required-Start: $local_fs
>>>>>>>>>>> # Required-Stop: $local_fs
>>>>>>>>>>> # Default-Start: 2 3 4 5
>>>>>>>>>>> # Default-Stop: 0 1 6
>>>>>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>>>>>> #              sender lists, filtering on any message part, and fine
>>>>>>>>>>> #              grain output format control.
>>>>>>>>>>> ### END INIT INFO
>>>>>>>>>>>
>>>>>>>>>>> # Source function library.
>>>>>>>>>>> . /etc/init.d/functions
>>>>>>>>>>>
>>>>>>>>>>> RETVAL=0
>>>>>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>>>>>
>>>>>>>>>>> prog=rsyslogd
>>>>>>>>>>> #exec=/sbin/rsyslogd
>>>>>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>>>>>
>>>>>>>>>>> start() {
>>>>>>>>>>>     [ -x $exec ] || exit 5
>>>>>>>>>>>
>>>>>>>>>>>     # Source config
>>>>>>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>>>>>>     fi
>>>>>>>>>>>     umask 077
>>>>>>>>>>>
>>>>>>>>>>>     echo -n $"Starting system logger: "
>>>>>>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>     echo
>>>>>>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>> }
>>>>>>>>>>> stop() {
>>>>>>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>>>>>>     killproc $prog
>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>     echo
>>>>>>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>> }
>>>>>>>>>>> reload() {
>>>>>>>>>>>     RETVAL=1
>>>>>>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>>>>>>     echo -n "Reloading system logger..."
>>>>>>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>>>>>>         kill -HUP "$syslog";
>>>>>>>>>>>         RETVAL=$?
>>>>>>>>>>>     fi
>>>>>>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>>>>>>         failure
>>>>>>>>>>>     else
>>>>>>>>>>>         success
>>>>>>>>>>>     fi
>>>>>>>>>>>     echo
>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>> }
>>>>>>>>>>> rhstatus() {
>>>>>>>>>>>     status -p "${PIDFILE}" $prog
>>>>>>>>>>> }
>>>>>>>>>>> restart() {
>>>>>>>>>>>     stop
>>>>>>>>>>>     start
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> case "$1" in
>>>>>>>>>>>   start)
>>>>>>>>>>>     start
>>>>>>>>>>>     ;;
>>>>>>>>>>>   stop)
>>>>>>>>>>>     stop
>>>>>>>>>>>     ;;
>>>>>>>>>>>   restart)
>>>>>>>>>>>     restart
>>>>>>>>>>>     ;;
>>>>>>>>>>>   reload|force-reload)
>>>>>>>>>>>     reload
>>>>>>>>>>>     ;;
>>>>>>>>>>>   status)
>>>>>>>>>>>     rhstatus
>>>>>>>>>>>     ;;
>>>>>>>>>>>   condrestart|try-restart)
>>>>>>>>>>>     rhstatus >/dev/null 2>&1 || exit 0
>>>>>>>>>>>     restart
>>>>>>>>>>>     ;;
>>>>>>>>>>>   *)
>>>>>>>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>>>>>>     exit 2
>>>>>>>>>>> esac
>>>>>>>>>>>
>>>>>>>>>>> exit $?
>>>>>>>>>>> >>>>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -----Original Message----- >>>>>>>>>>>> >>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.******com< >>>>>>>>>>>>> rsyslog-bounces at lists.**adisco**n.com < >>>>>>>>>>>>> rsyslog-bounces at lists.**adiscon.com >>>>>>>>>>>>> > >>>>>>>>>>>>> >>>>>>>>>>>>> [mailto: >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> rsyslog- >>>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>>> >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> David: thanks - got it working with permission dropping, by far >>>>>>>>>>>>> my >>>>>>>>>>>>> prefered >>>>>>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>>>>>> Rainer: please let us know if the debug info of the "permission >>>>>>>>>>>>> dropping: >>>>>>>>>>>>> hang+timeout" I send you can solve anything... anyway it works >>>>>>>>>>>>> now >>>>>>>>>>>>> >>>>>>>>>>>>> - >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> but >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. >>>>>>>>>>>> From >>>>>>>>>>>> the >>>>>>>>>>>> timestamps I also see that there is no hang whatsoever. So it >>>>>>>>>>>> looks >>>>>>>>>>>> >>>>>>>>>>>> like >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> there is some problem with the startup script, which I don't >>>>>>>>>>> >>>>>>>>>>>> know. I >>>>>>>>>>>> suggest >>>>>>>>>>>> to ask what the FAILED status is caused by. We can then look why >>>>>>>>>>>> this >>>>>>>>>>>> happens. >>>>>>>>>>>> >>>>>>>>>>>> Sorry I have no better answer... >>>>>>>>>>>> Rainer >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Thanks in advance :-) ! 
>>>>>>>>>>>> >>>>>>>>>>>>> ~maymann >>>>>>>>>>>>> >>>>>>>>>>>>> 2012/2/1 >>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> fine >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> running >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> as root. >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> located >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> on NFS >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> (and root export of NFS is generally not a good idea !). >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Here is my rsyslog.conf: >>>>>>>>>>>>>>> #LOAD MODULES >>>>>>>>>>>>>>> $ModLoad imudp >>>>>>>>>>>>>>> $UDPServerRun 514 >>>>>>>>>>>>>>> $UDPServerAddress 127.0.0.1 >>>>>>>>>>>>>>> $ModLoad imtcp >>>>>>>>>>>>>>> $InputTCPServerRun 514 >>>>>>>>>>>>>>> #SET DESTINATION FOR LOGS >>>>>>>>>>>>>>> $template >>>>>>>>>>>>>>> DYNmessages,"/%******** >>>>>>>>>>>>>>> FROMHOST%/%FROMHOST%_%$YEAR%.%**** >>>>>>>>>>>>>>> **** >>>>>>>>>>>>>>> $MONTH%_messages" >>>>>>>>>>>>>>> $template >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DYNsecure,"/%******** >>>>>>>>>>>>>>> FROMHOST%/%FROMHOST%_%$YEAR%.%**** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> ** >>>>>>>>>>>>> >>>>>>>>>>>>> **$MONTH%_secure" >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>>> DYNmaillog,"/%******** >>>>>>>>>>>>>>> FROMHOST%/%FROMHOST%_%$YEAR%.%*** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> *** >>>>>>>>>>>>> >>>>>>>>>>>>> **$MONTH%_maillo >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> g" >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> DYNcron,"/%FROMHOST%/** >>>>>>>>>>>>>>> 
******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> MONTH%_**** >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> cron" >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> $template >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DYNspooler,"/%******** >>>>>>>>>>>>>>> FROMHOST%/%FROMHOST%_%$YEAR%.%*** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> *** >>>>>>>>>>>>> >>>>>>>>>>>>> **$MONTH%_spoole >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> r" >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> $template >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DYNboot,"/%FROMHOST%/** >>>>>>>>>>>>>>> ******%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> MONTH%_** >>>>>>>>>>>>> >>>>>>>>>>>>> **boot.log" >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> $template >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> DYNtraps,"/%FROMHOST%** >>>>>>>>>>>>>>> ******/%FROMHOST%_%$YEAR%.%$** >>>>>>>>>>>>>>> >>>>>>>>>>>>>> MONTH%** >>>>>>>>>>>>>> >>>>>>>>>>>>>> _** >>>>>>>>>>>>> >>>>>>>>>>>>> traps" >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> #SET LOGGING CONDITIONS >>>>>>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages >>>>>>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure >>>>>>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog >>>>>>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron >>>>>>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler >>>>>>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot >>>>>>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text >>>>>>>>>>>>>>> == >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 'WARNING' >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> then ?DYNtraps >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> user: >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> 2012-01-31T15:45:52.997693+02:********00 >>>>>>>>>>> rsyslogd: >>>>>>>>>>> >>>>>>>>>>>> [origin >>>>>>>>>>>> 
>>>>>>>>>>>> software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info=" >>>>>>>>>>>>> >>>>>>>>>>>>>> http://www.rsyslog.com"] start >>>>>>>>>>>>>>> 2012-01-31T15:45:52.997294+02:********00 >>>>>>>>>>>>>>> rsyslogd: >>>>>>>>>>>>>>> bind: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Permission >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> denied >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2012-01-31T15:45:52.997369+02:********00 >>>>>>>>>>>>>>> rsyslogd: >>>>>>>>>>>>>>> bind: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Permission >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> denied >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2012-01-31T15:45:52.997374+02:********00 >>>>>>>>>>>>>>> rsyslogd: >>>>>>>>>>>>>>> No UDP >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> listen >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> socket >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> could successfully be initialized, message reception via UDP >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> disabled. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> 2012-01-31T15:45:52.997376+02:********00 rsyslogd: >>>>>>>>>>>>> >>>>>>>>>>>>>> imudp: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> no >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> listeners >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> could be started, input not activated. 
>>>>>>>>>>>>> >>>>>>>>>>>>>> 2012-01-31T15:45:52.997379+02:********00 >>>>>>>>>>>>>>> rsyslogd3: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> activation >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> of >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> module >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> imudp failed [try http://www.rsyslog.com/e/-3 ] >>>>>>>>>>>>>>> 2012-01-31T15:45:52.997643+02:********00 >>>>>>>>>>>>>>> rsyslogd-2077: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Could >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> not >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> create >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> tcp listener, ignoring port 514. [try >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://www.rsyslog.com/e/2077 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> ] >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> So permissions to bind and sockets seems to be the problem... >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user >>>>>>>>>>>>>>> (without >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> making >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> some >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> other non-standard changes through sysctl) >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a >>>>>>>>>>>>>> non-root >>>>>>>>>>>>>> >>>>>>>>>>>>>> user >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> - if >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> yes: how ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> permission drop features >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to >>>>>>>>>>>>>> run >>>>>>>>>>>>>> >>>>>>>>>>>>>> rsyslog >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> server - if yes: how ? 
>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> pick a listening port > 1024 and it should work. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can >>>>>>>>>>>>>> >>>>>>>>>>>>>> chkconfig do >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> this ? do I need to edit /etc/init.d/rsyslog - if yes: how ? >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> su can run a command as a different user. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> although as Rainer points out, you may just be looking for the >>>>>>>>>>>>>> >>>>>>>>>>>>>> permission >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> dropping features that are already in rsyslog. >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> David Lang >>>>>>>>>>>>>> >>>>>>>>>>>>>> ______________________________********_________________ >>>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://lists.adiscon.net/********mailman/listinfo/rsyslog >>>>>>>>>>>>>> >>>>>>>>>>>>>> > >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> > >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> n.net/mailman/listinfo/****rsyslog** >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> http://www.rsyslog.com/********professional- >>>>>>>>>>>>> >>>>>>>>>>>>> > >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> > >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> services/>>>>>>>>>>>>> ***com/professional-services/<**ht >>>>>>>>>>>>>> >>>>>>>>>>>>> **tp://www.rsyslog.com/****professional-services/ >>>>>>>>>>>>> >>>>>>>>>>>>> > >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>>>> >>>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog 
From michael at maymann.org Sat Feb 4 09:09:49 2012
From: michael at maymann.org (Michael Maymann)
Date: Sat, 4 Feb 2012 09:09:49 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID:

Hi,

SOLVED... got it working...:-) !
I enabled debugging (David: thanks for the hint) and this was one of the entries:
---
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
---
The from the last line was of course the same as in the logfiles... I confuse this to be a client of a rsyslog-client twice... :-o !

I could hereafter easily edit my /etc/rsyslog.conf respectively:
---
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup
$PrivDropToUser
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
#*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat

#SET DESTINATION FOR LOGS
$template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
---

David+Rainer: thanks for your help... much appreciated...:-) !

Br.
~maymann

2012/2/4

> I was actually meaning for you to do this on the server where you are
> seeing the ??? show up.
>
> but this does show that the sending machine thinks it's doing everything
> correctly (assuming the you put in the message below is actually
> correct)
>
> what I would want to see from the server log is one of the messages with
> the ??? in it that you are trying to fix.
>
> David Lang
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
>> Hi,
>>
>> David: thanks for your reply...:-) !
>>
>> This is not a known client causing the "???" entries - I don't know the
>> ip(s)/hostname(s), and this is why i would like to log IP instead of
>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>
>> Can I troubleshoot on the server somehow similar... or was that the
>> intention all along...:-o !
>>
>> Here is the client-debug output anyways...:
>> # cat messages-debug
>> Debug line with all properties:
>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 6,
>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>
>> Debug line with all properties:
>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 46,
>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>
>> Debug line with all properties:
>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 13,
>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>> msg: ' hej'
>> escaped msg: ' hej'
>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>> 2012/2/3
>>
>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>
>>> David Lang
>>>
>>> On Thu, 2 Feb 2012, david at lang.hm wrote:
>>>
>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>> From: david at lang.hm
>>>> Reply-To: rsyslog-users
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>
>>>> what does one of these messages look like if you write it out with the
>>>> RSYSLOG_DEBUG template?
>>>>
>>>> David Lang
>>>>
>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>
>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>> From: Michael Maymann
>>>>> Reply-To: rsyslog-users
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>
>>>>> Please... Anyone?
>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>> This is now my rsyslog.conf:
>>>>>> #SET PRIVILEGES
>>>>>> $PreserveFQDN on
>>>>>> $PrivDropToGroup
>>>>>> $PrivDropToUser
>>>>>> $DirCreateMode 0750
>>>>>> $FileCreateMode 0640
>>>>>> $UMASK 0027
>>>>>>
>>>>>> #LOAD MODULES
>>>>>> $ModLoad imudp
>>>>>> $UDPServerRun 514
>>>>>> $UDPServerAddress 127.0.0.1
>>>>>> $ModLoad imtcp
>>>>>> $InputTCPServerRun 514
>>>>>>
>>>>>> #SET DESTINATION FOR LOGS
>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> #SET LOGGING CONDITIONS
>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>>>
>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>>>
>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>>>>> ??? dir+files...
>>>>>> What variable should I use to handle this properly ?
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2 Michael Maymann
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> David: thanks for your reply...
>>>>>>> Here is my new rsyslog.conf:
>>>>>>> #SET PRIVILEGES
>>>>>>> $PreserveFQDN on
>>>>>>> $PrivDropToGroup
>>>>>>> $PrivDropToUser
>>>>>>> $DirCreateMode 0750
>>>>>>> $FileCreateMode 0640
>>>>>>> $UMASK 0027
>>>>>>>
>>>>>>> #LOAD MODULES
>>>>>>> $ModLoad imudp
>>>>>>> $UDPServerRun 514
>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 514
>>>>>>>
>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> #SET LOGGING CONDITIONS
>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>
>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>
>>>>>>> but it fails...:
>>>>>>> # service rsyslog start
>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
>>>>>>> means)
>>>>>>> [ OK ]
>>>>>>>
>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>>>>> is this done...
>>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann >>>>>>> >>>>>>> >>>>>>> 2012/2/1 >>>>>>> >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: >>>>>>> >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> >>>>>>>>> I want to log information about hosts that are not logging with >>>>>>>>> correct >>>>>>>>> HOSTNAME. >>>>>>>>> In my current setup, I get a dir "???" where these host(s) are >>>>>>>>> logging >>>>>>>>> to... >>>>>>>>> >>>>>>>>> I would like to change this to the hosts IP instead, something >>>>>>>>> like: >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP >>>>>>>>> >>>>>>>>> >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to >>>>>>>> a >>>>>>>> property. >>>>>>>> >>>>>>>> what you can do is to setup a different template and then if >>>>>>>> %fromhost% >>>>>>>> is your special pattern you can log with this different template. >>>>>>>> >>>>>>>> David Lang >>>>>>>> ______________________________******_________________ >>>>>>>> rsyslog mailing list >>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>>> >>>>>>>>> http://www.rsyslog.com/******professional-services/ >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>> >>>>>>>> > >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> ______________________________****_________________ >>>>>> >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>>> >>>>> > >>>>> http://www.rsyslog.com/****professional-services/ >>>>> >>>>> > >>>>> >>>>> ______________________________****_________________ >>>>> >>>> rsyslog mailing list >>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>>> >>>> > >>>> http://www.rsyslog.com/****professional-services/ >>>> >>>> > >>>> >>>> ______________________________****_________________ >>>> >>> rsyslog mailing list >>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>> >>> > >>> http://www.rsyslog.com/****professional-services/ >>> >>> > >>> >>> 
From david at lang.hm Sat Feb 4 09:21:12 2012
From: david at lang.hm (david at lang.hm)
Date: Sat, 4 Feb 2012 00:21:12 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

the thing that you still aren't recognizing is that for most distros, nothing does need to be done, just the -c 6 option is all that's needed.

I don't understand what Red Hat has done to make this not work and since I don't have any RHEL 6.1 systems I can't even try to troubleshoot this.

I'm glad that you finally got it working, but I would suggest that you send a note to Red Hat so that they can figure out what's up with their startup script.

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

> Hi David,
>
> thanks for your reply.
> Now I got it working... :-) !
>
> I'm running on RHEL6.1_x64 and my /etc/init.d/rsyslog is standard, only thing changed is:
> #exec=/sbin/rsyslogd
> exec=/usr/sbin/rsyslogd
>
> I have now the following in my /etc/sysconfig/rsyslog:
> SYSLOGD_OPTIONS="-c 6 &"
>
> so without the "-n" option but with the "&" the startup script now works perfectly, and the mother process also lives for the first 5 minutes (As Rainer was so kind to find in the code - thanks !) as it should, to make sure everything starts up properly.
>
> The "-n &" made the startup-script work, but killed the mother process right away.
> The "-n" made the startup-script fail after 5 minutes (when mother process died), but rsyslog worked as it should.
>
> I still think that when using this behaviour should be enforced from within rsyslog code itself (as users then didn't have to add anything to their /etc/sysconfig/rsyslog), but I leave it up to others to decide this...!
>
> David+Rainer: Thanks for your help on this...much appreciated...:-) !
> ~maymann
>
> 2012/2/4
>
>> Ok, looking through this script, one thing I see is that there is a comment character before the debug flag and the redirect of the output.
>>
>> as part of just general troubleshooting 101, I would want to capture the stdout and stderr of the process that's not working, so could you remove the "#-d" from the line and add "2>&1" to the line and see if anything interesting shows up in the log?
>>
>> the second thing is that this script is not starting rsyslog directly, it's using the command "daemon" to start rsyslog. It's possible that having rsyslog background itself and let the parent exit is confusing "daemon" (because daemon is monitoring the child process and when it exits, daemon assumes that something is wrong). If that's the case then it should work with the -n option to tell rsyslog not to background itself. The fact that adding it causes the startup script to never complete makes me think that daemon isn't doing its job properly.
>>
>> you say that this is /etc/init.d/rsyslog.conf, but then the first line is referring to /etc/init.d/rsyslog, which is it? if this is a config file that some other script is using, the problem may be in that other script.
>>
>> I think you mentioned somewhere along the line, but I don't remember, what distro is this?
>>
>> In any case, this file has a bunch of stuff at the top that makes me think this is not a standard init file.
>>
>> this looks similar to an upstart file, but doesn't match my Ubuntu systems.
>>
>> David Lang
>>
>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>
>>> Date: Fri, 3 Feb 2012 22:21:45 +0100
>>> From: Michael Maymann
>>> Reply-To: rsyslog-users
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>
>>> Hi,
>>>
>>> starting it manually doesn't return the prompt either...:-( !
>>>
>>> here is my current /etc/init.d/rsyslog.conf anyway...:
>>> # cat /etc/init.d/rsyslog
>>> #!/bin/bash
>>> #set -x
>>> #
>>> # rsyslog Starts rsyslogd/rklogd.
>>> #
>>> #
>>> # chkconfig: 2345 12 88
>>> # description: Syslog is the facility by which many daemons use to log \
>>> # messages to various system log files. It is a good idea to always \
>>> # run rsyslog.
>>> ### BEGIN INIT INFO
>>> # Provides: $syslog
>>> # Required-Start: $local_fs
>>> # Required-Stop: $local_fs
>>> # Default-Start: 2 3 4 5
>>> # Default-Stop: 0 1 6
>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>> # sender lists, filtering on any message part, and fine
>>> # grain output format control.
>>> ### END INIT INFO
>>> # Source function library.
>>> . /etc/init.d/functions
>>> RETVAL=0
>>> PIDFILE=/var/run/syslogd.pid
>>> #PIDFILE=/tmp/syslogd.pid
>>> prog=rsyslogd
>>> #exec=/sbin/rsyslogd
>>> exec=/usr/sbin/rsyslogd
>>> lockfile=/var/lock/subsys/$prog
>>> #lockfile=/tmp/$prog
>>> start() {
>>>     [ -x $exec ] || exit 5
>>>     # Source config
>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>         . /etc/sysconfig/rsyslog
>>>     fi
>>>     umask 077
>>>     echo -n $"Starting system logger: "
>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> /tmp/rsyslog.log
>>>     RETVAL=$?
>>>     echo
>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>     return $RETVAL
>>> }
>>> stop() {
>>>     echo -n $"Shutting down system logger: "
>>>     killproc $prog
>>>     RETVAL=$?
>>>     echo
>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>     return $RETVAL
>>> }
>>> reload() {
>>>     RETVAL=1
>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>     echo -n "Reloading system logger..."
>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>         kill -HUP "$syslog";
>>>         RETVAL=$?
>>>     fi
>>>     if [ $RETVAL -ne 0 ]; then
>>>         failure
>>>     else
>>>         success
>>>     fi
>>>     echo
>>>     return $RETVAL
>>> }
>>> rhstatus() {
>>>     status -p "${PIDFILE}" $prog
>>> }
>>> restart() {
>>>     stop
>>>     start
>>> }
>>> case "$1" in
>>>     start)
>>>         start
>>>         ;;
>>>     stop)
>>>         stop
>>>         ;;
>>>     restart)
>>>         restart
>>>         ;;
>>>     reload|force-reload)
>>>         reload
>>>         ;;
>>>     status)
>>>         rhstatus
>>>         ;;
>>>     condrestart|try-restart)
>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>         restart
>>>         ;;
>>>     *)
>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>         exit 2
>>> esac
>>> exit $?
>>>
>>> Please anyone who can help with this ?
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/3 Michael Maymann
>>>
>>>> Hi,
>>>>
>>>> Yes I have, and now set them to /tmp just for testing, but same thing...:
>>>> PIDFILE=/tmp/syslogd.pi
>>>> lockfile=/tmp/$prog
>>>>
>>>> When started manually, it seems to be working just fine... also after 5 minutes...:-) !:
>>>> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
>>>> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
>>>> root 14131 14128 0 09:04 pts/0 00:00:00 -bash
>>>> 15442 14131 0 11:51 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n
>>>>
>>>> How can I implement similar behaviour to /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/3
>>>>
>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> David: unfortunately this was not the case...:
>>>>>> # cat /etc/sysconfig/selinux
>>>>>> # This file controls the state of SELinux on the system.
>>>>>> # SELINUX= can take one of these three values:
>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>> # disabled - SELinux is fully disabled.
>>>>>> SELINUX=disabled
>>>>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>>>>> # targeted - Only targeted network daemons are protected.
>>>>>> # strict - Full SELinux protection.
>>>>>> SELINUXTYPE=targeted
>>>>>>
>>>>>> What else could cause this problem ?
>>>>>
>>>>> possibly a silly question, but have you verified that the user you are dropping privileges to has write permission on the directories that you write logs (and any queue files) to?
>>>>>
>>>>> David Lang
>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2 Michael Maymann
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> David: Thanks for your reply - sounds possible... I will try this first thing tomorrow morning and report back with findings...
>>>>>>>
>>>>>>> Br.
>>>>>>> ~maymann
>>>>>>>
>>>>>>> 2012/2/2
>>>>>>>
>>>>>>>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>>>>>>
>>>>>>>>> Hi Rainer,
>>>>>>>>>
>>>>>>>>> I really have my doubts it has something to do with my startup script:
>>>>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>>>>>>
>>>>>>>>> I'm running on RHEL6.1_x64.
>>>>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can test...?
>>>>>>>>
>>>>>>>> my guess is that this is a SELINUX related problem.
>>>>>>>>
>>>>>>>> what happens if you try to start rsyslog manually (not by running the startup script, but just running 'rsyslogd -c 6')
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>>
>>>>>>>>> Thanks in advance :-) !
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about failing in the logs... and it actually doesn't fail... it works and after the timeout+failed notice only the process owned by PrivDropToUser-USER is present, but now owned by the init-process (mother process dies):
>>>>>>>>>>
>>>>>>>>>> # service rsyslog start
>>>>>>>>>> Starting system logger: [FAILED]
>>>>>>>>>>
>>>>>>>>>> BEFORE failed status:
>>>>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>> 9131 9126 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>>
>>>>>>>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER owned process therefore gets owned by init:
>>>>>>>>>> 9131 1 0 11:07 ? 00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>>
>>>>>>>>>> Anyone who can help with this...?:
>>>>>>>>>> here is the debug output when starting running the init-script:
>>>>>>>>>> #/etc/init.d/rsyslog start
>>>>>>>>>> + . /etc/init.d/functions
>>>>>>>>>> ++ TEXTDOMAIN=initscripts
>>>>>>>>>> ++ umask 022
>>>>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>>>>>>> ++ export PATH
>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>> ++ COLUMNS=80
>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>> +++ /sbin/consoletype
>>>>>>>>>> ++ CONSOLETYPE=pty
>>>>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>>>>>>> ++ . /etc/profile.d/lang.sh
>>>>>>>>>> ++ unset LANGSH_SOURCED
>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>>>>>>> ++ . /etc/sysconfig/init
>>>>>>>>>> +++ BOOTUP=color
>>>>>>>>>> +++ RES_COL=60
>>>>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>>>>>>> +++ PROMPT=yes
>>>>>>>>>> +++ AUTOSWAP=no
>>>>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>>>>>>> +++ SINGLE=/sbin/sushell
>>>>>>>>>> ++ '[' pty = serial ']'
>>>>>>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>>>>>>> + RETVAL=0
>>>>>>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>>>>>>> + prog=rsyslogd
>>>>>>>>>> + exec=/usr/sbin/rsyslogd
>>>>>>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>>>>>>> + case "$1" in
>>>>>>>>>> + start
>>>>>>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>>>>>>> + . /etc/sysconfig/rsyslog
>>>>>>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>>>>>>> + umask 077
>>>>>>>>>> + echo -n 'Starting system logger: '
>>>>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>>>>>>>> + local gotbase= force= nicelevel corelimit
>>>>>>>>>> + local pid base= user= nice= bg= pid_file=
>>>>>>>>>> + local cgroup=
>>>>>>>>>> + nicelevel=0
>>>>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>>>>>>>> + case $1 in
>>>>>>>>>> + pid_file=/var/run/syslogd.pid
>>>>>>>>>> + shift
>>>>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>>>>>>> + '[' -z '' ']'
>>>>>>>>>> + base=rsyslogd
>>>>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>>>>>>> + local base=rsyslogd
>>>>>>>>>> + local pid_file=/var/run/syslogd.pid
>>>>>>>>>> + pid=
>>>>>>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>>>>>>> + return 3
>>>>>>>>>> + '[' -n '' -a -z '' ']'
>>>>>>>>>> + corelimit='ulimit -S -c 0'
>>>>>>>>>> + '[' -n '' ']'
>>>>>>>>>> + '[' -n '' ']'
>>>>>>>>>> + '[' color = verbose -a -z '' ']'
>>>>>>>>>> + '[' -z '' ']'
>>>>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>>>>>>>> ...
>>>>>>>>>> (hangs here for a long time)
>>>>>>>>>> ...
>>>>>>>>>> + '[' 1 -eq 0 ']'
>>>>>>>>>> + failure 'rsyslogd startup'
>>>>>>>>>> + local rc=1
>>>>>>>>>> + '[' color '!=' verbose -a -z '' ']'
>>>>>>>>>> + echo_failure
>>>>>>>>>> + '[' color = color ']'
>>>>>>>>>> + echo -en '\033[60G'
>>>>>>>>>> + echo -n '['
>>>>>>>>>> [+ '[' color = color ']'
>>>>>>>>>> + echo -en '\033[0;31m'
>>>>>>>>>> + echo -n FAILED
>>>>>>>>>> FAILED+ '[' color = color ']'
>>>>>>>>>> + echo -en '\033[0;39m'
>>>>>>>>>> + echo -n ']'
>>>>>>>>>> ]+ echo -ne '\r'
>>>>>>>>>> + return 1
>>>>>>>>>> + '[' -x /usr/bin/plymouth ']'
>>>>>>>>>> + /usr/bin/plymouth --details
>>>>>>>>>> + return 1
>>>>>>>>>> + RETVAL=1
>>>>>>>>>> + echo
>>>>>>>>>>
>>>>>>>>>> + '[' 1 -eq 0 ']'
>>>>>>>>>> + return 1
>>>>>>>>>> + exit 1
>>>>>>>>>>
>>>>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but same thing happens...
>>>>>>>>>>
>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>>
>>>>>>>>>> Br.
>>>>>>>>>> ~maymann
>>>>>>>>>>
>>>>>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>>>>>
>>>>>>>>>>> I can only help you with that part if you point me to why exactly the script claims what it does. So you may want to try find someone who can do that. I know this is probably a trivial question, but I don't know anything ;)
>>>>>>>>>>>
>>>>>>>>>>> Sry, rainer
>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM
>>>>>>>>>>>> To: rsyslog-users
>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>>>>>
>>>>>>>>>>>> Here is my startup script... only thing changed is the path to the new 6.3.6-rsyslog-devel binary.
>>>>>>>>>>>> The startup-scripts works also perfectly when i comment out the PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but fails if i have both or one of the entries...:
>>>>>>>>>>>> #!/bin/bash
>>>>>>>>>>>> #
>>>>>>>>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>>>>>>>>> #
>>>>>>>>>>>> #
>>>>>>>>>>>> # chkconfig: 2345 12 88
>>>>>>>>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>>>>>>>>> # messages to various system log files. It is a good idea to always \
>>>>>>>>>>>> # run rsyslog.
>>>>>>>>>>>> ### BEGIN INIT INFO
>>>>>>>>>>>> # Provides: $syslog
>>>>>>>>>>>> # Required-Start: $local_fs
>>>>>>>>>>>> # Required-Stop: $local_fs
>>>>>>>>>>>> # Default-Start: 2 3 4 5
>>>>>>>>>>>> # Default-Stop: 0 1 6
>>>>>>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>>>>>>> # sender lists, filtering on any message part, and fine
>>>>>>>>>>>> # grain output format control.
>>>>>>>>>>>> ### END INIT INFO
>>>>>>>>>>>>
>>>>>>>>>>>> # Source function library.
>>>>>>>>>>>> . /etc/init.d/functions
>>>>>>>>>>>>
>>>>>>>>>>>> RETVAL=0
>>>>>>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>>>>>>
>>>>>>>>>>>> prog=rsyslogd
>>>>>>>>>>>> #exec=/sbin/rsyslogd
>>>>>>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>>>>>>
>>>>>>>>>>>> start() {
>>>>>>>>>>>>     [ -x $exec ] || exit 5
>>>>>>>>>>>>
>>>>>>>>>>>>     # Source config
>>>>>>>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>>>>>>>     fi
>>>>>>>>>>>>     umask 077
>>>>>>>>>>>>
>>>>>>>>>>>>     echo -n $"Starting system logger: "
>>>>>>>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>>     echo
>>>>>>>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>> }
>>>>>>>>>>>> stop() {
>>>>>>>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>>>>>>>     killproc $prog
>>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>>     echo
>>>>>>>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>> }
>>>>>>>>>>>> reload() {
>>>>>>>>>>>>     RETVAL=1
>>>>>>>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>>>>>>>     echo -n "Reloading system logger..."
>>>>>>>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>>>>>>>         kill -HUP "$syslog";
>>>>>>>>>>>>         RETVAL=$?
>>>>>>>>>>>>     fi
>>>>>>>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>>>>>>>         failure
>>>>>>>>>>>>     else
>>>>>>>>>>>>         success
>>>>>>>>>>>>     fi
>>>>>>>>>>>>     echo
>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>> }
>>>>>>>>>>>> rhstatus() {
>>>>>>>>>>>>     status -p "${PIDFILE}" $prog
>>>>>>>>>>>> }
>>>>>>>>>>>> restart() {
>>>>>>>>>>>>     stop
>>>>>>>>>>>>     start
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> case "$1" in
>>>>>>>>>>>>     start)
>>>>>>>>>>>>         start
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     stop)
>>>>>>>>>>>>         stop
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     restart)
>>>>>>>>>>>>         restart
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     reload|force-reload)
>>>>>>>>>>>>         reload
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     status)
>>>>>>>>>>>>         rhstatus
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     condrestart|try-restart)
>>>>>>>>>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>>>>>>>>>         restart
>>>>>>>>>>>>         ;;
>>>>>>>>>>>>     *)
>>>>>>>>>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>>>>>>>         exit 2
>>>>>>>>>>>> esac
>>>>>>>>>>>>
>>>>>>>>>>>> exit $?
>>>>>>>>>>>>
>>>>>>>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>>>>>>>
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>>>>>>>> To: rsyslog-users
>>>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> David: thanks - got it working with permission dropping, by far my preferred configuration... just didn't know of it...:-) !
>>>>>>>>>>>>>> Rainer: please let us know if the debug info of the "permission dropping: hang+timeout" I send you can solve anything... anyway it works now - but not optimal if other people have to service my setup...:-) !
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the timestamps I also see that there is no hang whatsoever. So it looks like there is some problem with the startup script, which I don't know. I suggest to ask what the FAILED status is caused by. We can then look why this happens.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry I have no better answer...
>>>>>>>>>>>>> Rainer
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>>>>>> ~maymann
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2012/2/1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine running as root.
>>>>>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are located on NFS (and root export of NFS is generally not a good idea !).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here is my rsyslog.conf:
>>>>>>>>>>>>>>>> #LOAD MODULES
>>>>>>>>>>>>>>>> $ModLoad imudp
>>>>>>>>>>>>>>>> $UDPServerRun 514
>>>>>>>>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>>>>>>>>> $ModLoad imtcp
>>>>>>>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>>>>>>>>> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>>>>>>>> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>>>>>>>> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>>>>>>>> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>>>>>>>> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>>>>>>>> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>>>>>>>> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>>>>>>>>> if $syslogseverity <= '6' then ?DYNmessages
>>>>>>>>>>>>>>>> if $syslogfacility-text == 'authpriv' then ?DYNsecure
>>>>>>>>>>>>>>>> if $syslogfacility-text == 'mail' then ?DYNmaillog
>>>>>>>>>>>>>>>> if $syslogfacility-text == 'cron' then ?DYNcron
>>>>>>>>>>>>>>>> if $syslogseverity-text == 'crit' then ?DYNspooler
>>>>>>>>>>>>>>>> if $syslogfacility-text == 'local7' then ?DYNboot
>>>>>>>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' then ?DYNtraps
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here is my logfile when I try to start rsyslog as a non-root user:
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997693+02:00 rsyslogd: [origin software="rsyslogd" swVersion="6.3.6" x-pid="26185" x-info="http://www.rsyslog.com"] start
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997294+02:00 rsyslogd: bind: Permission denied
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997369+02:00 rsyslogd: bind: Permission denied
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997374+02:00 rsyslogd: No UDP listen socket could successfully be initialized, message reception via UDP disabled.
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997376+02:00 rsyslogd: imudp: no listeners could be started, input not activated.
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997379+02:00 rsyslogd3: activation of module imudp failed [try http://www.rsyslog.com/e/-3 ]
>>>>>>>>>>>>>>>> 2012-01-31T15:45:52.997643+02:00 rsyslogd-2077: Could not create tcp listener, ignoring port 514. [try http://www.rsyslog.com/e/2077 ]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So permissions to bind and sockets seems to be the problem...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> yes, you cannot bind to ports <1024 as a normal user (without making some other non-standard changes through sysctl)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 1. Is it possible to make rsyslog write logfiles as a non-root user - if yes: how ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> permission drop features
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2a. Is it possible to add permissions for non-root user to run rsyslog server - if yes: how ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> pick a listening port > 1024 and it should work.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2b. How do I start rsyslog during boot as non-root user - can chkconfig do this ? do I need to edit /etc/init.d/rsyslog - if yes: how ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> su can run a command as a different user.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> although as Rainer points out, you may just be looking for the permission dropping features that are already in rsyslog.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> David Lang
>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://www.rsyslog.com/******professional-services/ >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>>>> >>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://www.rsyslog.com/******professional-services/ >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>>> >>>>>>>>>>>>> rsyslog mailing list >>>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> http://www.rsyslog.com/******professional-services/ >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> ______________________________******_________________ >>>>>>>>>>>> >>>>>>>>>>> rsyslog mailing list >>>>>>>>>>> http://lists.adiscon.net/******mailman/listinfo/rsyslog >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> http://www.rsyslog.com/******professional-services/ >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 
From david at lang.hm Sat Feb 4 09:27:16 2012 From: david at lang.hm (david at lang.hm) Date: Sat, 4 Feb 2012 00:27:16 -0800 (PST) Subject: [rsyslog] if %FROMHOST% ==
'???' then %FROMHOST% == %IP% In-Reply-To: References: Message-ID:

If Rainer creates the instrumented version it would still be good to see
what's going on. I would say that for fromhost-ip to be '???' is always a
bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
IP address, I would also consider that a bug.

It would be good to track down what's actually happening here.

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

> Hi,
>
> SOLVED...
>
> got it working...:-) !
>
> I enabled debugging (David: thanks for the hint) and this was one of the
> entries:
> ---
> Debug line with all properties:
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
> MSGID: '-',
> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
> unknown)(769216)'
> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
> 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID
> mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> ---
> The from the last line was of course the same as in the logfiles...
> I confuse this to be a client of a rsyslog-client twice... :-o !
>
> I could hereafter easily edit my /etc/rsyslog.conf respectively:
> ---
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup
> $PrivDropToUser
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> ---
>
> David+Rainer: thanks for your help... much appreciated...:-) !
>
> Br.
> ~maymann
>
> 2012/2/4
>
>> I was actually meaning for you to do this on the server where you are
>> seeing the ??? show up.
>>
>> but this does show that the sending machine thinks it's doing everything
>> correctly (assuming the you put in the message below is actually
>> correct)
>>
>> what I would want to see from the server log is one of the messages with
>> the ??? in it that you are trying to fix.
>>
>> David Lang
>>
>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>
>>> Hi,
>>>
>>> David: thanks for your reply...:-) !
>>>
>>> This is not a known client causing the "???" entries - I don't know the
>>> ip(s)/hostname(s), and this is why i would like to log IP instead of
>>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>>
>>> Can I troubleshoot on the server somehow similar... or was that the
>>> intention all along...:-o !
>>>
>>> Here is the client-debug output anyways...:
>>> # cat messages-debug
>>> Debug line with all properties:
>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>> PRI: 6,
>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>> '-', MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>
>>> Debug line with all properties:
>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>> PRI: 46,
>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>>> PROCID: '-', MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>>
>>> Debug line with all properties:
>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>> PRI: 13,
>>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
>>> MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>>> msg: ' hej'
>>> escaped msg: ' hej'
>>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/3
>>>
>>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>>
>>>> David Lang
>>>>
>>>> On Thu, 2 Feb 2012, david at lang.hm wrote:
>>>>
>>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>>> From: david at lang.hm
>>>>> Reply-To: rsyslog-users
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>
>>>>> what does one of these messages look like if you write it out with the
>>>>> RSYSLOG_DEBUG template?
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>
>>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>>> From: Michael Maymann
>>>>>> Reply-To: rsyslog-users
>>>>>> To: rsyslog-users
>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>
>>>>>> Please... Anyone?
>>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>>> This is now my rsyslog.conf:
>>>>>>> #SET PRIVILEGES
>>>>>>> $PreserveFQDN on
>>>>>>> $PrivDropToGroup
>>>>>>> $PrivDropToUser
>>>>>>> $DirCreateMode 0750
>>>>>>> $FileCreateMode 0640
>>>>>>> $UMASK 0027
>>>>>>>
>>>>>>> #LOAD MODULES
>>>>>>> $ModLoad imudp
>>>>>>> $UDPServerRun 514
>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 514
>>>>>>>
>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> #SET LOGGING CONDITIONS
>>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>>>>
>>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>>>>
>>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>>>>>>> creates ??? dir+files...
>>>>>>> What variable should I use to handle this properly ?
>>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann
>>>>>>>
>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> David: thanks for your reply...
>>>>>>>> Here is my new rsyslog.conf:
>>>>>>>> #SET PRIVILEGES
>>>>>>>> $PreserveFQDN on
>>>>>>>> $PrivDropToGroup
>>>>>>>> $PrivDropToUser
>>>>>>>> $DirCreateMode 0750
>>>>>>>> $FileCreateMode 0640
>>>>>>>> $UMASK 0027
>>>>>>>>
>>>>>>>> #LOAD MODULES
>>>>>>>> $ModLoad imudp
>>>>>>>> $UDPServerRun 514
>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>> $ModLoad imtcp
>>>>>>>> $InputTCPServerRun 514
>>>>>>>>
>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>>
>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>>
>>>>>>>> but it fails...:
>>>>>>>> # service rsyslog start
>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
>>>>>>>> number means)
>>>>>>>> [ OK ]
>>>>>>>>
>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or
>>>>>>>> how is this done...
>>>>>>>>
>>>>>>>> Thanks in advance :-) !
>>>>>>>> ~maymann
>>>>>>>>
>>>>>>>> 2012/2/1
>>>>>>>>
>>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I want to log information about hosts that are not logging with
>>>>>>>>>> correct HOSTNAME.
>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are
>>>>>>>>>> logging to...
>>>>>>>>>>
>>>>>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>
>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>>>>>> property.
>>>>>>>>>
>>>>>>>>> what you can do is to setup a different template and then if
>>>>>>>>> %fromhost% is your special pattern you can log with this different
>>>>>>>>> template.
>>>>>>>>>
>>>>>>>>> David Lang
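
[Added example, not part of any message in this thread and not rsyslog code.] The selection rule from the final configuration quoted above (FROMHOST unless it is '???', otherwise HOSTNAME), applied to RSYSLOG_DebugFormat records like the ones posted. HOSTNAME is taken from the message itself, so the sketch also refuses values that are not one plain path component; the sample records, the /srv/syslog base directory and the _unresolved directory name are constructed assumptions.

```python
import re

MARKER = "Debug line with all properties:"
UNRESOLVED = "???"           # value the thread sees when the sender was not resolved
QUARANTINE = "_unresolved"   # hypothetical directory for senders with no usable key
FIELD = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")
# One plain path component: must start alphanumeric, so "", ".", ".." and "???"
# fail, and "/" is not in the allowed set.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")

# Constructed sample, modelled on the debug entries posted in the thread.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
msg: ' hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'sw-core-01', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' lldp: PVID mismatch on port C2'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' lldp: PVID mismatch on port C2'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '../spool', PRI: 14,
syslogtag 'x:', programname: 'x', APP-NAME: 'x', PROCID: '-', MSGID: '-',
msg: ' test'
"""


def parse_records(text):
    """Return one dict per debug record with FROMHOST, fromhost-ip, HOSTNAME."""
    records = []
    for chunk in text.split(MARKER)[1:]:
        # The three properties are printed before 'syslogtag'; ignoring the rest
        # keeps text inside msg/rawmsg from being mistaken for a property.
        head = chunk.split("syslogtag", 1)[0]
        records.append(dict(FIELD.findall(head)))
    return records


def directory_key(rec):
    """Mirror the thread's rule: FROMHOST unless it is '???', else HOSTNAME."""
    fromhost = rec.get("FROMHOST", "")
    if fromhost != UNRESOLVED:
        candidate, source = fromhost, "FROMHOST"
    else:
        candidate, source = rec.get("HOSTNAME", ""), "HOSTNAME"
    if SAFE.fullmatch(candidate):
        return candidate, source
    # Empty or path-like value: do not let it name a directory.
    return QUARANTINE, "rejected " + source


def log_path(rec, base, year, month, kind):
    """Path the dynamic file templates would produce for this record."""
    key, _ = directory_key(rec)
    return f"{base}/{key}/{key}_{year}.{month:02d}_{kind}"


def both_unresolved(records):
    """Records where FROMHOST and fromhost-ip are both '???'."""
    return [r for r in records
            if r.get("FROMHOST") == UNRESOLVED and r.get("fromhost-ip") == UNRESOLVED]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(directory_key(rec), log_path(rec, "/srv/syslog", 2012, 2, "messages"))
```
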
From michael at maymann.org Sat Feb 4 09:36:36 2012 From: michael at maymann.org (Michael Maymann) Date: Sat, 4 Feb 2012 09:36:36 +0100 Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP% In-Reply-To: References: Message-ID:

Hi,

sure, let's give it a go...:-) !

~maymann

2012/2/4

> If Rainer creates the instrumented version it would still be good to see
> what's going on. I would say that for fromhost-ip to be '???' is always a
> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
> IP address, I would also consider that a bug.
>
> It would be good to track down what's actually happening here.
>
> David Lang
>
> On Sat, 4 Feb 2012, Michael Maymann wrote:
>
>> Hi,
>>
>> SOLVED...
>>
>> got it working...:-) !
then >>>>>>>>> ?DYNIPcron >>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then >>>>>>>>> ?DYNIPspooler >>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then >>>>>>>>> ?DYNIPboot >>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == >>>>>>>>> 'WARNING' >>>>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps >>>>>>>>> >>>>>>>>> but it fails...: >>>>>>>>> # service rsyslog start >>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see >>>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that >>>>>>>>> number >>>>>>>>> means) >>>>>>>>> [ OK ] >>>>>>>>> >>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct >>>>>>>>> or >>>>>>>>> how >>>>>>>>> is this done... >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks in advance :-) ! >>>>>>>>> ~maymann >>>>>>>>> >>>>>>>>> >>>>>>>>> 2012/2/1 >>>>>>>>> >>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I want to log information about hosts that are not logging with >>>>>>>>>>> correct >>>>>>>>>>> HOSTNAME. >>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are >>>>>>>>>>> logging >>>>>>>>>>> to... >>>>>>>>>>> >>>>>>>>>>> I would like to change this to the hosts IP instead, something >>>>>>>>>>> like: >>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value >>>>>>>>>>> to >>>>>>>>>>> >>>>>>>>>> a >>>>>>>>>> property. >>>>>>>>>> >>>>>>>>>> what you can do is to setup a different template and then if >>>>>>>>>> %fromhost% >>>>>>>>>> is your special pattern you can log with this different template. 
>>>>>>>>>>
>>>>>>>>>> David Lang
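A question raised in this thread, whether the account rsyslog drops privileges to can write to the log directories, can be checked before the daemon is started. The script below is an added example, not part of any message in the thread; the function names `can_write_dir` and `check_privdrop_user` are made up for illustration, and it assumes GNU `stat` and no POSIX ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the account named
# in $PrivDropToUser / $PrivDropToGroup. It decides from the owner/group/other
# mode bits whether that account may create files in a log directory.
# Assumptions: GNU stat (-c), no POSIX ACLs. On NFS the server makes the final
# decision, so treat a "yes" here as necessary, not sufficient.

# can_write_dir UID "GID GID ..." DIR
# Returns 0 if the uid/gid set has write+search on DIR, 1 if not, 2 on error.
can_write_dir() {
    cw_uid=$1
    cw_gids=$2
    cw_dir=$3

    [ -d "$cw_dir" ] || return 2
    cw_stat=$(stat -c '%u %g %a' "$cw_dir") || return 2
    # Split "owner group mode" into positional parameters.
    set -- $cw_stat
    cw_owner=$1
    cw_group=$2
    cw_mode=$((0$3))          # %a prints octal digits, e.g. 750 or 2750

    # uid 0 bypasses mode bits on a local filesystem (not on root_squash NFS).
    [ "$cw_uid" -eq 0 ] && return 0

    # POSIX picks exactly one permission class: owner, else group, else other.
    if [ "$cw_uid" -eq "$cw_owner" ]; then
        cw_bits=$(( ($cw_mode >> 6) & 7 ))
    else
        cw_bits=$(( $cw_mode & 7 ))
        for cw_g in $cw_gids; do
            if [ "$cw_g" -eq "$cw_group" ]; then
                cw_bits=$(( ($cw_mode >> 3) & 7 ))
                break
            fi
        done
    fi

    # Creating a file needs write (2) and search (1) on the directory.
    [ $(( $cw_bits & 3 )) -eq 3 ]
}

# check_privdrop_user USER DIR...
# Resolves USER with id(1) and reports every DIR it cannot create files in.
# Returns 0 if all directories pass, 1 if any fails, 2 if USER is unknown.
check_privdrop_user() {
    cp_user=$1
    shift
    cp_uid=$(id -u "$cp_user") || return 2
    cp_gids=$(id -G "$cp_user") || return 2
    cp_bad=0
    for cp_dir in "$@"; do
        if can_write_dir "$cp_uid" "$cp_gids" "$cp_dir"; then
            echo "ok:   $cp_user can create files in $cp_dir"
        else
            echo "FAIL: $cp_user cannot create files in $cp_dir" >&2
            cp_bad=$(( $cp_bad + 1 ))
        fi
    done
    [ "$cp_bad" -eq 0 ]
}
```

Run `check_privdrop_user` with the privilege-drop account and the base directory of each dynamic file template; with `$DirCreateMode 0750` the per-host subdirectories rsyslog creates afterwards are owned by that account.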
From michael at maymann.org Sat Feb 4 09:47:04 2012
From: michael at maymann.org (Michael Maymann)
Date: Sat, 4 Feb 2012 09:47:04 +0100
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA728183E@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

Hi David,

I don't say that you are wrong..., But rsyslog is working just fine when it is started without the /-n. Only when this is enabled "the trouble" starts...
Wouldn't the right thing be to change rsyslog to handle the RHEL-difference(s) if this is a platform that you wish it should be "supported" on ?
Anyway, that's just my 5c... (don't kill me...) :-) !

Br.
~maymann

2012/2/4

> the thing that you still aren't recognizing is that for most distros,
> nothing does need to be done, just the -c 6 option is all that's needed.
>
> I don't understand what Red Hat has done to make this not work and since I
> don't have any RHEL 6.1 systems I can't even try to troubleshoot this.
>
> I'm glad that you finally got it working, but I would suggest that you
> send a note to Red Hat so that they can figure out what's up with their
> startup script.
>
> David Lang
>
> On Sat, 4 Feb 2012, Michael Maymann wrote:
>
>> Hi David,
>>
>> thanks for your reply.
>> Now I got it working... :-) !
>>
>> I'm running on RHEL6.1_x64 and my /etc/init.d/rsyslog is standard, only
>> thing changed is:
>> #exec=/sbin/rsyslogd
>> exec=/usr/sbin/rsyslogd
>>
>> I have now the following in my /etc/sysconfig/rsyslog:
>> SYSLOGD_OPTIONS="-c 6 &"
>>
>> so without the "-n" option but with the "&" the startup script now works
>> perfectly, and the mother process also lives for the first 5 minutes (As
>> Rainer was so kind to find in the code - thanks !) as it should, to make
>> sure everything starts up properly.
>>
>> The "-n &" made the startup-script work, but killed the mother process
>> right away.
>> The "-n" made the startup-script fail after 5 minutes (when mother process
>> died), but rsyslog worked as it should.
>>
>> I still think that when using this behaviour should be
>> enforced from within rsyslog code itself (as users then didn't have to add
>> anything to their /etc/sysconfig/rsyslog), but I leave it up to others to
>> decide this...!
>>
>> David+Rainer: Thanks for your help on this...much appreciated...:-) !
>> ~maymann
>>
>> 2012/2/4
>>
>>> Ok, looking through this script, one thing I see is that there is a
>>> comment character before the debug flag and the redirect of the output.
>>>
>>> as part of just general troubleshooting 101, I would want to capture the
>>> stdout and stderr of the process that's not working, so could you remove
>>> the "#-d" from the line and add "2>&1" to the line and see if anything
>>> interesting shows up in the log?
>>>
>>> the second thing is that this script is not starting rsyslog directly,
>>> it's using the command "daemon" to start rsyslog. It's possible that having
>>> rsyslog background itself and let the parent exit is confusing "daemon"
>>> (because daemon is monitoring the child process and when it exits, daemon
>>> assumes that something is wrong). If that's the case then it should work
>>> with the -n option to tell rsyslog not to background itself. The fact that
>>> adding it causes the startup script to never complete makes me think that
>>> daemon isn't doing its job properly.
>>>
>>> you say that this is /etc/init.d/rsyslog.conf, but then the first line is
>>> referring to /etc/init.d/rsyslog, which is it? if this is a config file
>>> that some other script is using, the problem may be in that other script.
>>>
>>> I think you mentioned somewhere along the line, but I don't remember, what
>>> distro is this?
>>>
>>> In any case, this file has a bunch of stuff at the top that makes me think
>>> this is not a standard init file.
>>>
>>> this looks similar to an upstart file, but doesn't match my Ubuntu systems.
>>>
>>> David Lang
>>>
>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>
>>>> Date: Fri, 3 Feb 2012 22:21:45 +0100
>>>> From: Michael Maymann
>>>> Reply-To: rsyslog-users
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>
>>>> Hi,
>>>>
>>>> starting it manually doesn't return the prompt either...:-( !
>>>>
>>>> here is my current /etc/init.d/rsyslog.conf anyway...:
>>>> # cat /etc/init.d/rsyslog
>>>> #!/bin/bash
>>>> #set -x
>>>> #
>>>> # rsyslog Starts rsyslogd/rklogd.
>>>> #
>>>> #
>>>> # chkconfig: 2345 12 88
>>>> # description: Syslog is the facility by which many daemons use to log \
>>>> # messages to various system log files. It is a good idea to always \
>>>> # run rsyslog.
>>>> ### BEGIN INIT INFO
>>>> # Provides: $syslog
>>>> # Required-Start: $local_fs
>>>> # Required-Stop: $local_fs
>>>> # Default-Start: 2 3 4 5
>>>> # Default-Stop: 0 1 6
>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>> # among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>> # sender lists, filtering on any message part, and fine
>>>> # grain output format control.
>>>> ### END INIT INFO
>>>> # Source function library.
>>>> . /etc/init.d/functions
>>>> RETVAL=0
>>>> PIDFILE=/var/run/syslogd.pid
>>>> #PIDFILE=/tmp/syslogd.pid
>>>> prog=rsyslogd
>>>> #exec=/sbin/rsyslogd
>>>> exec=/usr/sbin/rsyslogd
>>>> lockfile=/var/lock/subsys/$prog
>>>> #lockfile=/tmp/$prog
>>>> start() {
>>>>     [ -x $exec ] || exit 5
>>>>     # Source config
>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>         . /etc/sysconfig/rsyslog
>>>>     fi
>>>>     umask 077
>>>>     echo -n $"Starting system logger: "
>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> /tmp/rsyslog.log
>>>>     RETVAL=$?
>>>>     echo
>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>     return $RETVAL
>>>> }
>>>> stop() {
>>>>     echo -n $"Shutting down system logger: "
>>>>     killproc $prog
>>>>     RETVAL=$?
>>>>     echo
>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>     return $RETVAL
>>>> }
>>>> reload() {
>>>>     RETVAL=1
>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>     echo -n "Reloading system logger..."
>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>         kill -HUP "$syslog";
>>>>         RETVAL=$?
>>>>     fi
>>>>     if [ $RETVAL -ne 0 ]; then
>>>>         failure
>>>>     else
>>>>         success
>>>>     fi
>>>>     echo
>>>>     return $RETVAL
>>>> }
>>>> rhstatus() {
>>>>     status -p "${PIDFILE}" $prog
>>>> }
>>>> restart() {
>>>>     stop
>>>>     start
>>>> }
>>>> case "$1" in
>>>>     start)
>>>>         start
>>>>         ;;
>>>>     stop)
>>>>         stop
>>>>         ;;
>>>>     restart)
>>>>         restart
>>>>         ;;
>>>>     reload|force-reload)
>>>>         reload
>>>>         ;;
>>>>     status)
>>>>         rhstatus
>>>>         ;;
>>>>     condrestart|try-restart)
>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>         restart
>>>>         ;;
>>>>     *)
>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>         exit 2
>>>> esac
>>>> exit $?
>>>>
>>>> Please anyone who can help with this ?
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>> 2012/2/3 Michael Maymann
>>>>
>>>>> Hi,
>>>>>
>>>>> Yes I have, and now set them to /tmp just for testing, but same thing...:
>>>>> PIDFILE=/tmp/syslogd.pi
>>>>> lockfile=/tmp/$prog
>>>>>
>>>>> When started manually, it seems to be working just fine... also after 5
>>>>> minutes...:-) !:
>>>>> root 1498 1 0 Feb01 ? 00:00:00 /usr/sbin/sshd
>>>>> root 14128 1498 0 09:03 ? 00:00:00 sshd: root at pts/0
>>>>> root 14131 14128 0 09:04 pts/0 00:00:00 -bash
>>>>> 15442 14131 0 11:51 pts/0 00:00:00 /usr/sbin/rsyslogd -c 6 -n
>>>>>
>>>>> How can I implement similar behaviour to
>>>>> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/3
>>>>>
>>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> David: unfortunately this was not the case...:
>>>>>>> # cat /etc/sysconfig/selinux
>>>>>>> # This file controls the state of SELinux on the system.
>>>>>>> # SELINUX= can take one of these three values:
>>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>>> # disabled - SELinux is fully disabled.
>>>>>>> SELINUX=disabled
>>>>>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>>>>>> # targeted - Only targeted network daemons are protected.
>>>>>>> # strict - Full SELinux protection.
>>>>>>> SELINUXTYPE=targeted
>>>>>>>
>>>>>>> What else could cause this problem ?
>>>>>>
>>>>>> possibly a silly question, but have you verified that the user you are
>>>>>> dropping privileges to has write permission on the directories that you
>>>>>> write logs (and any queue files) to?
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann
>>>>>>>
>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> David: Thanks for your reply - sounds possible...
I will try this >>>>>>>> first >>>>>>>> thing tomorrow morning and report back with findings... >>>>>>>> >>>>>>>> Br. >>>>>>>> ~maymann >>>>>>>> >>>>>>>> 2012/2/2 >>>>>>>> >>>>>>>> On Thu, 2 Feb 2012, Michael Maymann wrote: >>>>>>>> >>>>>>>> >>>>>>>> Hi Rainer, >>>>>>>>> >>>>>>>>> >>>>>>>>> I really have my doubts it has something to do with my startup >>>>>>>>>> script: >>>>>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default >>>>>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf. >>>>>>>>>> >>>>>>>>>> I'm running on RHEL6.1_x64. >>>>>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can >>>>>>>>>> test...? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> my guess is that this is a SELINUX related problem. >>>>>>>>> >>>>>>>>> what happens if you try to start rsyslog manually (not by running >>>>>>>>> the >>>>>>>>> startup script, but just running 'rsyslogd -c 6' " >>>>>>>>> >>>>>>>>> David Lang >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks in advance :-) ! >>>>>>>>> >>>>>>>>> ~maymann >>>>>>>>>> >>>>>>>>>> 2012/2/2 Michael Maymann >>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything >>>>>>>>>>> about >>>>>>>>>>> failing in the logs... and it actually doesn't fail... it works >>>>>>>>>>> and >>>>>>>>>>> after >>>>>>>>>>> the timeout+failed notice only the proccess owned by >>>>>>>>>>> PrivDropToUser-USER is >>>>>>>>>>> present, but now owned by the init-proccess (mother proccess >>>>>>>>>>> dies): >>>>>>>>>>> >>>>>>>>>>> # service rsyslog start >>>>>>>>>>> Starting system logger: >>>>>>>>>>> [FAILED] >>>>>>>>>>> >>>>>>>>>>> BEFORE failed status: >>>>>>>>>>> root 9126 9125 0 11:07 pts/1 00:00:00 >>>>>>>>>>> /usr/sbin/rsyslogd >>>>>>>>>>> -c 6 >>>>>>>>>>> 9131 9126 0 11:07 ? 
00:00:00 >>>>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>>>> >>>>>>>>>>> AFTER failed status root-owned proccess is killed and >>>>>>>>>>> PrivDropToUser-USER >>>>>>>>>>> owned proccess is therefore gets owned by init: >>>>>>>>>>> 9131 1 0 11:07 ? 00:00:00 >>>>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>>>> >>>>>>>>>>> Anyone who can help with this...?: >>>>>>>>>>> here is the debug output when starting running the init-script: >>>>>>>>>>> #/etc/init.d/rsyslog start >>>>>>>>>>> + . /etc/init.d/functions >>>>>>>>>>> ++ TEXTDOMAIN=initscripts >>>>>>>>>>> ++ umask 022 >>>>>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/********usr/bin >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ++ export PATH >>>>>>>>>>> ++ '[' -z '' ']' >>>>>>>>>>> ++ COLUMNS=80 >>>>>>>>>>> ++ '[' -z '' ']' >>>>>>>>>>> +++ /sbin/consoletype >>>>>>>>>>> ++ CONSOLETYPE=pty >>>>>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']' >>>>>>>>>>> ++ . /etc/profile.d/lang.sh >>>>>>>>>>> ++ unset LANGSH_SOURCED >>>>>>>>>>> ++ '[' -z '' ']' >>>>>>>>>>> ++ '[' -f /etc/sysconfig/init ']' >>>>>>>>>>> ++ . 
/etc/sysconfig/init >>>>>>>>>>> +++ BOOTUP=color >>>>>>>>>>> +++ RES_COL=60 >>>>>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G' >>>>>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m' >>>>>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m' >>>>>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m' >>>>>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m' >>>>>>>>>>> +++ PROMPT=yes >>>>>>>>>>> +++ AUTOSWAP=no >>>>>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]********' >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> +++ SINGLE=/sbin/sushell >>>>>>>>>>> ++ '[' pty = serial ']' >>>>>>>>>>> ++ >>>>>>>>>>> __sed_discard_ignored_files='/********\(~\|\.bak\|\.orig\|\.**** >>>>>>>>>>> ** >>>>>>>>>>> >>>>>>>>>>> rpmnew\|** >>>>>>>>>>> >>>>>>>>>>> \.rpmorig\|\.rpmsave\)$/d' >>>>>>>>>>> + RETVAL=0 >>>>>>>>>>> + PIDFILE=/var/run/syslogd.pid >>>>>>>>>>> + prog=rsyslogd >>>>>>>>>>> + exec=/usr/sbin/rsyslogd >>>>>>>>>>> + lockfile=/var/lock/subsys/********rsyslogd >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> + case "$1" in >>>>>>>>>>> + start >>>>>>>>>>> + '[' -x /usr/sbin/rsyslogd ']' >>>>>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']' >>>>>>>>>>> + . 
/etc/sysconfig/rsyslog >>>>>>>>>>> ++ SYSLOGD_OPTIONS='-c 6' >>>>>>>>>>> + umask 077 >>>>>>>>>>> + echo -n 'Starting system logger: ' >>>>>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid >>>>>>>>>>> /usr/sbin/rsyslogd -c 6 >>>>>>>>>>> + local gotbase= force= nicelevel corelimit >>>>>>>>>>> + local pid base= user= nice= bg= pid_file= >>>>>>>>>>> + local cgroup= >>>>>>>>>>> + nicelevel=0 >>>>>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' >>>>>>>>>>> -pidfile=/var/run/syslogd.pid >>>>>>>>>>> ']' >>>>>>>>>>> + case $1 in >>>>>>>>>>> + pid_file=/var/run/syslogd.pid >>>>>>>>>>> + shift >>>>>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']' >>>>>>>>>>> + '[' -z '' ']' >>>>>>>>>>> + base=rsyslogd >>>>>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid >>>>>>>>>>> + local base=rsyslogd >>>>>>>>>>> + local pid_file=/var/run/syslogd.pid >>>>>>>>>>> + pid= >>>>>>>>>>> + '[' -f /var/run/syslogd.pid ']' >>>>>>>>>>> + return 3 >>>>>>>>>>> + '[' -n '' -a -z '' ']' >>>>>>>>>>> + corelimit='ulimit -S -c 0' >>>>>>>>>>> + '[' -n '' ']' >>>>>>>>>>> + '[' -n '' ']' >>>>>>>>>>> + '[' color = verbose -a -z '' ']' >>>>>>>>>>> + '[' -z '' ']' >>>>>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; >>>>>>>>>>> /usr/sbin/rsyslogd >>>>>>>>>>> -c >>>>>>>>>>> 6' >>>>>>>>>>> ... >>>>>>>>>>> (hangs here for a long time) >>>>>>>>>>> ... 
>>>>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>>>>> + failure 'rsyslogd startup' >>>>>>>>>>> + local rc=1 >>>>>>>>>>> + '[' color '!=' verbose -a -z '' ']' >>>>>>>>>>> + echo_failure >>>>>>>>>>> + '[' color = color ']' >>>>>>>>>>> + echo -en '\033[60G' >>>>>>>>>>> + echo -n >>>>>>>>>>> '[' >>>>>>>>>>> [+ '[' color = color ']' >>>>>>>>>>> + echo -en '\033[0;31m' >>>>>>>>>>> + echo -n FAILED >>>>>>>>>>> FAILED+ '[' color = color ']' >>>>>>>>>>> + echo -en '\033[0;39m' >>>>>>>>>>> + echo -n ']' >>>>>>>>>>> ]+ echo -ne '\r' >>>>>>>>>>> + return 1 >>>>>>>>>>> + '[' -x /usr/bin/plymouth ']' >>>>>>>>>>> + /usr/bin/plymouth --details >>>>>>>>>>> + return 1 >>>>>>>>>>> + RETVAL=1 >>>>>>>>>>> + echo >>>>>>>>>>> >>>>>>>>>>> + '[' 1 -eq 0 ']' >>>>>>>>>>> + return 1 >>>>>>>>>>> + exit 1 >>>>>>>>>>> >>>>>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys >>>>>>>>>>> - >>>>>>>>>>> but >>>>>>>>>>> same thing happens... >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thanks in advance :-) ! >>>>>>>>>>> >>>>>>>>>>> Br. >>>>>>>>>>> ~maymann >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>>>> >>>>>>>>>>> I can only help you with that part if you point me to why >>>>>>>>>>> exactly >>>>>>>>>>> the >>>>>>>>>>> >>>>>>>>>>> script >>>>>>>>>>> >>>>>>>>>>>> claims what it does. So you may want to try find someone who can >>>>>>>>>>>> do >>>>>>>>>>>> that. 
>>>>>>>>>>>> I >>>>>>>>>>>> know this is probably a trivial question, but I don't know >>>>>>>>>>>> anything >>>>>>>>>>>> ;) >>>>>>>>>>>> >>>>>>>>>>>> Sry, rainer >>>>>>>>>>>> >>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>> >>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.**** >>>>>>>>>>>> >>>>>>>>>>>>> ****com>>>>>>>>>>>> **adiscon.com >>>>>>>>>>>>> >>>>>>>>>>>>> > >>>>>>>>>>>>> >>>>>>>>>>>>> [mailto: >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> rsyslog- >>>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>>> >>>>>>>>>>>>> Here is my startup script... only thing changed is the path to >>>>>>>>>>>>> the >>>>>>>>>>>>> new >>>>>>>>>>>>> 6.3.6-rsyslog-devel binary. >>>>>>>>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but >>>>>>>>>>>>> failes >>>>>>>>>>>>> if i >>>>>>>>>>>>> have >>>>>>>>>>>>> both or one of the entries...: >>>>>>>>>>>>> #!/bin/bash >>>>>>>>>>>>> # >>>>>>>>>>>>> # rsyslog Starts rsyslogd/rklogd. >>>>>>>>>>>>> # >>>>>>>>>>>>> # >>>>>>>>>>>>> # chkconfig: 2345 12 88 >>>>>>>>>>>>> # description: Syslog is the facility by which many daemons use >>>>>>>>>>>>> to >>>>>>>>>>>>> log >>>>>>>>>>>>> \ >>>>>>>>>>>>> # messages to various system log files. It is a good idea to >>>>>>>>>>>>> always \ >>>>>>>>>>>>> # run rsyslog. 
>>>>>>>>>>>>> ### BEGIN INIT INFO >>>>>>>>>>>>> # Provides: $syslog >>>>>>>>>>>>> # Required-Start: $local_fs >>>>>>>>>>>>> # Required-Stop: $local_fs >>>>>>>>>>>>> # Default-Start: 2 3 4 5 >>>>>>>>>>>>> # Default-Stop: 0 1 6 >>>>>>>>>>>>> # Short-Description: Enhanced system logging and kernel message >>>>>>>>>>>>> trapping >>>>>>>>>>>>> daemons >>>>>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd >>>>>>>>>>>>> supporting, >>>>>>>>>>>>> # among others, MySQL, syslog/tcp, RFC 3195, >>>>>>>>>>>>> permitted >>>>>>>>>>>>> # sender lists, filtering on any message part, and >>>>>>>>>>>>> fine >>>>>>>>>>>>> # grain output format control. >>>>>>>>>>>>> ### END INIT INFO >>>>>>>>>>>>> >>>>>>>>>>>>> # Source function library. >>>>>>>>>>>>> . /etc/init.d/functions >>>>>>>>>>>>> >>>>>>>>>>>>> RETVAL=0 >>>>>>>>>>>>> PIDFILE=/var/run/syslogd.pid >>>>>>>>>>>>> >>>>>>>>>>>>> prog=rsyslogd >>>>>>>>>>>>> #exec=/sbin/rsyslogd >>>>>>>>>>>>> exec=/usr/sbin/rsyslogd >>>>>>>>>>>>> lockfile=/var/lock/subsys/$********prog >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> start() { >>>>>>>>>>>>> [ -x $exec ] || exit 5 >>>>>>>>>>>>> >>>>>>>>>>>>> # Source config >>>>>>>>>>>>> if [ -f /etc/sysconfig/rsyslog ] ; then >>>>>>>>>>>>> . /etc/sysconfig/rsyslog >>>>>>>>>>>>> fi >>>>>>>>>>>>> umask 077 >>>>>>>>>>>>> >>>>>>>>>>>>> echo -n $"Starting system logger: " >>>>>>>>>>>>> daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS >>>>>>>>>>>>> RETVAL=$? >>>>>>>>>>>>> echo >>>>>>>>>>>>> [ $RETVAL -eq 0 ] && touch $lockfile >>>>>>>>>>>>> return $RETVAL >>>>>>>>>>>>> } >>>>>>>>>>>>> stop() { >>>>>>>>>>>>> echo -n $"Shutting down system logger: " >>>>>>>>>>>>> killproc $prog >>>>>>>>>>>>> RETVAL=$? >>>>>>>>>>>>> echo >>>>>>>>>>>>> [ $RETVAL -eq 0 ] && rm -f $lockfile >>>>>>>>>>>>> return $RETVAL >>>>>>>>>>>>> } >>>>>>>>>>>>> reload() { >>>>>>>>>>>>> RETVAL=1 >>>>>>>>>>>>> syslog=$(cat "${PIDFILE}" 2>/dev/null) >>>>>>>>>>>>> echo -n "Reloading system logger..." 
>>>>>>>>>>>>> if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then >>>>>>>>>>>>> kill -HUP "$syslog"; >>>>>>>>>>>>> RETVAL=$? >>>>>>>>>>>>> fi >>>>>>>>>>>>> if [ $RETVAL -ne 0 ]; then >>>>>>>>>>>>> failure >>>>>>>>>>>>> else >>>>>>>>>>>>> success >>>>>>>>>>>>> fi >>>>>>>>>>>>> echo >>>>>>>>>>>>> return $RETVAL >>>>>>>>>>>>> } >>>>>>>>>>>>> rhstatus() { >>>>>>>>>>>>> status -p "${PIDFILE}" $prog >>>>>>>>>>>>> } >>>>>>>>>>>>> restart() { >>>>>>>>>>>>> stop >>>>>>>>>>>>> start >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> case "$1" in >>>>>>>>>>>>> start) >>>>>>>>>>>>> start >>>>>>>>>>>>> ;; >>>>>>>>>>>>> stop) >>>>>>>>>>>>> stop >>>>>>>>>>>>> ;; >>>>>>>>>>>>> restart) >>>>>>>>>>>>> restart >>>>>>>>>>>>> ;; >>>>>>>>>>>>> reload|force-reload) >>>>>>>>>>>>> reload >>>>>>>>>>>>> ;; >>>>>>>>>>>>> status) >>>>>>>>>>>>> rhstatus >>>>>>>>>>>>> ;; >>>>>>>>>>>>> condrestart|try-restart) >>>>>>>>>>>>> rhstatus >/dev/null 2>&1 || exit 0 >>>>>>>>>>>>> restart >>>>>>>>>>>>> ;; >>>>>>>>>>>>> *) >>>>>>>>>>>>> echo $"Usage: $0 >>>>>>>>>>>>> {start|stop|restart|********condrestart|try-restart|****** >>>>>>>>>>>>> >>>>>>>>>>>>> reload|force- >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> reload|status}" >>>>>>>>>>>>> exit 2 >>>>>>>>>>>>> esac >>>>>>>>>>>>> >>>>>>>>>>>>> exit $? 
>>>>>>>>>>>>> >>>>>>>>>>>>> 2012/2/2 Rainer Gerhards >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.********com< >>>>>>>>>>>>>> >>>>>>>>>>>>>>> rsyslog-bounces at lists.****adisco**n.com >>>>>>>>>>>>>> >< >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> rsyslog-bounces at lists.**adisco**n.com < >>>>>>>>>>>>>>> rsyslog-bounces at lists.**adiscon.com >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> [mailto: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> rsyslog- >>>>>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM >>>>>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> David: thanks - got it working with permission dropping, by >>>>>>>>>>>>>>> far >>>>>>>>>>>>>>> my >>>>>>>>>>>>>>> prefered >>>>>>>>>>>>>>> configuration... just didn't know of it...:-) ! >>>>>>>>>>>>>>> Rainer: please let us know if the debug info of the >>>>>>>>>>>>>>> "permission >>>>>>>>>>>>>>> dropping: >>>>>>>>>>>>>>> hang+timeout" I send you can solve anything... anyway it >>>>>>>>>>>>>>> works >>>>>>>>>>>>>>> now >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> but >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> not optimal if other people have to service my setup...:-) ! >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> From >>>>>>>>>>>>>> the >>>>>>>>>>>>>> timestamps I also see that there is no hang whatsoever. 
So it >>>>>>>>>>>>>> looks >>>>>>>>>>>>>> >>>>>>>>>>>>>> like >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> there is some problem with the startup script, which I don't >>>>>>>>>>>>> >>>>>>>>>>>>> know. I >>>>>>>>>>>>>> suggest >>>>>>>>>>>>>> to ask what the FAILED status is caused by. We can then look >>>>>>>>>>>>>> why >>>>>>>>>>>>>> this >>>>>>>>>>>>>> happens. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Sorry I have no better answer... >>>>>>>>>>>>>> Rainer >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks in advance :-) ! >>>>>>>>>>>>>> >>>>>>>>>>>>>> ~maymann >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 2012/2/1 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is >>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> fine >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> running >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> as root. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> located >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> on NFS >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> (and root export of NFS is generally not a good idea !). 
From david at lang.hm Sat Feb 4 09:55:44 2012
From: david at lang.hm (david at lang.hm)
Date: Sat, 4 Feb 2012 00:55:44 -0800 (PST)
Subject: [rsyslog] rsyslog as non-root user
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA7281841@GRFEXC.intern.adiscon.com>
Message-ID:

someone first needs to identify those differences, and the best people to do that are Red Hat.

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

> Date: Sat, 4 Feb 2012 09:47:04 +0100
> From: Michael Maymann
> Reply-To: rsyslog-users
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog as non-root user
>
> Hi David,
>
> I don't say that you are wrong...,
>
> But rsyslog is working just fine when it is started without the
> /-n. Only when this is enabled "the trouble" starts...
> Wouldn't the right thing be to change rsyslog to handle the
> RHEL-difference(s) if this is a platform that you wish it should be
> "supported" on ?
>
> Anyway, that's just my 5c... (don't kill me...) :-) !
>
> Br.
> ~maymann
>
>
> 2012/2/4
>
>> the thing that you still aren't recognizing is that for most distros,
>> nothing does need to be done, just the -c 6 option is all that's needed.
>>
>> I don't understand what Red Hat has done to make this not work and since I
>> don't have any RHEL 6.1 systems I can't even try to troubleshoot this.
>>
>> I'm glad that you finally got it working, but I would suggest that you
>> send a note to Red Hat so that they can figure out what's up with their
>> startup script.
>>
>> David Lang
>>
>>
>> On Sat, 4 Feb 2012, Michael Maymann wrote:
>>
>>> Hi David,
>>>
>>> thanks for your reply.
>>> Now I got it working... :-) !
>>>
>>> I'm running on RHEL6.1_x64 and my /etc/init.d/rsyslog is standard, only
>>> thing changed is:
>>> #exec=/sbin/rsyslogd
>>> exec=/usr/sbin/rsyslogd
>>>
>>> I have now the following in my /etc/sysconfig/rsyslog:
>>> SYSLOGD_OPTIONS="-c 6 &"
>>>
>>> so without the "-n" option but with the "&" the startup script now works
>>> perfectly, and the mother process also lives for the first 5 minutes (As
>>> Rainer was so kind to find in the code - thanks !) as it should, to make
>>> sure everything starts up properly.
>>>
>>> The "-n &" made the startup-script work, but killed the mother process
>>> right away.
>>> The "-n" made the startup-script fail after 5 minutes (when mother process
>>> died), but rsyslog worked as it should.
>>>
>>> I still think that when using this behaviour should be
>>> enforced from within rsyslog code itself (as users then didn't have to add
>>> anything to their /etc/sysconfig/rsyslog), but I leave it up to others to
>>> decide this...!
>>>
>>>
>>> David+Rainer: Thanks for your help on this...much appreciated...:-) !
>>> ~maymann
>>>
>>>
>>> 2012/2/4
>>>
>>>> Ok, looking through this script, one thing I see is that there is a
>>>> comment character before the debug flag and the redirect of the output.
>>>>
>>>> as part of just general troubleshooting 101, I would want to capture the
>>>> stdout and stderr of the process that's not working, so could you remove
>>>> the "#-d" from the line and add "2>&1" to the line and see if anything
>>>> interesting shows up in the log?
>>>>
>>>> the second thing is that this script is not starting rsyslog directly,
>>>> it's using the command "daemon" to start rsyslog. It's possible that having
>>>> rsyslog background itself and let the parent exit is confusing "daemon"
>>>> (because daemon is monitoring the child process and when it exits, daemon
>>>> assumes that something is wrong). If that's the case then it should work
>>>> with the -n option to tell rsyslog not to background itself.
>>>> The fact that adding it causes the startup script to never complete makes
>>>> me think that daemon isn't doing its job properly.
>>>>
>>>> you say that this is /etc/init.d/rsyslog.conf, but then the first line is
>>>> referring to /etc/init.d/rsyslog, which is it? if this is a config file
>>>> that some other script is using, the problem may be in that other script.
>>>>
>>>> I think you mentioned somewhere along the line, but I don't remember, what
>>>> distro is this?
>>>>
>>>> In any case, this file has a bunch of stuff at the top that makes me think
>>>> this is not a standard init file.
>>>>
>>>> this looks similar to an upstart file, but doesn't match my Ubuntu systems.
>>>>
>>>> David Lang
>>>>
>>>>
>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>
>>>>> Date: Fri, 3 Feb 2012 22:21:45 +0100
>>>>> From: Michael Maymann
>>>>> Reply-To: rsyslog-users
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>
>>>>> Hi,
>>>>>
>>>>> starting it manually doesn't return the prompt either...:-( !
>>>>>
>>>>> here is my current /etc/init.d/rsyslog.conf anyway...:
>>>>> # cat /etc/init.d/rsyslog
>>>>> #!/bin/bash
>>>>> #set -x
>>>>> #
>>>>> # rsyslog Starts rsyslogd/rklogd.
>>>>> #
>>>>> #
>>>>> # chkconfig: 2345 12 88
>>>>> # description: Syslog is the facility by which many daemons use to log \
>>>>> # messages to various system log files. It is a good idea to always \
>>>>> # run rsyslog.
>>>>> ### BEGIN INIT INFO
>>>>> # Provides: $syslog
>>>>> # Required-Start: $local_fs
>>>>> # Required-Stop: $local_fs
>>>>> # Default-Start: 2 3 4 5
>>>>> # Default-Stop: 0 1 6
>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>> #              sender lists, filtering on any message part, and fine
>>>>> #              grain output format control.
>>>>> ### END INIT INFO
>>>>> # Source function library.
>>>>> . /etc/init.d/functions
>>>>> RETVAL=0
>>>>> PIDFILE=/var/run/syslogd.pid
>>>>> #PIDFILE=/tmp/syslogd.pid
>>>>> prog=rsyslogd
>>>>> #exec=/sbin/rsyslogd
>>>>> exec=/usr/sbin/rsyslogd
>>>>> lockfile=/var/lock/subsys/$prog
>>>>> #lockfile=/tmp/$prog
>>>>> start() {
>>>>>     [ -x $exec ] || exit 5
>>>>>     # Source config
>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>         . /etc/sysconfig/rsyslog
>>>>>     fi
>>>>>     umask 077
>>>>>     echo -n $"Starting system logger: "
>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS #-d &> /tmp/rsyslog.log
>>>>>     RETVAL=$?
>>>>>     echo
>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>     return $RETVAL
>>>>> }
>>>>> stop() {
>>>>>     echo -n $"Shutting down system logger: "
>>>>>     killproc $prog
>>>>>     RETVAL=$?
>>>>>     echo
>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>     return $RETVAL
>>>>> }
>>>>> reload() {
>>>>>     RETVAL=1
>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>     echo -n "Reloading system logger..."
>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>         kill -HUP "$syslog";
>>>>>         RETVAL=$?
>>>>>     fi
>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>         failure
>>>>>     else
>>>>>         success
>>>>>     fi
>>>>>     echo
>>>>>     return $RETVAL
>>>>> }
>>>>> rhstatus() {
>>>>>     status -p "${PIDFILE}" $prog
>>>>> }
>>>>> restart() {
>>>>>     stop
>>>>>     start
>>>>> }
>>>>> case "$1" in
>>>>>   start)
>>>>>     start
>>>>>     ;;
>>>>>   stop)
>>>>>     stop
>>>>>     ;;
>>>>>   restart)
>>>>>     restart
>>>>>     ;;
>>>>>   reload|force-reload)
>>>>>     reload
>>>>>     ;;
>>>>>   status)
>>>>>     rhstatus
>>>>>     ;;
>>>>>   condrestart|try-restart)
>>>>>     rhstatus >/dev/null 2>&1 || exit 0
>>>>>     restart
>>>>>     ;;
>>>>>   *)
>>>>>     echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>     exit 2
>>>>> esac
>>>>> exit $?
>>>>>
>>>>>
>>>>> Please anyone who can help with this ?
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/3 Michael Maymann
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes I have, and now set them to /tmp just for testing, but same thing...:
>>>>>> PIDFILE=/tmp/syslogd.pi
>>>>>> lockfile=/tmp/$prog
>>>>>>
>>>>>> When started manually, it seems to be working just fine... also after 5
>>>>>> minutes...:-) !:
>>>>>> root      1498     1  0 Feb01 ?        00:00:00 /usr/sbin/sshd
>>>>>> root     14128  1498  0 09:03 ?        00:00:00 sshd: root at pts/0
>>>>>> root     14131 14128  0 09:04 pts/0    00:00:00 -bash
>>>>>>          15442 14131  0 11:51 pts/0    00:00:00 /usr/sbin/rsyslogd -c 6 -n
>>>>>>
>>>>>> How can I implement similar behaviour to
>>>>>> /etc/init.d/rsyslog+/etc/sysconfig/rsyslog...?
>>>>>>
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/3
>>>>>>
>>>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> David: unfortunately this was not the case...:
>>>>>>>> # cat /etc/sysconfig/selinux
>>>>>>>> # This file controls the state of SELinux on the system.
>>>>>>>> # SELINUX= can take one of these three values:
>>>>>>>> # enforcing - SELinux security policy is enforced.
>>>>>>>> # permissive - SELinux prints warnings instead of enforcing.
>>>>>>>> # disabled - SELinux is fully disabled.
>>>>>>>> SELINUX=disabled
>>>>>>>> # SELINUXTYPE= type of policy in use. Possible values are:
>>>>>>>> # targeted - Only targeted network daemons are protected.
>>>>>>>> # strict - Full SELinux protection.
>>>>>>>> SELINUXTYPE=targeted
>>>>>>>>
>>>>>>>> What else could cause this problem ?
>>>>>>>
>>>>>>> possibly a silly question, but have you verified that the user you are
>>>>>>> dropping privileges to has write permission on the directories that you
>>>>>>> write logs (and any queue files) to?
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>>> Thanks in advance :-) !
>>>>>>>> ~maymann
>>>>>>>>
>>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> David: Thanks for your reply - sounds possible... I will try this first
>>>>>>>>> thing tomorrow morning and report back with findings...
>>>>>>>>>
>>>>>>>>> Br.
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>> 2012/2/2
>>>>>>>>>
>>>>>>>>>> On Thu, 2 Feb 2012, Michael Maymann wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Rainer,
>>>>>>>>>>>
>>>>>>>>>>> I really have my doubts it has something to do with my startup script:
>>>>>>>>>>> 1. I only changed the exec=/usr/sbin/rsyslogd from default
>>>>>>>>>>> 2. It works perfectly when PrivDropTo is not used in rsyslog.conf.
>>>>>>>>>>>
>>>>>>>>>>> I'm running on RHEL6.1_x64.
>>>>>>>>>>> Do you have a working /etc/init.d/rsyslog what you can share/I can
>>>>>>>>>>> test...?
>>>>>>>>>>
>>>>>>>>>> my guess is that this is a SELINUX related problem.
>>>>>>>>>>
>>>>>>>>>> what happens if you try to start rsyslog manually (not by running the
>>>>>>>>>> startup script, but just running 'rsyslogd -c 6')
>>>>>>>>>>
>>>>>>>>>> David Lang
>>>>>>>>>>
>>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>>> ~maymann
>>>>>>>>>>>
>>>>>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Rainer: Sorry... forgot to mention that it doesn't say anything about
>>>>>>>>>>>> failing in the logs... and it actually doesn't fail...
>>>>>>>>>>>> it works and after
>>>>>>>>>>>> the timeout+failed notice only the process owned by PrivDropToUser-USER is
>>>>>>>>>>>> present, but now owned by the init-process (mother process dies):
>>>>>>>>>>>>
>>>>>>>>>>>> # service rsyslog start
>>>>>>>>>>>> Starting system logger:                                    [FAILED]
>>>>>>>>>>>>
>>>>>>>>>>>> BEFORE failed status:
>>>>>>>>>>>> root      9126  9125  0 11:07 pts/1    00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>>>>           9131  9126  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>>>>
>>>>>>>>>>>> AFTER failed status root-owned process is killed and PrivDropToUser-USER
>>>>>>>>>>>> owned process therefore gets owned by init:
>>>>>>>>>>>>           9131     1  0 11:07 ?        00:00:00 /usr/sbin/rsyslogd -c 6
>>>>>>>>>>>>
>>>>>>>>>>>> Anyone who can help with this...?:
>>>>>>>>>>>> here is the debug output when starting running the init-script:
>>>>>>>>>>>> #/etc/init.d/rsyslog start
>>>>>>>>>>>> + . /etc/init.d/functions
>>>>>>>>>>>> ++ TEXTDOMAIN=initscripts
>>>>>>>>>>>> ++ umask 022
>>>>>>>>>>>> ++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
>>>>>>>>>>>> ++ export PATH
>>>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>>>> ++ COLUMNS=80
>>>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>>>> +++ /sbin/consoletype
>>>>>>>>>>>> ++ CONSOLETYPE=pty
>>>>>>>>>>>> ++ '[' -f /etc/sysconfig/i18n -a -z '' -a -z '' ']'
>>>>>>>>>>>> ++ . /etc/profile.d/lang.sh
>>>>>>>>>>>> ++ unset LANGSH_SOURCED
>>>>>>>>>>>> ++ '[' -z '' ']'
>>>>>>>>>>>> ++ '[' -f /etc/sysconfig/init ']'
>>>>>>>>>>>> ++ . /etc/sysconfig/init
>>>>>>>>>>>> +++ BOOTUP=color
>>>>>>>>>>>> +++ RES_COL=60
>>>>>>>>>>>> +++ MOVE_TO_COL='echo -en \033[60G'
>>>>>>>>>>>> +++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
>>>>>>>>>>>> +++ SETCOLOR_FAILURE='echo -en \033[0;31m'
>>>>>>>>>>>> +++ SETCOLOR_WARNING='echo -en \033[0;33m'
>>>>>>>>>>>> +++ SETCOLOR_NORMAL='echo -en \033[0;39m'
>>>>>>>>>>>> +++ PROMPT=yes
>>>>>>>>>>>> +++ AUTOSWAP=no
>>>>>>>>>>>> +++ ACTIVE_CONSOLES='/dev/tty[1-6]'
>>>>>>>>>>>> +++ SINGLE=/sbin/sushell
>>>>>>>>>>>> ++ '[' pty = serial ']'
>>>>>>>>>>>> ++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
>>>>>>>>>>>> + RETVAL=0
>>>>>>>>>>>> + PIDFILE=/var/run/syslogd.pid
>>>>>>>>>>>> + prog=rsyslogd
>>>>>>>>>>>> + exec=/usr/sbin/rsyslogd
>>>>>>>>>>>> + lockfile=/var/lock/subsys/rsyslogd
>>>>>>>>>>>> + case "$1" in
>>>>>>>>>>>> + start
>>>>>>>>>>>> + '[' -x /usr/sbin/rsyslogd ']'
>>>>>>>>>>>> + '[' -f /etc/sysconfig/rsyslog ']'
>>>>>>>>>>>> + . /etc/sysconfig/rsyslog
>>>>>>>>>>>> ++ SYSLOGD_OPTIONS='-c 6'
>>>>>>>>>>>> + umask 077
>>>>>>>>>>>> + echo -n 'Starting system logger: '
>>>>>>>>>>>> Starting system logger: + daemon --pidfile=/var/run/syslogd.pid /usr/sbin/rsyslogd -c 6
>>>>>>>>>>>> + local gotbase= force= nicelevel corelimit
>>>>>>>>>>>> + local pid base= user= nice= bg= pid_file=
>>>>>>>>>>>> + local cgroup=
>>>>>>>>>>>> + nicelevel=0
>>>>>>>>>>>> + '[' --pidfile=/var/run/syslogd.pid '!=' -pidfile=/var/run/syslogd.pid ']'
>>>>>>>>>>>> + case $1 in
>>>>>>>>>>>> + pid_file=/var/run/syslogd.pid
>>>>>>>>>>>> + shift
>>>>>>>>>>>> + '[' /usr/sbin/rsyslogd '!=' /usr/sbin/rsyslogd ']'
>>>>>>>>>>>> + '[' -z '' ']'
>>>>>>>>>>>> + base=rsyslogd
>>>>>>>>>>>> + __pids_var_run rsyslogd /var/run/syslogd.pid
>>>>>>>>>>>> + local base=rsyslogd
>>>>>>>>>>>> + local pid_file=/var/run/syslogd.pid
>>>>>>>>>>>> + pid=
>>>>>>>>>>>> + '[' -f /var/run/syslogd.pid ']'
>>>>>>>>>>>> + return 3
>>>>>>>>>>>> + '[' -n '' -a -z '' ']'
>>>>>>>>>>>> + corelimit='ulimit -S -c 0'
>>>>>>>>>>>> + '[' -n '' ']'
>>>>>>>>>>>> + '[' -n '' ']'
>>>>>>>>>>>> + '[' color = verbose -a -z '' ']'
>>>>>>>>>>>> + '[' -z '' ']'
>>>>>>>>>>>> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/rsyslogd -c 6'
>>>>>>>>>>>> ...
>>>>>>>>>>>> (hangs here for a long time)
>>>>>>>>>>>> ...
>>>>>>>>>>>> + '[' 1 -eq 0 ']'
>>>>>>>>>>>> + failure 'rsyslogd startup'
>>>>>>>>>>>> + local rc=1
>>>>>>>>>>>> + '[' color '!=' verbose -a -z '' ']'
>>>>>>>>>>>> + echo_failure
>>>>>>>>>>>> + '[' color = color ']'
>>>>>>>>>>>> + echo -en '\033[60G'
>>>>>>>>>>>> + echo -n '['
>>>>>>>>>>>> [+ '[' color = color ']'
>>>>>>>>>>>> + echo -en '\033[0;31m'
>>>>>>>>>>>> + echo -n FAILED
>>>>>>>>>>>> FAILED+ '[' color = color ']'
>>>>>>>>>>>> + echo -en '\033[0;39m'
>>>>>>>>>>>> + echo -n ']'
>>>>>>>>>>>> ]+ echo -ne '\r'
>>>>>>>>>>>> + return 1
>>>>>>>>>>>> + '[' -x /usr/bin/plymouth ']'
>>>>>>>>>>>> + /usr/bin/plymouth --details
>>>>>>>>>>>> + return 1
>>>>>>>>>>>> + RETVAL=1
>>>>>>>>>>>> + echo
>>>>>>>>>>>>
>>>>>>>>>>>> + '[' 1 -eq 0 ']'
>>>>>>>>>>>> + return 1
>>>>>>>>>>>> + exit 1
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to give 777-access to /var/run and /var/lock/subsys - but
>>>>>>>>>>>> same thing happens...
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>>>>
>>>>>>>>>>>> Br.
>>>>>>>>>>>> ~maymann
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>>>>>>>
>>>>>>>>>>>>> I can only help you with that part if you point me to why exactly the
>>>>>>>>>>>>> script claims what it does. So you may want to try find someone who can
>>>>>>>>>>>>> do that.
>>>>>>>>>>>>> I >>>>>>>>>>>>> know this is probably a trivial question, but I don't know >>>>>>>>>>>>> anything >>>>>>>>>>>>> ;) >>>>>>>>>>>>> >>>>>>>>>>>>> Sry, rainer >>>>>>>>>>>>> >>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>> >>>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.**** >>>>>>>>>>>>> >>>>>>>>>>>>>> ****com>>>>>>>>>>>>> **adiscon.com >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> [mailto: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> rsyslog- >>>>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>>>>>>>>>>>> Sent: Thursday, February 02, 2012 10:03 AM >>>>>>>>>>>>>> To: rsyslog-users >>>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user >>>>>>>>>>>>>> >>>>>>>>>>>>>> Here is my startup script... only thing changed is the path to >>>>>>>>>>>>>> the >>>>>>>>>>>>>> new >>>>>>>>>>>>>> 6.3.6-rsyslog-devel binary. >>>>>>>>>>>>>> The startup-scripts works also perfectly when i comment out the >>>>>>>>>>>>>> PrivDropToUser+PrivDropToGroup in /etc/rsyslog.conf - but >>>>>>>>>>>>>> failes >>>>>>>>>>>>>> if i >>>>>>>>>>>>>> have >>>>>>>>>>>>>> both or one of the entries...: >>>>>>>>>>>>>> #!/bin/bash >>>>>>>>>>>>>> # >>>>>>>>>>>>>> # rsyslog Starts rsyslogd/rklogd. >>>>>>>>>>>>>> # >>>>>>>>>>>>>> # >>>>>>>>>>>>>> # chkconfig: 2345 12 88 >>>>>>>>>>>>>> # description: Syslog is the facility by which many daemons use >>>>>>>>>>>>>> to >>>>>>>>>>>>>> log >>>>>>>>>>>>>> \ >>>>>>>>>>>>>> # messages to various system log files. It is a good idea to >>>>>>>>>>>>>> always \ >>>>>>>>>>>>>> # run rsyslog. 
>>>>>>>>>>>>>> ### BEGIN INIT INFO
>>>>>>>>>>>>>> # Provides: $syslog
>>>>>>>>>>>>>> # Required-Start: $local_fs
>>>>>>>>>>>>>> # Required-Stop: $local_fs
>>>>>>>>>>>>>> # Default-Start: 2 3 4 5
>>>>>>>>>>>>>> # Default-Stop: 0 1 6
>>>>>>>>>>>>>> # Short-Description: Enhanced system logging and kernel message trapping daemons
>>>>>>>>>>>>>> # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
>>>>>>>>>>>>>> #              among others, MySQL, syslog/tcp, RFC 3195, permitted
>>>>>>>>>>>>>> #              sender lists, filtering on any message part, and fine
>>>>>>>>>>>>>> #              grain output format control.
>>>>>>>>>>>>>> ### END INIT INFO
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Source function library.
>>>>>>>>>>>>>> . /etc/init.d/functions
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> RETVAL=0
>>>>>>>>>>>>>> PIDFILE=/var/run/syslogd.pid
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> prog=rsyslogd
>>>>>>>>>>>>>> #exec=/sbin/rsyslogd
>>>>>>>>>>>>>> exec=/usr/sbin/rsyslogd
>>>>>>>>>>>>>> lockfile=/var/lock/subsys/$prog
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> start() {
>>>>>>>>>>>>>>     [ -x $exec ] || exit 5
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     # Source config
>>>>>>>>>>>>>>     if [ -f /etc/sysconfig/rsyslog ] ; then
>>>>>>>>>>>>>>         . /etc/sysconfig/rsyslog
>>>>>>>>>>>>>>     fi
>>>>>>>>>>>>>>     umask 077
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     echo -n $"Starting system logger: "
>>>>>>>>>>>>>>     daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
>>>>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>>>>     echo
>>>>>>>>>>>>>>     [ $RETVAL -eq 0 ] && touch $lockfile
>>>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>> stop() {
>>>>>>>>>>>>>>     echo -n $"Shutting down system logger: "
>>>>>>>>>>>>>>     killproc $prog
>>>>>>>>>>>>>>     RETVAL=$?
>>>>>>>>>>>>>>     echo
>>>>>>>>>>>>>>     [ $RETVAL -eq 0 ] && rm -f $lockfile
>>>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>> reload() {
>>>>>>>>>>>>>>     RETVAL=1
>>>>>>>>>>>>>>     syslog=$(cat "${PIDFILE}" 2>/dev/null)
>>>>>>>>>>>>>>     echo -n "Reloading system logger..."
>>>>>>>>>>>>>>     if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
>>>>>>>>>>>>>>         kill -HUP "$syslog";
>>>>>>>>>>>>>>         RETVAL=$?
>>>>>>>>>>>>>>     fi
>>>>>>>>>>>>>>     if [ $RETVAL -ne 0 ]; then
>>>>>>>>>>>>>>         failure
>>>>>>>>>>>>>>     else
>>>>>>>>>>>>>>         success
>>>>>>>>>>>>>>     fi
>>>>>>>>>>>>>>     echo
>>>>>>>>>>>>>>     return $RETVAL
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>> rhstatus() {
>>>>>>>>>>>>>>     status -p "${PIDFILE}" $prog
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>> restart() {
>>>>>>>>>>>>>>     stop
>>>>>>>>>>>>>>     start
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> case "$1" in
>>>>>>>>>>>>>>     start)
>>>>>>>>>>>>>>         start
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     stop)
>>>>>>>>>>>>>>         stop
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     restart)
>>>>>>>>>>>>>>         restart
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     reload|force-reload)
>>>>>>>>>>>>>>         reload
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     status)
>>>>>>>>>>>>>>         rhstatus
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     condrestart|try-restart)
>>>>>>>>>>>>>>         rhstatus >/dev/null 2>&1 || exit 0
>>>>>>>>>>>>>>         restart
>>>>>>>>>>>>>>         ;;
>>>>>>>>>>>>>>     *)
>>>>>>>>>>>>>>         echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
>>>>>>>>>>>>>>         exit 2
>>>>>>>>>>>>>> esac
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> exit $?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2012/2/2 Rainer Gerhards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>>>>>>>>>>>>>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>>>>>>>>>>>>>>>> Sent: Wednesday, February 01, 2012 9:08 AM
>>>>>>>>>>>>>>>> To: rsyslog-users
>>>>>>>>>>>>>>>> Subject: Re: [rsyslog] rsyslog as non-root user
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> David: thanks - got it working with permission dropping, by far my
>>>>>>>>>>>>>>>> preferred configuration... just didn't know of it...:-) !
>>>>>>>>>>>>>>>> Rainer: please let us know if the debug info of the "permission
>>>>>>>>>>>>>>>> dropping: hang+timeout" I send you can solve anything... anyway it
>>>>>>>>>>>>>>>> works now - but not optimal if other people have to service my
>>>>>>>>>>>>>>>> setup...:-) !
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have reviewed the debug log and I see nothing unexpected. From the
>>>>>>>>>>>>>>> timestamps I also see that there is no hang whatsoever. So it looks
>>>>>>>>>>>>>>> like there is some problem with the startup script, which I don't
>>>>>>>>>>>>>>> know. I suggest to ask what the FAILED status is caused by. We can
>>>>>>>>>>>>>>> then look why this happens.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sorry I have no better answer...
>>>>>>>>>>>>>>> Rainer
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>>>>>>>> ~maymann
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> 2012/2/1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Tue, 31 Jan 2012, Michael Maymann wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I have now setup a 6.3.6-devel rsyslog server that is working fine
>>>>>>>>>>>>>>>>>> running as root.
>>>>>>>>>>>>>>>>>> I would like to run it as non-root user as my logfiles are located
>>>>>>>>>>>>>>>>>> on NFS (and root export of NFS is generally not a good idea !).
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Mon Feb 6 13:54:31 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 6 Feb 2012 13:54:31 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281865@GRFEXC.intern.adiscon.com>

Please note that HOSTNAME stems back to the message and as such is a
different property than FROMHOST. It is definitely not the case that when
FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
current environment.

rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Saturday, February 04, 2012 9:10 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Hi,
>
> SOLVED...
>
> got it working...:-) !
>
> I enabled debugging (David: thanks for the hint) and this was one of the
> entries:
> ---
> Debug line with all properties:
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> ---
> The from the last line was of course the same as in the the logfiles...
> I confuse this to be a client of a rsyslog-client twice... :-o !
>
> I could hereafter easily edit my /etc/rsyslog.conf respectively:
> ---
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup
> $PrivDropToUser
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> ---
>
> David+Rainer: thanks for your help... much appreciated...:-) !
>
> Br.
> ~maymann
>
> 2012/2/4
>
> > I was actually meaning for you to do this on the server where you are
> > seeing the ??? show up.
> >
> > but this does show that the sending machine thinks it's doing everything
> > correctly (assuming the you put in the message below is actually
> > correct)
> >
> > what I would want to see from the server log is one of the messages with
> > the ??? in it that you are trying to fix.
> >
> > David Lang
> >
> > On Fri, 3 Feb 2012, Michael Maymann wrote:
> >
> >> Hi,
> >>
> >> David: thanks for your reply...:-) !
> >>
> >> This is not a known client causing the "???" entries - I don't know the
> >> ip(s)/hostname(s), and this is why i would like to log IP instead of
> >> hostname - as my guess is it is a network device without DNS entry...:-( !
> >>
> >> Can I troubleshoot on the server somehow similar... or was that the
> >> intention all along...:-o !
> >>
> >> Here is the client-debug output anyways...:
> >> # cat messages-debug
> >> Debug line with all properties:
> >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 6,
> >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>
> >> Debug line with all properties:
> >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 46,
> >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>
> >> Debug line with all properties:
> >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 13,
> >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> >> msg: ' hej'
> >> escaped msg: ' hej'
> >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> >>
> >> Thanks in advance :-) !
> >> ~maymann
> >>
> >> 2012/2/3
> >>
> >>> oops, that should have been RSYSLOG_DebugFormat template.
> >>>
> >>> David Lang
> >>>
> >>> On Thu, 2 Feb 2012, david at lang.hm wrote:
> >>>
> >>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >>>> From: david at lang.hm
> >>>> Reply-To: rsyslog-users
> >>>> To: rsyslog-users
> >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>
> >>>> what does one of these messages look like if you write it out with the
> >>>> RSYSLOG_DEBUG template?
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>>>
> >>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >>>>> From: Michael Maymann
> >>>>> Reply-To: rsyslog-users
> >>>>> To: rsyslog-users
> >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>>
> >>>>> Please... Anyone?
> >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" > wrote: > >>>>> > >>>>> Hi, > >>>>> > >>>>>> > >>>>>> got it started... but still ??? dir+logfiles are showing up... > >>>>>> This is now my rsyslog.conf: > >>>>>> #SET PRIVILEGES > >>>>>> $PreserveFQDN on > >>>>>> $PrivDropToGroup > >>>>>> $PrivDropToUser > >>>>>> $DirCreateMode 0750 > >>>>>> $FileCreateMode 0640 > >>>>>> $UMASK 0027 > >>>>>> > >>>>>> #LOAD MODULES > >>>>>> $ModLoad imudp > >>>>>> $UDPServerRun 514 > >>>>>> $UDPServerAddress 127.0.0.1 > >>>>>> $ModLoad imtcp > >>>>>> $InputTCPServerRun 514 > >>>>>> > >>>>>> #SET DESTINATION FOR LOGS > >>>>>> $template > >>>>>> DYNmessages,"PATH_TO/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** > >>>>>> $MONTH%_messages" > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/** > >>>>>> **%FROMHOST%_%$YEAR%.%$MONTH%_*** > >>>>>> *secure" > >>>>>> $template > >>>>>> DYNmaillog,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%** > >>>>>> _**maillog" > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%*** > >>>>>> *FROMHOST%_%$YEAR%.%$MONTH%_** > >>>>>> cron" > >>>>>> $template > >>>>>> DYNspooler,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%** > >>>>>> _**spooler" > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%*** > >>>>>> *FROMHOST%_%$YEAR%.%$MONTH%_** > >>>>>> boot.log" > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%** > >>>>>> **FROMHOST%_%$YEAR%.%$MONTH%_**** > >>>>>> traps" > >>>>>> > >>>>>> $template > >>>>>> DYNIPmessages,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>> YEAR%.%$MONTH%_messages" > >>>>>> $template > >>>>>> DYNIPsecure,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>> YEAR%.%$MONTH%_secure" > >>>>>> $template > >>>>>> DYNIPmaillog,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>> YEAR%.%$MONTH%_maillog" > >>>>>> $template > >>>>>> DYNIPcron,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>> MONTH%_cron" > >>>>>> $template > >>>>>> DYNIPspooler,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>> 
YEAR%.%$MONTH%_spooler" > >>>>>> $template > >>>>>> DYNIPboot,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>> MONTH%_boot.log" > >>>>>> $template > >>>>>> DYNIPtraps,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>> MONTH%_traps" > >>>>>> > >>>>>> #SET LOGGING CONDITIONS > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then > ?DYNmessages > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' > then > >>>>>> ?DYNsecure > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then > >>>>>> ?DYNmaillog > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then > ?DYNcron > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then > >>>>>> ?DYNspooler > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then > >>>>>> ?DYNboot > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == > >>>>>> 'WARNING' > >>>>>> and $fromhost != '???' then ?DYNtraps > >>>>>> > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then > ?DYNIPmessages > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' > then > >>>>>> ?DYNIPsecure > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then > >>>>>> ?DYNIPmaillog > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then > >>>>>> ?DYNIPcron > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then > >>>>>> ?DYNIPspooler > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then > >>>>>> ?DYNIPboot > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == > >>>>>> 'WARNING' > >>>>>> and $fromhost == '???' then ?DYNIPtraps > >>>>>> > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but > all > >>>>>> creates > >>>>>> ??? dir+files... > >>>>>> What variable should I use to handle this properly ? > >>>>>> > >>>>>> > >>>>>> Thanks in advance :-) ! 
> >>>>>> ~maymann > >>>>>> > >>>>>> 2012/2/2 Michael Maymann > >>>>>> > >>>>>> Hi, > >>>>>> > >>>>>>> > >>>>>>> David: thanks for your reply... > >>>>>>> Here is my new rsyslog.conf: > >>>>>>> #SET PRIVILEGES > >>>>>>> $PreserveFQDN on > >>>>>>> $PrivDropToGroup > >>>>>>> $PrivDropToUser > >>>>>>> $DirCreateMode 0750 > >>>>>>> $FileCreateMode 0640 > >>>>>>> $UMASK 0027 > >>>>>>> > >>>>>>> #LOAD MODULES > >>>>>>> $ModLoad imudp > >>>>>>> $UDPServerRun 514 > >>>>>>> $UDPServerAddress 127.0.0.1 > >>>>>>> $ModLoad imtcp > >>>>>>> $InputTCPServerRun 514 > >>>>>>> > >>>>>>> #SET DESTINATION FOR LOGS > >>>>>>> $template > >>>>>>> DYNmessages,"PATH_TO/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** > >>>>>>> $MONTH%_messages" > >>>>>>> $template > >>>>>>> > DYNsecure,"PATH_TO/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** > >>>>>>> **secure" > >>>>>>> > >>>>>>> $template > >>>>>>> > DYNmaillog,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%**_** > >>>>>>> maillog" > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%*** > >>>>>>> *FROMHOST%_%$YEAR%.%$MONTH%_** > >>>>>>> cron" > >>>>>>> $template > >>>>>>> > DYNspooler,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%**_** > >>>>>>> spooler" > >>>>>>> $template > >>>>>>> > DYNboot,"PATH_TO/%FROMHOST%/%****FROMHOST%_%$YEAR%.%$MONTH%_**** > >>>>>>> boot.log" > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%** > >>>>>>> **FROMHOST%_%$YEAR%.%$MONTH%_* > >>>>>>> *traps" > >>>>>>> > >>>>>>> $template > >>>>>>> DYNIPmessages,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>>> YEAR%.%$MONTH%_messages" > >>>>>>> $template > >>>>>>> DYNIPsecure,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>>> YEAR%.%$MONTH%_secure" > >>>>>>> $template > >>>>>>> DYNIPmaillog,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>>> YEAR%.%$MONTH%_maillog" > >>>>>>> $template > >>>>>>> DYNIPcron,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>>> MONTH%_cron" > >>>>>>> $template > >>>>>>> 
DYNIPspooler,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > >>>>>>> YEAR%.%$MONTH%_spooler" > >>>>>>> $template > >>>>>>> DYNIPboot,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>>> MONTH%_boot.log" > >>>>>>> $template > >>>>>>> DYNIPtraps,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > IP%_%$YEAR%.%$**** > >>>>>>> MONTH%_traps" > >>>>>>> > >>>>>>> #SET LOGGING CONDITIONS > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then > ?DYNmessages > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' > then > >>>>>>> ?DYNsecure > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then > >>>>>>> ?DYNmaillog > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then > >>>>>>> ?DYNcron > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then > >>>>>>> ?DYNspooler > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' > then > >>>>>>> ?DYNboot > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == > >>>>>>> 'WARNING' > >>>>>>> and %FROMHOST% != '???' then ?DYNtraps > >>>>>>> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then > ?DYNIPmessages > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' > then > >>>>>>> ?DYNIPsecure > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then > >>>>>>> ?DYNIPmaillog > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then > >>>>>>> ?DYNIPcron > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then > >>>>>>> ?DYNIPspooler > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' > then > >>>>>>> ?DYNIPboot > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == > >>>>>>> 'WARNING' > >>>>>>> and %FROMHOST% == '???' 
then ?DYNIPtraps > >>>>>>> > >>>>>>> but it fails...: > >>>>>>> # service rsyslog start > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 > (see > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what > that > >>>>>>> number > >>>>>>> means) > >>>>>>> [ OK > ] > >>>>>>> > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format > correct or > >>>>>>> how > >>>>>>> is this done... > >>>>>>> > >>>>>>> > >>>>>>> Thanks in advance :-) ! > >>>>>>> ~maymann > >>>>>>> > >>>>>>> > >>>>>>> 2012/2/1 > >>>>>>> > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: > >>>>>>> > >>>>>>> > >>>>>>>> Hi, > >>>>>>>> > >>>>>>>> > >>>>>>>>> I want to log information about hosts that are not logging > with > >>>>>>>>> correct > >>>>>>>>> HOSTNAME. > >>>>>>>>> In my current setup, I get a dir "???" where these host(s) > are > >>>>>>>>> logging > >>>>>>>>> to... > >>>>>>>>> > >>>>>>>>> I would like to change this to the hosts IP instead, > something > >>>>>>>>> like: > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a > value to > >>>>>>>> a > >>>>>>>> property. > >>>>>>>> > >>>>>>>> what you can do is to setup a different template and then if > >>>>>>>> %fromhost% > >>>>>>>> is your special pattern you can log with this different > template. 
> >>>>>>>> > >>>>>>>> David Lang > >>>>>>>> ______________________________******_________________ > >>>>>>>> rsyslog mailing list > >>>>>>>> > http://lists.adiscon.net/******mailman/listinfo/rsyslog iscon.net/****mailman/listinfo/rsyslog> > >>>>>>>> > discon.net/**mailman/listinfo/rsyslog> > >>>>>>>> > > >>>>>>>> > discon.net/mailman/**listinfo/rsyslog> > >>>>>>>> > scon.net/mailman/listinfo/rsyslog> > >>>>>>>> > > >>>>>>>> > >>>>>>>>> > >>>>>>>>> http://www.rsyslog.com/******professional- > services/ > >>>>>>>> services/ > >>>>>>>> > > >>>>>>>> **services/ > >>>>>>>> services/ > >>>>>>>> > > >>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>>> ______________________________****_________________ > >>>>>> > >>>>> rsyslog mailing list > >>>>> > http://lists.adiscon.net/****mailman/listinfo/rsyslog con.net/**mailman/listinfo/rsyslog> > >>>>> > scon.net/mailman/listinfo/rsyslog> > >>>>> > > >>>>> http://www.rsyslog.com/****professional- > services/ > >>>>> **services/ > >>>>> > > >>>>> > >>>>> ______________________________****_________________ > >>>>> > >>>> rsyslog mailing list > >>>> > http://lists.adiscon.net/****mailman/listinfo/rsyslog con.net/**mailman/listinfo/rsyslog> > >>>> > scon.net/mailman/listinfo/rsyslog> > >>>> > > >>>> http://www.rsyslog.com/****professional- > services/ > >>>> **services/ > >>>> > > >>>> > >>>> ______________________________****_________________ > >>>> > >>> rsyslog mailing list > >>> > http://lists.adiscon.net/****mailman/listinfo/rsyslog con.net/**mailman/listinfo/rsyslog> > >>> > scon.net/mailman/listinfo/rsyslog> > >>> > > >>> http://www.rsyslog.com/****professional- > services/ > >>> **services/ > >>> > > >>> > >>> ______________________________**_________________ > >> rsyslog mailing list > >> > http://lists.adiscon.net/**mailman/listinfo/rsyslog n.net/mailman/listinfo/rsyslog> > >> http://www.rsyslog.com/**professional- > services/ > >> > >> ______________________________**_________________ > > rsyslog 
From rgerhards at hq.adiscon.com Mon Feb 6 14:03:43 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 6 Feb 2012 14:03:43 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281867@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Saturday, February 04, 2012 9:27 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> If Rainer creates the instrumented version it would still be good to see
> what's going on. I would say that for fromhost-ip to be '???' is always a
> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
> IP address, I would also consider that a bug.

Yup, I agree here. It's most probably a bug, at least if no message indicating
something malicious goes along with the problem. Rsyslog checks if it can
trust the IP and prefers not to write it if there is proof something malicious
goes on - the ??? then indicates we do not know the actual IP and is probably
the best to be done in that case. See [1], especially the comments, for
details.

I have audited the code and do not see anything obviously wrong. I noticed
that there is already a lot of good debug instrumentation present, so I just
added one additional output, which makes it somewhat easier to scan for
failures inside the log file. It also provides the ultimate proof of why the
function indicates failure.

@Michael: You can obtain the new version via the git master branch (let me
know if you have problems obtaining it). Please try it out. We need to see at
least one occurrence of ??? in order to track down what is going on.

> It would be good to track down what's actually happening here.

Indeed, especially as this is the prime reason for making separate devel and
stable branches available. ;-)

Rainer

[1] http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147

>
> David Lang
>
> On Sat, 4 Feb 2012, Michael Maymann wrote:
>
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of the
> > entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The from the last line was of course the same as in the the logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup
> > $PrivDropToUser
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From michael at maymann.org Mon Feb 6 14:14:22 2012
From: michael at maymann.org (Michael Maymann)
Date: Mon, 6 Feb 2012 14:14:22 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281865@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA7281865@GRFEXC.intern.adiscon.com>
Message-ID:

Hi Rainer,

ok.

I have 3 different entries in my debug log:
---
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 10.224.110.250 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:49', STRUCTURED-DATA: '-',
msg: ' Kernel logging (proc) stopped.'
escaped msg: ' Kernel logging (proc) stopped.'
inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:50', STRUCTURED-DATA: '-',
msg: ' signal 15'
escaped msg: ' signal 15'
inputname: imudp rawmsg: '<46>exiting on signal 15'
---

I have now setup a rule:
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages

I would like to still log the hosts where I know the IP...
Is it possible to say something like the following ?:
---
$template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"

if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
---

Thanks in advance :-) !
~maymann

2012/2/6 Rainer Gerhards

> Please note that HOSTNAME stems back to the message and as such is a
> different property than FROMHOST. It is definitely not the case that when
> FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
> current environment.
>
> rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Saturday, February 04, 2012 9:10 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of the entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The from the last line was of course the same as in the logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup
> > $PrivDropToUser
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4
> >
> > > I was actually meaning for you to do this on the server where you are seeing the ??? show up.
> > >
> > > but this does show that the sending machine thinks it's doing everything correctly (assuming the you put in the message below is actually correct)
> > >
> > > what I would want to see from the server log is one of the messages with the ??? in it that you are trying to fix.
> > >
> > > David Lang
> > >
> > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >
> > > Hi,
> > >>
> > >> David: thanks for your reply...:-) !
> > >>
> > >> This is not a known client causing the "???" entries - I don't know the ip(s)/hostname(s), and this is why i would like to log IP instead of hostname - as my guess is it is a network device without DNS entry...:-( !
> > >>
> > >> Can I troubleshoot on the server somehow similar... or was that the intention all along...:-o !
> > >>
> > >> Here is the client-debug output anyways...:
> > >> # cat messages-debug
> > >> Debug line with all properties:
> > >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 6,
> > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 46,
> > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '', PRI: 13,
> > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > >> msg: ' hej'
> > >> escaped msg: ' hej'
> > >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >>
> > >> Thanks in advance :-) !
> > >> ~maymann
> > >>
> > >> 2012/2/3
> > >>
> > >> oops, that should have been RSYSLOG_DebugFormat template.
> > >>>
> > >>> David Lang
> > >>>
> > >>> On Thu, 2 Feb 2012, david at lang.hm wrote:
> > >>>
> > >>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >>>> From: david at lang.hm
> > >>>> Reply-To: rsyslog-users
> > >>>> To: rsyslog-users
> > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >>>>
> > >>>> what does one of these messages look like if you write it out with the RSYSLOG_DEBUG template?
> > >>>>
> > >>>> David Lang
> > >>>>
> > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >>>>
> > >>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >>>>> From: Michael Maymann
> > >>>>> Reply-To: rsyslog-users
> > >>>>> To: rsyslog-users
> > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >>>>>
> > >>>>> Please... Anyone?
> > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
> > >>>>>
> > >>>>> Hi,
> > >>>>>>
> > >>>>>> got it started... but still ??? dir+logfiles are showing up...
> > >>>>>> This is now my rsyslog.conf:
> > >>>>>> #SET PRIVILEGES
> > >>>>>> $PreserveFQDN on
> > >>>>>> $PrivDropToGroup
> > >>>>>> $PrivDropToUser
> > >>>>>> $DirCreateMode 0750
> > >>>>>> $FileCreateMode 0640
> > >>>>>> $UMASK 0027
> > >>>>>>
> > >>>>>> #LOAD MODULES
> > >>>>>> $ModLoad imudp
> > >>>>>> $UDPServerRun 514
> > >>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>> $ModLoad imtcp
> > >>>>>> $InputTCPServerRun 514
> > >>>>>>
> > >>>>>> #SET DESTINATION FOR LOGS
> > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> #SET LOGGING CONDITIONS
> > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > >>>>>>
> > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > >>>>>>
> > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates ??? dir+files...
> > >>>>>> What variable should I use to handle this properly ?
> > >>>>>>
> > >>>>>> Thanks in advance :-) !
> > >>>>>> ~maymann
> > >>>>>>
> > >>>>>> 2012/2/2 Michael Maymann
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>>>
> > >>>>>>> David: thanks for your reply...
> > >>>>>>> Here is my new rsyslog.conf:
> > >>>>>>> #SET PRIVILEGES
> > >>>>>>> $PreserveFQDN on
> > >>>>>>> $PrivDropToGroup
> > >>>>>>> $PrivDropToUser
> > >>>>>>> $DirCreateMode 0750
> > >>>>>>> $FileCreateMode 0640
> > >>>>>>> $UMASK 0027
> > >>>>>>>
> > >>>>>>> #LOAD MODULES
> > >>>>>>> $ModLoad imudp
> > >>>>>>> $UDPServerRun 514
> > >>>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>>> $ModLoad imtcp
> > >>>>>>> $InputTCPServerRun 514
> > >>>>>>>
> > >>>>>>> #SET DESTINATION FOR LOGS
> > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> #SET LOGGING CONDITIONS
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > >>>>>>>
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > >>>>>>>
> > >>>>>>> but it fails...:
> > >>>>>>> # service rsyslog start
> > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> > >>>>>>> [ OK ]
> > >>>>>>>
> > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how is this done...
> > >>>>>>>
> > >>>>>>> Thanks in advance :-) !
> > >>>>>>> ~maymann
> > >>>>>>>
> > >>>>>>> 2012/2/1
> > >>>>>>>
> > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>>
> > >>>>>>>>> I want to log information about hosts that are not logging with correct HOSTNAME.
> > >>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging to...
> > >>>>>>>>>
> > >>>>>>>>> I would like to change this to the hosts IP instead, something like:
> > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >>>>>>>>>
> > >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a property.
> > >>>>>>>>
> > >>>>>>>> what you can do is to setup a different template and then if %fromhost% is your special pattern you can log with this different template.
> > >>>>>>>>
> > >>>>>>>> David Lang

From rgerhards at hq.adiscon.com Mon Feb 6 14:17:11 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 6 Feb 2012 14:17:11 +0100
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA7281865@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281868@GRFEXC.intern.adiscon.com>

Let's see where the problem stems back to, *then* we can look for a solution.

rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Monday, February 06, 2012 2:14 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Hi Rainer,
>
> ok.
DYNIPspooler,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > > > >>>>>> YEAR%.%$MONTH%_spooler" > > > >>>>>> $template > > > >>>>>> DYNIPboot,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > > > IP%_%$YEAR%.%$**** > > > >>>>>> MONTH%_boot.log" > > > >>>>>> $template > > > >>>>>> DYNIPtraps,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > > > IP%_%$YEAR%.%$**** > > > >>>>>> MONTH%_traps" > > > >>>>>> > > > >>>>>> #SET LOGGING CONDITIONS > > > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then > > > ?DYNmessages > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' > > > then > > > >>>>>> ?DYNsecure > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' > then > > > >>>>>> ?DYNmaillog > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' > then > > > ?DYNcron > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' > then > > > >>>>>> ?DYNspooler > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' > then > > > >>>>>> ?DYNboot > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text > == > > > >>>>>> 'WARNING' > > > >>>>>> and $fromhost != '???' then ?DYNtraps > > > >>>>>> > > > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then > > > ?DYNIPmessages > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' > > > then > > > >>>>>> ?DYNIPsecure > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' > then > > > >>>>>> ?DYNIPmaillog > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' > then > > > >>>>>> ?DYNIPcron > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' > then > > > >>>>>> ?DYNIPspooler > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' > then > > > >>>>>> ?DYNIPboot > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text > == > > > >>>>>> 'WARNING' > > > >>>>>> and $fromhost == '???' 
then ?DYNIPtraps > > > >>>>>> > > > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - > but > > > all > > > >>>>>> creates > > > >>>>>> ??? dir+files... > > > >>>>>> What variable should I use to handle this properly ? > > > >>>>>> > > > >>>>>> > > > >>>>>> Thanks in advance :-) ! > > > >>>>>> ~maymann > > > >>>>>> > > > >>>>>> 2012/2/2 Michael Maymann > > > >>>>>> > > > >>>>>> Hi, > > > >>>>>> > > > >>>>>>> > > > >>>>>>> David: thanks for your reply... > > > >>>>>>> Here is my new rsyslog.conf: > > > >>>>>>> #SET PRIVILEGES > > > >>>>>>> $PreserveFQDN on > > > >>>>>>> $PrivDropToGroup > > > >>>>>>> $PrivDropToUser > > > >>>>>>> $DirCreateMode 0750 > > > >>>>>>> $FileCreateMode 0640 > > > >>>>>>> $UMASK 0027 > > > >>>>>>> > > > >>>>>>> #LOAD MODULES > > > >>>>>>> $ModLoad imudp > > > >>>>>>> $UDPServerRun 514 > > > >>>>>>> $UDPServerAddress 127.0.0.1 > > > >>>>>>> $ModLoad imtcp > > > >>>>>>> $InputTCPServerRun 514 > > > >>>>>>> > > > >>>>>>> #SET DESTINATION FOR LOGS > > > >>>>>>> $template > > > >>>>>>> > DYNmessages,"PATH_TO/%****FROMHOST%/%FROMHOST%_%$YEAR%.%**** > > > >>>>>>> $MONTH%_messages" > > > >>>>>>> $template > > > >>>>>>> > > > DYNsecure,"PATH_TO/%FROMHOST%/****%FROMHOST%_%$YEAR%.%$MONTH%_** > > > >>>>>>> **secure" > > > >>>>>>> > > > >>>>>>> $template > > > >>>>>>> > > > DYNmaillog,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%**_** > > > >>>>>>> maillog" > > > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%*** > > > >>>>>>> *FROMHOST%_%$YEAR%.%$MONTH%_** > > > >>>>>>> cron" > > > >>>>>>> $template > > > >>>>>>> > > > DYNspooler,"PATH_TO/%FROMHOST%****/%FROMHOST%_%$YEAR%.%$MONTH%**_** > > > >>>>>>> spooler" > > > >>>>>>> $template > > > >>>>>>> > > > DYNboot,"PATH_TO/%FROMHOST%/%****FROMHOST%_%$YEAR%.%$MONTH%_**** > > > >>>>>>> boot.log" > > > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%** > > > >>>>>>> **FROMHOST%_%$YEAR%.%$MONTH%_* > > > >>>>>>> *traps" > > > >>>>>>> > > > >>>>>>> $template > > > >>>>>>> 
DYNIPmessages,"PATH_TO/%****FROMHOST-IP%/%FROMHOST- > IP%_%$**** > > > >>>>>>> YEAR%.%$MONTH%_messages" > > > >>>>>>> $template > > > >>>>>>> DYNIPsecure,"PATH_TO/%****FROMHOST-IP%/%FROMHOST-IP%_%$**** > > > >>>>>>> YEAR%.%$MONTH%_secure" > > > >>>>>>> $template > > > >>>>>>> DYNIPmaillog,"PATH_TO/%****FROMHOST-IP%/%FROMHOST- > IP%_%$**** > > > >>>>>>> YEAR%.%$MONTH%_maillog" > > > >>>>>>> $template > > > >>>>>>> DYNIPcron,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > > > IP%_%$YEAR%.%$**** > > > >>>>>>> MONTH%_cron" > > > >>>>>>> $template > > > >>>>>>> DYNIPspooler,"PATH_TO/%****FROMHOST-IP%/%FROMHOST- > IP%_%$**** > > > >>>>>>> YEAR%.%$MONTH%_spooler" > > > >>>>>>> $template > > > >>>>>>> DYNIPboot,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > > > IP%_%$YEAR%.%$**** > > > >>>>>>> MONTH%_boot.log" > > > >>>>>>> $template > > > >>>>>>> DYNIPtraps,"PATH_TO/%FROMHOST-****IP%/%FROMHOST- > > > IP%_%$YEAR%.%$**** > > > >>>>>>> MONTH%_traps" > > > >>>>>>> > > > >>>>>>> #SET LOGGING CONDITIONS > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then > > > ?DYNmessages > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != > '???' > > > then > > > >>>>>>> ?DYNsecure > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' > then > > > >>>>>>> ?DYNmaillog > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' > then > > > >>>>>>> ?DYNcron > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' > then > > > >>>>>>> ?DYNspooler > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' > > > then > > > >>>>>>> ?DYNboot > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity- > text == > > > >>>>>>> 'WARNING' > > > >>>>>>> and %FROMHOST% != '???' then ?DYNtraps > > > >>>>>>> > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then > > > ?DYNIPmessages > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == > '???' 
> > > then > > > >>>>>>> ?DYNIPsecure > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' > then > > > >>>>>>> ?DYNIPmaillog > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' > then > > > >>>>>>> ?DYNIPcron > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' > then > > > >>>>>>> ?DYNIPspooler > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' > > > then > > > >>>>>>> ?DYNIPboot > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity- > text == > > > >>>>>>> 'WARNING' > > > >>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps > > > >>>>>>> > > > >>>>>>> but it fails...: > > > >>>>>>> # service rsyslog start > > > >>>>>>> Starting system logger: rsyslogd: run failed with error - > 2207 > > > (see > > > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn > what > > > that > > > >>>>>>> number > > > >>>>>>> means) > > > >>>>>>> [ > OK > > > ] > > > >>>>>>> > > > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format > > > correct or > > > >>>>>>> how > > > >>>>>>> is this done... > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> Thanks in advance :-) ! > > > >>>>>>> ~maymann > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> 2012/2/1 > > > >>>>>>> > > > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote: > > > >>>>>>> > > > >>>>>>> > > > >>>>>>>> Hi, > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>>>> I want to log information about hosts that are not > logging > > > with > > > >>>>>>>>> correct > > > >>>>>>>>> HOSTNAME. > > > >>>>>>>>> In my current setup, I get a dir "???" where these > host(s) > > > are > > > >>>>>>>>> logging > > > >>>>>>>>> to... > > > >>>>>>>>> > > > >>>>>>>>> I would like to change this to the hosts IP instead, > > > something > > > >>>>>>>>> like: > > > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP > > > >>>>>>>>> > > > >>>>>>>>> > > > >>>>>>>>> rsyslog cannot do what you are asking. 
It can't assign a > > > value to > > > >>>>>>>> a > > > >>>>>>>> property. > > > >>>>>>>> > > > >>>>>>>> what you can do is to setup a different template and then > if > > > >>>>>>>> %fromhost% > > > >>>>>>>> is your special pattern you can log with this different > > > template. > > > >>>>>>>> > > > >>>>>>>> David Lang > > > >>>>>>>> ______________________________******_________________ > > > >>>>>>>> rsyslog mailing list > > > >>>>>>>> > > > > http://lists.adiscon.net/******mailman/listinfo/rsyslog > > iscon.net/****mailman/listinfo/rsyslog> > > > >>>>>>>> > > > > > > discon.net/**mailman/listinfo/rsyslog> > > > >>>>>>>> > > > > >>>>>>>> > > > > > > discon.net/mailman/**listinfo/rsyslog> > > > >>>>>>>> > > > > > > scon.net/mailman/listinfo/rsyslog> > > > >>>>>>>> > > > > >>>>>>>> > > > >>>>>>>>> > > > >>>>>>>>> http://www.rsyslog.com/******professional- > > > services/ > > > >>>>>>>> > > services/ > > > >>>>>>>> > > > > >>>>>>>> > > **services/ > > > >>>>>>>> > > services/ > > > >>>>>>>> > > > > >>>>>>>> > > > >>>>>>>>> > > > >>>>>>>>> > > > >>>>>>>> > > > >>>>>>>> > > > >>>>>>> > > > >>>>>>> ______________________________****_________________ > > > >>>>>> > > > >>>>> rsyslog mailing list > > > >>>>> > > > > http://lists.adiscon.net/****mailman/listinfo/rsyslog > > con.net/**mailman/listinfo/rsyslog> > > > >>>>> > > > > > > scon.net/mailman/listinfo/rsyslog> > > > >>>>> > > > > >>>>> http://www.rsyslog.com/****professional- > > > services/ > > > >>>>> > > **services/ > > > >>>>> > > > > >>>>> > > > >>>>> ______________________________****_________________ > > > >>>>> > > > >>>> rsyslog mailing list > > > >>>> > > > > http://lists.adiscon.net/****mailman/listinfo/rsyslog > > con.net/**mailman/listinfo/rsyslog> > > > >>>> > > > > > > scon.net/mailman/listinfo/rsyslog> > > > >>>> > > > > >>>> http://www.rsyslog.com/****professional- > > > services/ > > > >>>> > > **services/ > > > >>>> > > > > >>>> > > > >>>> ______________________________****_________________ > > > 
From david at lang.hm Mon Feb 6 20:24:20 2012
From: david at lang.hm (david at lang.hm)
Date: Mon, 6 Feb 2012 11:24:20 -0800 (PST)
Subject: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281867@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA7281867@GRFEXC.intern.adiscon.com>
Message-ID:

On Mon, 6 Feb 2012, Rainer Gerhards wrote:

>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
>> Sent: Saturday, February 04, 2012 9:27 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>
>> If Rainer creates the instrumented version it would still be good to see
>> what's going on. I would say that for fromhost-ip to be '???' is always a
>> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
>> IP address, I would also consider that a bug.
>
> Yup, I agree here. It's most probably a bug, at least if no message
> indicating something malicious goes along with the problem. Rsyslog checks if
> it can trust the IP and prefers not to write it if there is proof something
> malicious goes on - the ??? then indicate we do not know the actual IP and is
> probably the best to be done in that case. See [1], especially the comments,
> for details. I have audited the code and do not see anything obviously wrong.
> I noticed that there is already a lot of good debug instrumentation present,
> so I just added one additional output, which makes it somewhat easier to scan
> for failures inside the log file. It also provides the ultimate proof of why
> the function indicates failure.

under what condition would we not be able to get the IP address of the far end of the connection?

David Lang

> @Michael: You can obtain the new version via the git master branch (let me
> know if you have problems obtaining it). Please try it out. We need to see at
> least one occurrence of ??? in order to track down what is going on.
>
>> It would be good to track down what's actually happening here.
> Indeed, especially as this is the prime reason for making separate devel and
> stable branches available. ;-)
>
> Rainer
> [1]
> http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147
>>
>> David Lang
>>
>> On Sat, 4 Feb 2012, Michael Maymann wrote:
>>
>>> Hi,
>>>
>>> SOLVED...
>>>
>>> got it working...:-) !
>>>
>>> I enabled debugging (David: thanks for the hint) and this was one of the
>>> entries:
>>> ---
>>> Debug line with all properties:
>>> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '', PRI: 14,
>>> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
>>> MSGID: '-',
>>> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
>>> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
>>> unknown)(769216)'
>>> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
>>> 2(VID unknown)(769216)'
>>> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 00828 lldp: PVID
>>> mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>>> ---
>>> The from the last line was of course the same as in the the logfiles...
>>> I confuse this to be a client of a rsyslog-client twice... :-o !
>>>
>>> I could hereafter easily edit my /etc/rsyslog.conf respectively:
>>> ---
>>> #SET PRIVILEGES
>>> $PreserveFQDN on
>>> $PrivDropToGroup
>>> $PrivDropToUser
>>> $DirCreateMode 0750
>>> $FileCreateMode 0640
>>> $UMASK 0027
>>>
>>> #LOAD MODULES
>>> $ModLoad imudp
>>> $UDPServerRun 514
>>> $UDPServerAddress 127.0.0.1
>>> $ModLoad imtcp
>>> $InputTCPServerRun 514
>>>
>>> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
>>> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>>>
>>> #SET DESTINATION FOR LOGS
>>> $template DYNmessages,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNsecure,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNmaillog,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNcron,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNspooler,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNboot,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNtraps,"/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>
>>> $template DYNIPmessages,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNIPsecure,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNIPmaillog,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNIPcron,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNIPspooler,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNIPboot,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNIPtraps,"/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>>>
>>> #SET LOGGING CONDITIONS
>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>
>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>> ---
>>>
>>> David+Rainer: thanks for your help... much appreciated...:-) !
>>>
>>> Br.
>>> ~maymann
>>>
>>> 2012/2/4
>>>
>>>> I was actually meaning for you to do this on the server where you are
>>>> seeing the ??? show up.
>>>>
>>>> but this does show that the sending machine thinks it's doing everything
>>>> correctly (assuming the you put in the message below is actually
>>>> correct)
>>>>
>>>> what I would want to see from the server log is one of the messages with
>>>> the ??? in it that you are trying to fix.
>>>>
>>>>
>>>> David Lang
>>>>
>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>
>>>> Hi,
>>>>>
>>>>> David: thanks for your reply...:-) !
>>>>>
>>>>> This is not a known client causing the "???" entries - I don't know the
>>>>> ip(s)/hostname(s), and this is why i would like to log IP instead of
>>>>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>>>>
>>>>> Can I troubleshoot on the server somehow similar... or was that the
>>>>> intention all along...:-o !
>>>>>
>>>>> Here is the client-debug output anyways...:
>>>>> # cat messages-debug
>>>>> Debug line with all properties:
>>>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>>>> PRI: 6,
>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>>> '-', MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>>>> PRI: 46,
>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>>>>> PROCID: '-', MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>>>> x-info="http://www.rsyslog.com"] (re)start'
>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>>>> x-info="http://www.rsyslog.com"] (re)start'
>>>>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>>>> x-info="http://www.rsyslog.com"] (re)start'
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: '', fromhost-ip: '127.0.0.1', HOSTNAME: '',
>>>>> PRI: 13,
>>>>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
>>>>> MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>>>>> msg: ' hej'
>>>>> escaped msg: ' hej'
>>>>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/3
>>>>>
>>>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Thu, 2 Feb 2012, david at lang.hm wrote:
>>>>>>
>>>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>>>>
>>>>>>> From: david at lang.hm
>>>>>>>
>>>>>>> Reply-To: rsyslog-users
>>>>>>> To: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>>
>>>>>>> what does one of these messages look like if you write it out with the
>>>>>>> RSYSLOG_DEBUG template?
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>>>>
>>>>>>>> From: Michael Maymann
>>>>>>>> Reply-To: rsyslog-users
>>>>>>>> To: rsyslog-users
>>>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>>>
>>>>>>>> Please... Anyone?
>>>>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>>
>>>>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>>>>> This is now my rsyslog.conf:
>>>>>>>>> #SET PRIVILEGES
>>>>>>>>> $PreserveFQDN on
>>>>>>>>> $PrivDropToGroup
>>>>>>>>> $PrivDropToUser
>>>>>>>>> $DirCreateMode 0750
>>>>>>>>> $FileCreateMode 0640
>>>>>>>>> $UMASK 0027
>>>>>>>>>
>>>>>>>>> #LOAD MODULES
>>>>>>>>> $ModLoad imudp
>>>>>>>>> $UDPServerRun 514
>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>> $ModLoad imtcp
>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>
>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>>>>>>
>>>>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>>>>>>
>>>>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>>>>>>>> ??? dir+files...
>>>>>>>>> What variable should I use to handle this properly ?
>>>>>>>>>
>>>>>>>>> Thanks in advance :-) !
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>> 2012/2/2 Michael Maymann
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> David: thanks for your reply...
>>>>>>>>>> Here is my new rsyslog.conf:
>>>>>>>>>> #SET PRIVILEGES
>>>>>>>>>> $PreserveFQDN on
>>>>>>>>>> $PrivDropToGroup
>>>>>>>>>> $PrivDropToUser
>>>>>>>>>> $DirCreateMode 0750
>>>>>>>>>> $FileCreateMode 0640
>>>>>>>>>> $UMASK 0027
>>>>>>>>>>
>>>>>>>>>> #LOAD MODULES
>>>>>>>>>> $ModLoad imudp
>>>>>>>>>> $UDPServerRun 514
>>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>>> $ModLoad imtcp
>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>
>>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>>
>>>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>
>>>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>
>>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>>>>
>>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>>>>
>>>>>>>>>> but it fails...:
>>>>>>>>>> # service rsyslog start
>>>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
>>>>>>>>>> means)
>>>>>>>>>> [ OK ]
>>>>>>>>>>
>>>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>>>>>>>> is this done...
>>>>>>>>>>
>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>> ~maymann
>>>>>>>>>>
>>>>>>>>>> 2012/2/1
>>>>>>>>>>
>>>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>>> I want to log information about hosts that are not logging with correct
>>>>>>>>>>>> HOSTNAME.
>>>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>>>>>>>>>> to...
>>>>>>>>>>>>
>>>>>>>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>>>>
>>>>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>>>>>>>> property.
>>>>>>>>>>>
>>>>>>>>>>> what you can do is to setup a different template and then if %fromhost%
>>>>>>>>>>> is your special pattern you can log with this different template.
>>>>>>>>>>>
>>>>>>>>>>> David Lang

From rory at ooma.com Tue Feb 7 02:03:59 2012
From: rory at ooma.com (Rory Toma)
Date: Mon, 06 Feb 2012 17:03:59 -0800
Subject: [rsyslog] rsyslog 6.2.0 doesn't pick up LIBEE or LIBESTR values from command line
Message-ID: <4F30787F.1020603@ooma.com>

I'm setting the values of LIBEE_CFLAGS and LIBESTR_CFLAGS, yet I still get compile failures as below:

stringbuf.h:39:21: error: libestr.h: No such file or directory

Setting PKG_CONFIG_PATH doesn't work, either.

From rgerhards at hq.adiscon.com Tue Feb 7 09:09:16 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 09:09:16 +0100
Subject: [rsyslog] rsyslog 6.2.0 doesn't pick up LIBEE or LIBESTR values from command line
In-Reply-To: <4F30787F.1020603@ooma.com>
References: <4F30787F.1020603@ooma.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728186D@GRFEXC.intern.adiscon.com>

Are you sure the paths you specify are correct? I ask because this is the number one reason (by far) for these types of errors. Usually all that is required is to set the --bindir, --libdir and --includedir parameters to the (distro-specific) correct parameters.

Rainer

From rgerhards at hq.adiscon.com Tue Feb 7 09:19:01 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 09:19:01 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: Michael Maymann [mailto:michael at maymann.org]
> Sent: Tuesday, February 07, 2012 8:43 AM
> To: Rainer Gerhards; david at lang.hm
> Subject: Re: rsyslog tarball
>
> [root at oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
>
> 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup, compatibility mode 6, module path '', cwd:/var/log
> 9788.497969104:7f639a331700: caller requested object 'net', not found
[snip]

Sorry, this debug info does not contain any of the instrumentation I need (no case occurred) I guess you have cut that off. Please send me a complete file, best as an attachment (working with saved mail messages is far less nice :)).

If the debug log is too large to mail, please let me know. I can provide an anonymous upload-only ftp server in that case.

Thanks!
Rainer

From michael at maymann.org Tue Feb 7 09:46:03 2012
From: michael at maymann.org (Michael Maymann)
Date: Tue, 7 Feb 2012 09:46:03 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
Message-ID:

Hi Rainer,

it is 30Mb - please provide ftp-upload...

br.
~maymann

From rgerhards at hq.adiscon.com Tue Feb 7 10:02:47 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 10:02:47 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: Michael Maymann [mailto:michael at maymann.org]
> Sent: Tuesday, February 07, 2012 9:46 AM
> To: Rainer Gerhards
> Cc: david at lang.hm; rsyslog-users
> Subject: Re: rsyslog tarball
>
> Hi Rainer,
>
> it is 30Mb - please provide ftp-upload...

Zipped or plain? If not zipped, you can probably compress it by 90+%. Anyhow, the FTP server is

ftp://custservice.adiscon.com/incoming

user anonymous, password whatever you like
Note that you can only upload, NOT read. Most importantly, you won't be able to see the file when the upload is done.

If you can compress and mail the file, I can possibly faster access it, just if that's an option.

Thanks!
Rainer

From michael at maymann.org Tue Feb 7 10:21:34 2012
From: michael at maymann.org (Michael Maymann)
Date: Tue, 7 Feb 2012 10:21:34 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
Message-ID:

Just made a shorter run with same info inside... attached...

~maymann

-------------- next part --------------
A non-text attachment was scrubbed...
Name: messages-debug
Type: application/octet-stream
Size: 155580 bytes
Desc: not available
URL:

From rgerhards at hq.adiscon.com Tue Feb 7 10:23:59 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 10:23:59 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>

I guess you mistook files: this was not a debug log but a logfile ;)

rainer

From rgerhards at hq.adiscon.com Tue Feb 7 10:32:34 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 10:32:34 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>

That's a regular log file [in RSYSLOG_DebugForm], showing the log messages as you received them. That's not a debug log that shows rsyslog processing. To create the latter, do the same procedure that you used to create the content of your mail I received at 8:43am today. *That* was a debug log. Look at the content of both of your mails and you will immediately notice the difference.

Please also keep the mailing list CCed...

Rainer

> -----Original Message-----
> From: Michael Maymann [mailto:michael at maymann.org]
> Sent: Tuesday, February 07, 2012 10:28 AM
> To: Rainer Gerhards
> Subject: Re: rsyslog tarball
>
> it states "Debug line with all properties:" all over the logfile...
> Please tell me how to run this thing...?
>
> ~maymann

From rgerhards at hq.adiscon.com Tue Feb 7 11:05:01 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 7 Feb 2012 11:05:01 +0100
Subject: [rsyslog] invalid name resolution to ???
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com><9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728187C@GRFEXC.intern.adiscon.com>

FYI: I got a debug log and it clearly shows an (now even obvious ;)) bug. Will work on a fix.

rainer

From rory at ooma.com Tue Feb 7 22:34:55 2012
From: rory at ooma.com (Rory Toma)
Date: Tue, 07 Feb 2012 13:34:55 -0800
Subject: [rsyslog] Preserving original hostname?
Message-ID: <4F3198FF.2050706@ooma.com>

I am setting up an rsyslog server whose sole purpose is to decompress and unencrypt, then forward the messages on to a centralized syslog server.

I seem to be having trouble getting it to preserve the original message, so that the hostname is from the original sender. I tried using PreserveFQDN, but that doesn't seem to be working, and I can't seem to find an example in the rsyslog docs on how to do this. Is this a simple option, or do I have to set up a template?

From rory at ooma.com Tue Feb 7 22:39:25 2012
From: rory at ooma.com (Rory Toma)
Date: Tue, 07 Feb 2012 13:39:25 -0800
Subject: [rsyslog] rsyslog 6.2.0 doesn't pick up LIBEE or LIBESTR values from command line
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728186D@GRFEXC.intern.adiscon.com>
References: <4F30787F.1020603@ooma.com> <9B6E2A8877C38245BFB15CC491A11DA728186D@GRFEXC.intern.adiscon.com>
Message-ID: <4F319A0D.1050000@ooma.com>

Yes, the values are correct, and are the same values used to build libee.

From david at lang.hm Tue Feb 7 22:49:18 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 7 Feb 2012 13:49:18 -0800 (PST)
Subject: [rsyslog] Preserving original hostname?
In-Reply-To: <4F3198FF.2050706@ooma.com>
References: <4F3198FF.2050706@ooma.com>
Message-ID:

On Tue, 7 Feb 2012, Rory Toma wrote:

> I am setting up an rsyslog server whose sole purpose is to decompress and
> unencrypt, then forward the messages on to a centralized syslog server.
>
> I seem to be having trouble getting it to preserve the original message, so
> that the hostname is from the original sender. I tried using PreserveFQDN,
> but that doesn't seem to be working, and I can't seem to find an example in
> the rsyslog docs on how to do this. Is this a simple option, or do I have to
> set up a template?

if your template uses %hostname% it will preserve what was in the message. If you use %fromhost% or %fromhost-ip% it will log the machine the message was received from.

my guess is that you use fromhost on your central server.

David Lang

From rory at ooma.com Tue Feb 7 22:53:48 2012
From: rory at ooma.com (Rory Toma)
Date: Tue, 07 Feb 2012 13:53:48 -0800
Subject: [rsyslog] Preserving original hostname?
In-Reply-To:
References: <4F3198FF.2050706@ooma.com>
Message-ID: <4F319D6C.602@ooma.com>

On 2/7/12 1:49 PM, david at lang.hm wrote:
> On Tue, 7 Feb 2012, Rory Toma wrote:
>
>> I am setting up an rsyslog server whose sole purpose is to decompress
>> and unencrypt, then forward the messages on to a centralized syslog
>> server.
>>
>> I seem to be having trouble getting it to preserve the original
>> message, so that the hostname is from the original sender. I tried
>> using PreserveFQDN, but that doesn't seem to be working, and I can't
>> seem to find an example in the rsyslog docs on how to do this. Is
>> this a simple option, or do I have to set up a template?
>
> if your template uses %hostname% it will preserve what was in the
> message. If you use %fromhost% or %fromhost-ip% it will log the
> machine the message was received from.
>
> my guess is that you use fromhost on your central server.
>
> David Lang

I am currently using no template, or the default template. That must use hostname, so I probably have to create my own template... Now I'll have to go dig out the instructions for that again, I did that once, a long time ago. 8-)

thx

From david at lang.hm Tue Feb 7 23:32:19 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 7 Feb 2012 14:32:19 -0800 (PST)
Subject: [rsyslog] Preserving original hostname?
In-Reply-To: <4F319D6C.602@ooma.com>
References: <4F3198FF.2050706@ooma.com> <4F319D6C.602@ooma.com>
Message-ID:

On Tue, 7 Feb 2012, Rory Toma wrote:

> On 2/7/12 1:49 PM, david at lang.hm wrote:
>> On Tue, 7 Feb 2012, Rory Toma wrote:
>>
>>> I am setting up an rsyslog server whose sole purpose is to decompress and
>>> unencrypt, then forward the messages on to a centralized syslog server.
>>>
>>> I seem to be having trouble getting it to preserve the original message,
>>> so that the hostname is from the original sender. I tried using
>>> PreserveFQDN, but that doesn't seem to be working, and I can't seem to
>>> find an example in the rsyslog docs on how to do this. Is this a simple
>>> option, or do I have to set up a template?
>>
>> if your template uses %hostname% it will preserve what was in the message.
>> If you use %fromhost% or %fromhost-ip% it will log the machine the message
>> was received from.
>>
>> my guess is that you use fromhost on your central server.
>>
>> David Lang
> I am currently using no template, or the default template. That must use
> hostname, so I probably have to create my own template... Now I'll have to go
> dig out the instructions for that again, I did that once, a long time ago.
> 8-)

what is it that you are getting logged, and what are you expecting to get?

David Lang From vladg at illinois.edu Wed Feb 8 16:03:23 2012 From: vladg at illinois.edu (Vlad Grigorescu) Date: Wed, 8 Feb 2012 09:03:23 -0600 Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators) In-Reply-To: References: Message-ID: <4F328EBB.8000000@illinois.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, After the recent discussion of rsyslog sending logs to ElasticSearch, using the bulk indexing API, I did some playing around with the current plugin. First, let me just say that I really appreciate the work that Nathan did on the omelasticsearch plugin, and that it will work fine under many use cases. However, there are a few fundamental limitations with the current omelasticsearch/rsyslog integration: - - omelasticsearch uses curl to make the API calls to ES. The downside of this is that you have to specify a hostname. ES supports auto-discovering a cluster, as well as fail-over. If the host omelasticsearch is using goes down, the cluster may still be fully functional, but omelasticsearch won't be able to find it. Of course, you could go in and add other cluster members as failover actions, but this would mean a config change every time you change your ES topology. - - curl has a default of only returning 16KB of the HTTP response. This response contains the information of which messages were successfully inserted into ES, and which failed. For a large batch of messages, one could easily get a response over the 16KB limit. This would require running a custom-compiled version of curl, that ups this limit. - - "Pushing" to ES seems to work much less reliably than having ES "pull" messages. For similarly small-sized batches (~250 messages), ES would often take 6-8ms for the bulk insert. However, it would occasionally spike up to 6000ms, which would cause quite a backlog in the queue. Having ES "pull" messages instead (more on this later) seemed to work much more consistently. 
- Finally, I'm a bit confused on how rsyslog receives commit errors with the new transactional plugin system. If there's a batch of 5 messages, and only message 4 is successfully committed during endTransaction, how would one convey that information back to rsyslog? I know Radu mentioned calling a program with omprog, and sending messages to ES from there, but in my setup, data integrity is paramount, and I don't want to re-implement rsyslog's reliable method delivery and failover systems.

The method that I'm currently stress-testing is using the ElasticSearch River[1] with a RabbitMQ[2] type. With this setup, rsyslog sends messages to a RabbitMQ queue. ElasticSearch is configured with the queue's information, and then it periodically pulls messages from that queue. Once it has the messages, it proceeds to bulk index them. If the master ES node goes down, the new master starts pulling messages from the queue. Overall, it seems to work well, and the indexing throughput seems higher, due to not pushing messages to ES when it's very busy.

Unfortunately, I can't find any rsyslog plugin for RabbitMQ, so I'm currently bouncing my messages through a logstash[3] server. Does anyone know of any plugin? I suspect the zeromq plugins might be a good starting point; I'm not sure how much would have to be rewritten to send to RabbitMQ instead.

Those were my experiences - I hope some of that proves useful to others looking into ElasticSearch.

--
Vlad Grigorescu | IT Security Engineer
University of Illinois at Urbana-Champaign
Office of Privacy and Information Assurance

[1] -
[2] -
[3] -

From rory at ooma.com Thu Feb 9 00:12:27 2012
From: rory at ooma.com (Rory Toma)
Date: Wed, 08 Feb 2012 15:12:27 -0800
Subject: [rsyslog] re-encrypting stream
Message-ID: <4F33015B.6050405@ooma.com>

I have a situation where I need clients to send encrypted to a forwarder syslog server, and then have it re-send the packets, encrypted to another syslog (not syslog-ng) server.

My current situation has the clients sending directly to the syslog server encrypted, and it is working, now I am trying to get the middle piece in.

If I use a config file like below, will this also re-encrypt and send to the other syslog server? The reason I want to do this is because the other syslog server only accepts encrypted traffic, and if I decide to send it plain traffic, I have to take that down and change things on that end, which I'd rather not do.

thx

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/key.pem
$ModLoad imtcp
$ModLoad imuxsock
$PreserveFQDN on
$WorkDirectory /var/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName rsyslog-fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueMaxDiskSpace 1000m
$SystemLogSocketName /var/rsyslog/log
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 110
*.* @@rsyslog.ooma.com:110

From david at lang.hm Thu Feb 9 03:32:58 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 8 Feb 2012 18:32:58 -0800 (PST)
Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators)
In-Reply-To: <4F328EBB.8000000@illinois.edu>
References: <4F328EBB.8000000@illinois.edu>
Message-ID:

On Wed, 8 Feb 2012, Vlad Grigorescu wrote:

> - - Finally, I'm a bit confused on how rsyslog receives commit errors
> with the new transactional plugin system. If there's a batch of 5
> messages, and only message 4 is successfully committed during
> endTransaction, how would one convey that information back to rsyslog? I
> know Radu mentioned calling a program with omprog, and sending messages
> to ES from there, but in my setup, data integrity is paramount, and I
> don't want to re-implement rsyslog's reliable method delivery and
> failover systems.

the approach that rsyslog takes is that it tries to push the entire batch, if that fails it cuts the batch size in half and tries to send that, and if it fails with a batch size of 1 it decides that message is bad.

I don't remember what happens with a bad message (it's either that a rsyslog message is logged about the problem and the message is skipped, or the output plugin will stall forever).

I do remember that there is a way to differentiate between a temporary failure (the server is down) and a permanent failure (the message is malformed in such a way that it will never succeed) this is based on the assumption that a batch is handled as a single transaction, so if any of the messages fail, none of them are inserted. David Lang From nathans at aconex.com Thu Feb 9 11:10:16 2012 From: nathans at aconex.com (Nathan Scott) Date: Thu, 9 Feb 2012 21:10:16 +1100 (EST) Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators) In-Reply-To: <4F328EBB.8000000@illinois.edu> Message-ID: <1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com> Hi there Vlad, ----- Original Message ----- > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > ... > work fine under many use cases. However, there are a few fundamental > limitations with the current omelasticsearch/rsyslog integration: > > - - omelasticsearch uses curl to make the API calls to ES. The > downside of this is that you have to specify a hostname. ES supports > auto-discovering a cluster, as well as fail-over. If the host > omelasticsearch is using goes down, the cluster may still be fully > functional, but omelasticsearch won't be able to find it. Of course, > you could go in and add other cluster members as failover actions, but > this would mean a config change every time you change your ES > topology. *nod* ... > - - curl has a default of only returning 16KB of the HTTP response. > This response contains the information of which messages were > successfully inserted into ES, and which failed. For a large batch of > messages, one could easily get a response over the 16KB limit. This > would require running a custom-compiled version of curl, that ups this > limit. Limiting the batch size to something that can't blow that limit would seem preferable than a libcurl rebuild, perhaps. 
The ES responses are fairly terse, we should be able to calculate a fixed upper bound.

> - - "Pushing" to ES seems to work much less reliably than having ES
> "pull" messages. For similarly small-sized batches (~250 messages), ES
> would often take 6-8ms for the bulk insert. However, it would

That's quite surprising.

> occasionally spike up to 6000ms, which would cause quite a backlog in
> the queue.

That's *really* surprising - 6 seconds?!?? Did you figure out what was going on there, OOC? That sounds like a network/socket timeout on connect perhaps? Can you describe the platform that you're using (Linux? distro? kernel version etc) - could be something like this old chestnut causing this...
http://lkml.indiana.edu/hypermail/linux/net/0908.2/00003.html

> Having ES "pull" messages instead (more on this later)
> seemed to work much more consistently.
> ...
> The method that I'm currently stress-testing is using the
> ElasticSearch River[1] with a RabbitMQ[2] type. With this setup,
> rsyslog sends messages to a RabbitMQ queue. ElasticSearch is

That sounds like it's just dodging the problem a bit though, by putting a persistent queueing system in the middle to hide a deficiency. I'd really prefer improving/fixing the underlying issues, which all seem to me to not be inherently unfixable...? (except perhaps the first issue of needing at least one ES hostname ... but again, the same issue must affect rabbitmq, so must be solvable somehow? or using a floating IP address or some such trickery).

> configured with the queue's information, and then it periodically
> pulls messages from that queue. Once it has the messages, it proceeds
> to bulk index them. If the master ES node goes down, the new master
> starts pulling messages from the queue. Overall, it seems to work

What happens when the queueing system in the middle goes down though? Or when that queueing system gets very busy - haven't we just moved the same problem somewhere else?

> well, and the indexing throughput seems higher, due to not pushing > messages to ES when it's very busy. OOC, when you see elasticsearch getting very busy, is it network or CPU bound, or something else? > > Those were my experiences - I hope some of that proves useful to > others looking into ElasticSearch. > Indeed, thanks for sharing! Much appreciated. cheers. -- Nathan From taotetek at gmail.com Thu Feb 9 14:44:20 2012 From: taotetek at gmail.com (Brian Knox) Date: Thu, 9 Feb 2012 08:44:20 -0500 Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators) In-Reply-To: <1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com> References: <4F328EBB.8000000@illinois.edu> <1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com> Message-ID: Hello! I'm one of the people behind the rsyslog zeromq plugins. I was reading this thread with interest, as I have time set aside to dig into elasticsearch next month. I know little about it yet, but I found this statement interesting: "Pushing" to ES seems to work much less reliably than having ES "pull" messages " As a heads up, we have somewhat experimental (well, I would consider the zeromq plugins as a whole to still be experimental actually) support for ZMQ_REP output sockets in the omzeromq plugin. This output blocks until it receives a request from a ZMQ_REQ socket, at which time it serves up the next waiting log line from rsyslog. It in effect makes the rsyslog output queue an on demand request driven log line server. There's more work to do on it (we're talking about adding in batching support so that each request would receive N messages in reply), but even at the experimental state we've been able to serve up ~ 60,000 log lines a second over the output. While this is far below rsyslog's full capacity we feel it's not bad for a request / reply queue and at least a good starting point. 
Is there some way this could be useful with elastic search, given the statement that elastic search does better when it's requesting data rather than being pushed data? Brian On Thu, Feb 9, 2012 at 5:10 AM, Nathan Scott wrote: > Hi there Vlad, > > ----- Original Message ----- > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > ... > > work fine under many use cases. However, there are a few fundamental > > limitations with the current omelasticsearch/rsyslog integration: > > > > - - omelasticsearch uses curl to make the API calls to ES. The > > downside of this is that you have to specify a hostname. ES supports > > auto-discovering a cluster, as well as fail-over. If the host > > omelasticsearch is using goes down, the cluster may still be fully > > functional, but omelasticsearch won't be able to find it. Of course, > > you could go in and add other cluster members as failover actions, but > > this would mean a config change every time you change your ES > > topology. > > *nod* ... > > > - - curl has a default of only returning 16KB of the HTTP response. > > This response contains the information of which messages were > > successfully inserted into ES, and which failed. For a large batch of > > messages, one could easily get a response over the 16KB limit. This > > would require running a custom-compiled version of curl, that ups this > > limit. > > Limiting the batch size to something that can't blow that limit would > seem preferable than a libcurl rebuild, perhaps. The ES responses are > fairly terse, we should be able to calculate a fixed upper bound. > > > - - "Pushing" to ES seems to work much less reliably than having ES > > "pull" messages. For similarly small-sized batches (~250 messages), ES > > would often take 6-8ms for the bulk insert. However, it would > > That's quite surprising. > > > occasionally spike up to 6000ms, which would cause quite a backlog in > > the queue. > > That's *really* surprising - 6 seconds?!?? 
Did you figure out what > was going on there, OOC? That sounds like a network/socket timeout > on connect perhaps? Can you describe the platform that you're using > (Linux? distro? kernel version etc) - could be something like this > old chestnut causing this... > http://lkml.indiana.edu/hypermail/linux/net/0908.2/00003.html > > > Having ES "pull" messages instead (more on this later) > > seemed to work much more consistently. > > ... > > The method that I'm currently stress-testing is using the > > ElasticSearch River[1] with a RabbitMQ[2] type. With this setup, > > rsyslog sends messages to a RabbitMQ queue. ElasticSearch is > > That sounds like its just dodging the problem a bit though, by putting > a persistent queueing system in the middle to hide a deficiency. I'd > really prefer improving/fixing the underlying issues, which all seem > to me to not be inherently unfixable...? (except perhaps the first > issue of needing at least one ES hostname ... but again, the same issue > must affect rabbitmq, so must be solvable somehow? or using a floating > IP address or some such trickery). > > > configured with the queue's information, and then it periodically > > pulls messages from that queue. Once it has the messages, it proceeds > > to bulk index them. If the master ES node goes down, the new master > > starts pulling messages from the queue. Overall, it seems to work > > What happens when the queueing system in the middle goes down though? > Or when that queueing system gets very busy - haven't we just moved the > same problem somewhere else? > > > well, and the indexing throughput seems higher, due to not pushing > > messages to ES when it's very busy. > > OOC, when you see elasticsearch getting very busy, is it network or > CPU bound, or something else? > > > > > Those were my experiences - I hope some of that proves useful to > > others looking into ElasticSearch. > > > > Indeed, thanks for sharing! Much appreciated. > > cheers. 
> > -- > Nathan > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From rgerhards at hq.adiscon.com Thu Feb 9 15:29:07 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Thu, 9 Feb 2012 15:29:07 +0100 Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators) In-Reply-To: References: <4F328EBB.8000000@illinois.edu><1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72818B6@GRFEXC.intern.adiscon.com> Just FYI: I am *very* interested in ElasticSearch and this discussion. But I am busy preparing, among other things, for the Fedora Developer conference next week. So I'll probably be able to look at this things some time around the end of the month. Keep on the good discussion. rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > bounces at lists.adiscon.com] On Behalf Of Brian Knox > Sent: Thursday, February 09, 2012 2:44 PM > To: rsyslog-users > Subject: Re: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing > for rsyslog aggregators) > > Hello! I'm one of the people behind the rsyslog zeromq plugins. I was > reading this thread with interest, as I have time set aside to dig into > elasticsearch next month. I know little about it yet, but I found this > statement interesting: > > "Pushing" to ES seems to work much less reliably than having ES "pull" > messages " > > As a heads up, we have somewhat experimental (well, I would consider > the > zeromq plugins as a whole to still be experimental actually) support > for > ZMQ_REP output sockets in the omzeromq plugin. > > This output blocks until it receives a request from a ZMQ_REQ socket, > at > which time it serves up the next waiting log line from rsyslog. 
It in > effect makes the rsyslog output queue an on demand request driven log > line > server. > > There's more work to do on it (we're talking about adding in batching > support so that each request would receive N messages in reply), but > even > at the experimental state we've been able to serve up ~ 60,000 log > lines a > second over the output. While this is far below rsyslog's full > capacity we > feel it's not bad for a request / reply queue and at least a good > starting > point. > > Is there some way this could be useful with elastic search, given the > statement that elastic search does better when it's requesting data > rather > than being pushed data? > > Brian > > On Thu, Feb 9, 2012 at 5:10 AM, Nathan Scott > wrote: > > > Hi there Vlad, > > > > ----- Original Message ----- > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > ... > > > work fine under many use cases. However, there are a few > fundamental > > > limitations with the current omelasticsearch/rsyslog integration: > > > > > > - - omelasticsearch uses curl to make the API calls to ES. The > > > downside of this is that you have to specify a hostname. ES > supports > > > auto-discovering a cluster, as well as fail-over. If the host > > > omelasticsearch is using goes down, the cluster may still be fully > > > functional, but omelasticsearch won't be able to find it. Of > course, > > > you could go in and add other cluster members as failover actions, > but > > > this would mean a config change every time you change your ES > > > topology. > > > > *nod* ... > > > > > - - curl has a default of only returning 16KB of the HTTP response. > > > This response contains the information of which messages were > > > successfully inserted into ES, and which failed. For a large batch > of > > > messages, one could easily get a response over the 16KB limit. This > > > would require running a custom-compiled version of curl, that ups > this > > > limit. 
> > > > Limiting the batch size to something that can't blow that limit would > > seem preferable than a libcurl rebuild, perhaps. The ES responses > are > > fairly terse, we should be able to calculate a fixed upper bound. > > > > > - - "Pushing" to ES seems to work much less reliably than having ES > > > "pull" messages. For similarly small-sized batches (~250 messages), > ES > > > would often take 6-8ms for the bulk insert. However, it would > > > > That's quite surprising. > > > > > occasionally spike up to 6000ms, which would cause quite a backlog > in > > > the queue. > > > > That's *really* surprising - 6 seconds?!?? Did you figure out what > > was going on there, OOC? That sounds like a network/socket timeout > > on connect perhaps? Can you describe the platform that you're using > > (Linux? distro? kernel version etc) - could be something like this > > old chestnut causing this... > > http://lkml.indiana.edu/hypermail/linux/net/0908.2/00003.html > > > > > Having ES "pull" messages instead (more on this later) > > > seemed to work much more consistently. > > > ... > > > The method that I'm currently stress-testing is using the > > > ElasticSearch River[1] with a RabbitMQ[2] type. With this setup, > > > rsyslog sends messages to a RabbitMQ queue. ElasticSearch is > > > > That sounds like its just dodging the problem a bit though, by > putting > > a persistent queueing system in the middle to hide a deficiency. I'd > > really prefer improving/fixing the underlying issues, which all seem > > to me to not be inherently unfixable...? (except perhaps the first > > issue of needing at least one ES hostname ... but again, the same > issue > > must affect rabbitmq, so must be solvable somehow? or using a > floating > > IP address or some such trickery). > > > > > configured with the queue's information, and then it periodically > > > pulls messages from that queue. Once it has the messages, it > proceeds > > > to bulk index them. 
If the master ES node goes down, the new master > > > starts pulling messages from the queue. Overall, it seems to work > > > > What happens when the queueing system in the middle goes down though? > > Or when that queueing system gets very busy - haven't we just moved > the > > same problem somewhere else? > > > > > well, and the indexing throughput seems higher, due to not pushing > > > messages to ES when it's very busy. > > > > OOC, when you see elasticsearch getting very busy, is it network or > > CPU bound, or something else? > > > > > > > > Those were my experiences - I hope some of that proves useful to > > > others looking into ElasticSearch. > > > > > > > Indeed, thanks for sharing! Much appreciated. > > > > cheers. > > > > -- > > Nathan > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ From radu0gheorghe at gmail.com Fri Feb 10 08:13:58 2012 From: radu0gheorghe at gmail.com (Radu Gheorghe) Date: Fri, 10 Feb 2012 09:13:58 +0200 Subject: [rsyslog] Can't make omelasticsearch work Message-ID: Hi, I've posted the same question on the forum here: http://kb.monitorware.com/can-install-elasticsearch-output-module-t11309.html#p21855 But I didn't get any answer so far. The idea is that I can't get the Elasticsearch output module to work. 
I have this in the conf:
------------------
$ModLoad omelasticsearch.so
$template precise,"%syslogseverity% %timereported:1:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
*.* -/var/log/messages;precise
*.* :omelasticsearch:;precise
------------------

And I get this in the debug log (and in Elasticsearch's log):
------------------
omelasticsearch result: {"error":"ElasticSearchParseException[Failed to derive xcontent from (offset=0, length=159):
------------------

I'm very interested in the discussions about rsyslog and Elasticsearch, though I don't want to pollute those threads with this question.

Can anyone, please, help? Right now I'm using a python script with omprog, which has a number of problems. To name only a few:
- it's slow. For example, I have to parse the rsyslog output in order to insert the stuff into Elasticsearch
- I have to reimplement a lot of functionality that is already in rsyslog. For example, queueing

Best regards,
Radu

From michael at maymann.org Fri Feb 10 13:10:33 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 10 Feb 2012 13:10:33 +0100
Subject: [rsyslog] rsyslog as a SNMPtrap server ?
Message-ID:

Hi list,

can rsyslog be used as a SNMPtrap-server to gather traps from all my servers/network-equipment/storage-systems/etc. (clients) ?
If so, what module should I load and what does an example configuration look like on both linux client+server ?
If not, does anyone know a working non-rsyslog-solution ?

Thanks in advance :-) !
~maymann

From michael at maymann.org Fri Feb 10 13:14:47 2012
From: michael at maymann.org (Michael Maymann)
Date: Fri, 10 Feb 2012 13:14:47 +0100
Subject: [rsyslog] old RHEL5 syslog client doesn't report time right
Message-ID:

Hi List,

we are running some older RHEL5 syslog-client (that can't be upgraded due to software on them) running the old syslog daemon.
I configured my new rsyslog RHEL6 clients with the following:
$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat
and that did the trick for them...

(How) can I get same result with the old syslog daemon on my syslog clients ?

Thanks in advance :-) !
~maymann

From vladg at illinois.edu Fri Feb 10 15:42:13 2012
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Fri, 10 Feb 2012 08:42:13 -0600
Subject: [rsyslog] ElasticSearch Bulk Indexing (was: Load balancing for rsyslog aggregators)
In-Reply-To: <1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com>
References: <1889441583.80932.1328782216100.JavaMail.root@acxmail-au2.aconex.com>
Message-ID: <4F352CC5.7020207@illinois.edu>

Thanks for the reply. I should point out that my goal isn't to advise any one particular approach - just to share my experiences in the hopes that others might find them useful, and/or point out some mistake(s) I'm making.

On 2/9/12 4:10 AM, Nathan Scott wrote:
>> - - "Pushing" to ES seems to work much less reliably than having ES
>> "pull" messages. For similarly small-sized batches (~250 messages), ES
>> would often take 6-8ms for the bulk insert. However, it would
>
> That's quite surprising.
>
>> occasionally spike up to 6000ms, which would cause quite a backlog in
>> the queue.
>
> That's *really* surprising - 6 seconds?!?? Did you figure out what
> was going on there, OOC? That sounds like a network/socket timeout
> on connect perhaps? Can you describe the platform that you're using
> (Linux? distro? kernel version etc) - could be something like this
> old chestnut causing this...
> http://lkml.indiana.edu/hypermail/linux/net/0908.2/00003.html

You know, I did some poking around and couldn't find anything. Neither libcurl nor elasticsearch were reporting any errors. My queue just kept filling faster than it was emptying, and I'd see the occasional spike to 2, 3, 4 or 6 seconds. Load, memory, etc. all seemed fine on all systems.
Reading over that thread, it very well could be a backlog issue. Backlog is currently set to 128 - I'll ask the system admin to up that and see if I get more consistent writes. Just for the record, for this setup, I have one box running rsyslog, and 2 ES nodes, with replication=1. All machines are VMs, either on the same VM host, or very near to each other - latency should be <1ms. They're all running RHEL6, with 2.6.32-220.2.1 64-bit. ES nodes are quad-core, 4 GB RAM, while rsyslog is single-core, 1 GB RAM. I am pointing the firehose at the setup, which is roughly 6000 messages/second right now. > That sounds like its just dodging the problem a bit though, by putting > a persistent queueing system in the middle to hide a deficiency. I'd > really prefer improving/fixing the underlying issues, which all seem > to me to not be inherently unfixable...? (except perhaps the first > issue of needing at least one ES hostname ... but again, the same issue > must affect rabbitmq, so must be solvable somehow? or using a floating > IP address or some such trickery). No, I agree - I think these are issues that are fixable, and of course the simpler the solution, the better. > What happens when the queueing system in the middle goes down though? > Or when that queueing system gets very busy - haven't we just moved the > same problem somewhere else? The reason I started playing around with rabbit was for greater performance. From what I've read, the river should be faster than simply using the bulk API, simply because it's designed to deal with the constant stream of messages I'm sending it. However, I need to do some additional testing, to figure out exactly how much faster it is. However, if I can figure out how to get the performance I need without the extra layer of complexity, that'd be preferred. >> well, and the indexing throughput seems higher, due to not pushing >> messages to ES when it's very busy. 
> > OOC, when you see elasticsearch getting very busy, is it network or > CPU bound, or something else? I had assumed that when the ES insert would take seconds, that was because ES load was momentarily high. I didn't see anything on the network on the on ES nodes to indicate an issue. It seems reasonable, however, that having ES grab data asynchronously would be more efficient, but again, I still need to test this. > Limiting the batch size to something that can't blow that limit would > seem preferable than a libcurl rebuild, perhaps. The ES responses are > fairly terse, we should be able to calculate a fixed upper bound. I did some looking into this, and the numbers seemed to be pretty low. The response I see is: {"took":8,"items":[{"create":{"_index":"system","_type":"events","_id":01234567890123456890ab","_version":1,"ok":true}},{"create":{"_index":"system","_type":"events","_id":01234567890123456890ab","_version":1,"ok":true}}]} The value of took is the milliseconds that the operation took to complete. Let's assume a slow operation that took >=10 ms to complete. So, we have a fixed value of: {"took":10,"items":[]} (22 characters). Then, each message has a response of: {"create":{"_index":"system","_type":"events","_id":01234567890123456890ab","_version":1,"ok":true}}, (101 characters). The last message won't have the trailing comma, so that gives us 22 + 101*n - 1, where n is the number of messages sent in a batch. The result is just ASCII encoded (one byte/character). 16 KB minus the 21 bytes of overhead give us a maximum of only 162 messages at 101 bytes each. (Obviously this will change depending on your index and type name). However, in the event of an error, the reply is much more verbose. ElasticSearch will return the exception name, the error message, and in the case of a parse error, it will return your message in comma-separated decimal ASCII format. 
I introduced an extra character in the messages I was sending, and had an average error length of 718 bytes (in addition to the 101 baseline). That would be less than 20 messages/batch, and that's only in the average case.

Thanks,

--Vlad

From vladg at illinois.edu Fri Feb 10 15:44:39 2012
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Fri, 10 Feb 2012 08:44:39 -0600
Subject: [rsyslog] Can't make omelasticsearch work
In-Reply-To:
References:
Message-ID: <4F352D57.6050807@illinois.edu>

On 2/10/12 1:13 AM, Radu Gheorghe wrote:
> $template precise,"%syslogseverity% %timereported:1:19:date-rfc3339%
> %HOSTNAME% %syslogtag% %msg%\n"
>
> :omelasticsearch:;precise

I'm not sure why you're doing this. ElasticSearch expects the messages in JSON, and if you don't give omelasticsearch a format, it will default to StdJSONFmt. What happens if you remove ';precise'?

--Vlad

From rgerhards at hq.adiscon.com Fri Feb 10 17:34:39 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 10 Feb 2012 17:34:39 +0100
Subject: [rsyslog] rsyslog as a SNMPtrap server ?
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72818C0@GRFEXC.intern.adiscon.com>

Unfortunately not, but we would love to take some order for implementing it ;) That said, have a look at snmptrapd ;)

rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Friday, February 10, 2012 1:11 PM
> To: rsyslog-users
> Subject: [rsyslog] rsyslog as a SNMPtrap server ?
>
> Hi list,
>
> can rsyslog be used as a SNMPtrap-server to gather traps from all my
> servers/network-equipment/storage-systems/etc. (clients) ?
> If so, what module should I load and what does an example configuration
> look like on both linux client+server ?
> If not, does anyone know a working non-rsyslog-solution ?
>
>
> Thanks in advance :-) !
> ~maymann > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ From david at lang.hm Fri Feb 10 20:16:24 2012 From: david at lang.hm (david at lang.hm) Date: Fri, 10 Feb 2012 11:16:24 -0800 (PST) Subject: [rsyslog] old RHEL5 syslog client doesn't report time right In-Reply-To: References: Message-ID: On Fri, 10 Feb 2012, Michael Maymann wrote: > Hi List, > > we are running some older RHEL5 syslog-client (that can't be upgraded due > to software on them) running the old syslog daemon. > I configured my new rsyslog RHEL6 clients with the following: > $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat > and that did the trick for them... > > (How) can I get same result with the old syslog daemon on my syslog clients > ? First off, this sounds like a question to send to RedHat because you are asking how to configure their non-rsyslog daemon. but before we can help you, what is the actual problem you are having? is RHEL5 the sender or the receiver of the log message? what are you getting, and what do you think you should be getting? David Lang From michael at maymann.org Fri Feb 10 20:35:09 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 10 Feb 2012 20:35:09 +0100 Subject: [rsyslog] old RHEL5 syslog client doesn't report time right In-Reply-To: References: Message-ID: Hi, my RHEL5 are legacy syslog clients and they don't report time right. They report client-time but server-timezone... RHEL6 rsyslog-client did the same thing before i added: $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat Br. ~maymann 2012/2/10 > On Fri, 10 Feb 2012, Michael Maymann wrote: > > Hi List, >> >> we are running some older RHEL5 syslog-client (that can't be upgraded due >> to software on them) running the old syslog daemon. 
>> I configured my new rsyslog RHEL6 clients with the following: >> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat >> and that did the trick for them... >> >> (How) can I get same result with the old syslog daemon on my syslog >> clients >> ? >> > > First off, this sounds like a question to send to RedHat because you are > asking how to configure their non-rsyslog daemon. > > but before we can help you, what is the actual problem you are having? > > is RHEL5 the sender or the receiver of the log message? > > what are you getting, and what do you think you should be getting? > > David Lang > ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog > http://www.rsyslog.com/**professional-services/ > From david at lang.hm Fri Feb 10 20:45:53 2012 From: david at lang.hm (david at lang.hm) Date: Fri, 10 Feb 2012 11:45:53 -0800 (PST) Subject: [rsyslog] old RHEL5 syslog client doesn't report time right In-Reply-To: References: Message-ID: as far as I know, you cannot change the logging format of the old syslog daemon. reading between the lines I think that you are saying that the server you are logging to is rsyslog, is this correct? If you are logging in rsyslog using a format that includes the timezone, but the system sending you the log doesn't include what timezone that server is in, rsyslog makes the guess that the sending server is in the same timezone as the receiving server and sets the timezone accordingly. 
I would suggest that you compile rsyslog for RHEL5 and replace the syslog daemon on those systems (the version that came with RHEL5 is old enough that it's not supported by rsyslog any longer, that version only gets support from Red Hat) The other option would be to put all your systems on the same timezone (and I would strongly recommend putting them on UTC, it avoids a lot of hassles) David Lang On Fri, 10 Feb 2012, Michael Maymann wrote: > Hi, > > my RHEL5 are legacy syslog clients and they don't report time right. They > report client-time but server-timezone... > RHEL6 rsyslog-client did the same thing before i added: > $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat > > > Br. > ~maymann > > > 2012/2/10 > >> On Fri, 10 Feb 2012, Michael Maymann wrote: >> >> Hi List, >>> >>> we are running some older RHEL5 syslog-client (that can't be upgraded due >>> to software on them) running the old syslog daemon. >>> I configured my new rsyslog RHEL6 clients with the following: >>> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat >>> and that did the trick for them... >>> >>> (How) can I get same result with the old syslog daemon on my syslog >>> clients >>> ? >>> >> >> First off, this sounds like a question to send to RedHat because you are >> asking how to configure their non-rsyslog daemon. >> >> but before we can help you, what is the actual problem you are having? >> >> is RHEL5 the sender or the receiver of the log message? >> >> what are you getting, and what do you think you should be getting? 
>> >> David Lang >> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog >> http://www.rsyslog.com/**professional-services/ >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From michael at maymann.org Fri Feb 10 20:53:02 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 10 Feb 2012 20:53:02 +0100 Subject: [rsyslog] old RHEL5 syslog client doesn't report time right In-Reply-To: References: Message-ID: Hi, David: yes, my server is running rsyslog 6.3.7-devel. Thanks for your suggestions - I will recompile rsyslog on my RHEL5 syslog-clients. Have a nice weekend...:-) ! Br. ~maymann 2012/2/10 > as far as I know, you cannot change the logging format of the old syslog > daemon. > > reading between the lines I think that you are saying that the server you > are logging to is rsyslog, is this correct? > > If you are logging in rsyslog using a format that includes the timezone, > but the system sending you the log doesn't include what timezone that > server is in, rsyslog makes the guess that the sending server is in the > same timezone as the receiving server and sets the timezone accordingly. > > I would suggest that you compile rsyslog for RHEL5 and replace the syslog > daemon on those systems (the version that came with RHEL5 is old enough > that it's not supported by rsyslog any longer, that version only gets > support from Red Hat) > > The other option would be to put all your systems on the same timezone > (and I would strongly recommend putting them on UTC, it avoids a lot of > hassles) > > David Lang > > > On Fri, 10 Feb 2012, Michael Maymann wrote: > > Hi, >> >> my RHEL5 are legacy syslog clients and they don't report time right. They >> report client-time but server-timezone... 
>> RHEL6 rsyslog-client did the same thing before i added: >> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat >> >> >> Br. >> ~maymann >> >> >> 2012/2/10 >> >> On Fri, 10 Feb 2012, Michael Maymann wrote: >>> >>> Hi List, >>> >>>> >>>> we are running some older RHEL5 syslog-client (that can't be upgraded >>>> due >>>> to software on them) running the old syslog daemon. >>>> I configured my new rsyslog RHEL6 clients with the following: >>>> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat >>>> and that did the trick for them... >>>> >>>> (How) can I get same result with the old syslog daemon on my syslog >>>> clients >>>> ? >>>> >>>> >>> First off, this sounds like a question to send to RedHat because you are >>> asking how to configure their non-rsyslog daemon. >>> >>> but before we can help you, what is the actual problem you are having? >>> >>> is RHEL5 the sender or the receiver of the log message? >>> >>> what are you getting, and what do you think you should be getting? >>> >>> David Lang >>> ______________________________****_________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/****mailman/listinfo/rsyslog >>> >>> > >>> http://www.rsyslog.com/****professional-services/ >>> >>> > >>> >>> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog >> http://www.rsyslog.com/**professional-services/ >> >> ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog > http://www.rsyslog.com/**professional-services/ > From michael at maymann.org Fri Feb 10 20:55:47 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 10 Feb 2012 20:55:47 +0100 Subject: [rsyslog] rsyslog as a SNMPtrap server ? In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72818C0@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA72818C0@GRFEXC.intern.adiscon.com> Message-ID: Hi, Rainer: thanks for your reply. 
Can't this module do the trick ?: http://www.rsyslog.com/doc/rsyslog_conf_modules.html/mmsnmptrapd.html Br. ~maymann 2012/2/10 Rainer Gerhards > Unfortunately not, but we would love to take some order for implementing it > ;) > > That said, have a look at snmptrapd ;) > rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann > > Sent: Friday, February 10, 2012 1:11 PM > > To: rsyslog-users > > Subject: [rsyslog] rsyslog as a SNMPtrap server ? > > > > Hi list, > > > > can rsyslog be used as a SNMPtrap-server to gather traps from all my > > servers/network-equipment/storage-systems/etc. (clients) ? > > If so, what module should I load and what does an example configuration > > look like on both linux client+server ? > > If not, does anyone know a working non-rsyslog-solution ? > > > > > > Thanks in advance :-) ! > > ~maymann > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From david at lang.hm Fri Feb 10 21:16:18 2012 From: david at lang.hm (david at lang.hm) Date: Fri, 10 Feb 2012 12:16:18 -0800 (PST) Subject: [rsyslog] rsyslog as a SNMPtrap server ? In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA72818C0@GRFEXC.intern.adiscon.com> Message-ID: not directly. this module reformats messages that are already in syslog to extract the information. What it sounded like you were looking for is a module that would listen on the SNMP trap port for traps to be sent to it, and then add them in to the queue. 
however if you run SNMPTT and have it listening on the SNMP trap port and logging the message to syslog via the logger command, then mmsnmptrapd will reformat the message to make it far more useful. David Lang On Fri, 10 Feb 2012, Michael Maymann wrote: > Hi, > > Rainer: thanks for your reply. > Can't this module do the trick ?: > http://www.rsyslog.com/doc/rsyslog_conf_modules.html/mmsnmptrapd.html > > > Br. > ~maymann > > 2012/2/10 Rainer Gerhards > >> Unfortunately not, but we would love to take some order for implementing it >> ;) >> >> That said, have a look at snmptrapd ;) >> rainer >> >>> -----Original Message----- >>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog- >>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>> Sent: Friday, February 10, 2012 1:11 PM >>> To: rsyslog-users >>> Subject: [rsyslog] rsyslog as a SNMPtrap server ? >>> >>> Hi list, >>> >>> can rsyslog be used as a SNMPtrap-server to gather traps from all my >>> servers/network-equipment/storage-systems/etc. (clients) ? >>> If so, what module should I load and what does an example configuration >>> look like on both linux client+server ? >>> If not, does anyone know a working non-rsyslog-solution ? >>> >>> >>> Thanks in advance :-) ! >>> ~maymann >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > From michael at maymann.org Fri Feb 10 21:22:50 2012 From: michael at maymann.org (Michael Maymann) Date: Fri, 10 Feb 2012 21:22:50 +0100 Subject: [rsyslog] rsyslog as a SNMPtrap server ? 
In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA72818C0@GRFEXC.intern.adiscon.com> Message-ID: Hi, David: thanks for your reply. This is exactly what I am looking for. Sounds good... I will give it a try...:-) ! Br. ~maymann 2012/2/10 > not directly. > > this module reformats messages that are already in syslog to extract the > information. > > What it sounded like you were looking for is a module that would listen on > the SNMP trap port for traps to be sent to it, and then add them in to the > queue. > > however if you run SNMPTT and have it listening on the SNMP trap port and > logging the message to syslog via the logger command, then mmsnmptrapd will > reformat the message to make it far more useful. > > David Lang > > > On Fri, 10 Feb 2012, Michael Maymann wrote: > > Hi, >> >> Rainer: thanks for your reply. >> Can't this module do the trick ?: >> http://www.rsyslog.com/doc/**rsyslog_conf_modules.html/**mmsnmptrapd.html >> >> >> Br. >> ~maymann >> >> 2012/2/10 Rainer Gerhards >> >> Unfortunately not, but we would love to take some order for implementing >>> it >>> ;) >>> >>> That said, have a look at snmptrapd ;) >>> rainer >>> >>> -----Original Message----- >>>> From: rsyslog-bounces at lists.adiscon.**com[mailto: >>>> rsyslog- >>>> bounces at lists.adiscon.com] On Behalf Of Michael Maymann >>>> Sent: Friday, February 10, 2012 1:11 PM >>>> To: rsyslog-users >>>> Subject: [rsyslog] rsyslog as a SNMPtrap server ? >>>> >>>> Hi list, >>>> >>>> can rsyslog be used as a SNMPtrap-server to gather traps from all my >>>> servers/network-equipment/**storage-systems/etc. (clients) ? >>>> If so, what module should I load and what does an example configuration >>>> look like on both linux client+server ? >>>> If not, does anyone know a working non-rsyslog-solution ? >>>> >>>> >>>> Thanks in advance :-) ! 
>>>> ~maymann >>>> ______________________________**_________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/**professional-services/ >>>> >>> ______________________________**_________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/**mailman/listinfo/rsyslog >>> http://www.rsyslog.com/**professional-services/ >>> >>> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog >> http://www.rsyslog.com/**professional-services/ >> >> ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog > http://www.rsyslog.com/**professional-services/ > From rory at ooma.com Fri Feb 10 23:51:00 2012 From: rory at ooma.com (Rory Toma) Date: Fri, 10 Feb 2012 14:51:00 -0800 Subject: [rsyslog] Encrypted receiver Message-ID: <4F359F54.405@ooma.com> I am having trouble getting an encrypted receiver to work. I can send to a syslog-ng setup just fine, but I can't seem to get it to work with rsyslogd. I can see the packets hitting my server, but nothing shows up in the log. I probably have a simple error in the config file, but I don't know what it is. 
thx

Here is my client file:

$DefaultNetStreamDriverCAFile /etc/ca.pem
$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
$ActionQueueDequeueBatchSize 256
$ActionQueueDequeueSlowdown 1000
$ActionSendTCPRebindInterval 5
$WorkDirectory /var/log
$ModLoad imuxsock
$SystemLogSocketName /var/log/log
$OptimizeForUniprocessor on
*.* @@syslogserver:110

Here is my receiver file:

$DefaultNetstreamDriverCAFile /export/tls/ca.pem
$DefaultNetstreamDriverCertFile /export/tls/cert.pem
$DefaultNetstreamDriverKeyFile /export/tls/key.pem
$DefaultNetstreamDriver gtls
$ModLoad imtcp
$ModLoad imuxsock
$ModLoad omprog
$PreserveFQDN on
$WorkDirectory /var/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName rsyslog-fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueMaxDiskSpace 1000m
$SystemLogSocketName /var/rsyslog/log
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 111
$template Ooma,"%HOSTNAME% %$now% %TIMESTAMP% %msg%"
#$actionomprogbinary /mongodb/tools/syslog/myxlog-import.pl
$actionomprogbinary /tmp/test-import.pl
#*.* :omprog:
*.* /var/rsyslog/foo

From michael at maymann.org Mon Feb 13 13:24:36 2012
From: michael at maymann.org (Michael Maymann)
Date: Mon, 13 Feb 2012 13:24:36 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

Rainer: thanks - the fix you send me seems to work...:-) at-least on hosts sending its IP... - unfortunately not all legacy syslog clients do..:-( !

I tried to restart syslog again on the host that caused "???"
before, but I am still unable to find either IP or hostname in the log... is FROMHOST based on: 1. dns-lookup of the IP inside the transmitted IP-packet ? or 2. dns-lookup of what it states as its IP/hostname inside syslog-message ? I would prefer 1., as this would always be right - expect if your in a NAT'ed environment... Preferably NAT could be auto-detected (could it be: if traffic is coming from syslog-server LAN or syslog-server default-GW then the client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost (nslookup of IPPacketIP) variables could be added and used if it fits ones environment... ? Br. ~maymann 2012/2/7 Rainer Gerhards > That's a regular log file [in RSYSLOG_DebugForm], showing the log messages > as > you received them. That's not a debug log that shows rsyslog processing. To > create the later, do the same procedure that you used to create the content > of your mail I received at 8:43am today. *That* was a debug log. Look at > the > content of both of your mails and you will immediately notice the > difference. > > Please also keep the mailing list CCed... > > Rainer > > > -----Original Message----- > > From: Michael Maymann [mailto:michael at maymann.org] > > Sent: Tuesday, February 07, 2012 10:28 AM > > To: Rainer Gerhards > > Subject: Re: rsyslog tarball > > > > it states "Debug line with all properties:" all over the logfile... > > Please tell me how to run this thing...? > > > > ~maymann > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > I guess you mistook files: this was not a debug log but a logfile > > ;) > > > > rainer > > > > > > > -----Original Message----- > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 10:22 AM > > > To: Rainer Gerhards > > > Cc: david at lang.hm; rsyslog-users > > > Subject: Re: rsyslog tarball > > > > > > Just made a shorter run with same info inside... attached... 
> > > > > > ~maymann > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > -----Original Message----- > > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, 2012 9:46 AM > > > > To: Rainer Gerhards > > > > Cc: david at lang.hm; rsyslog-users > > > > Subject: Re: rsyslog tarball > > > > > > > > Hi Rainer, > > > > > > > > it is 30Mb - please provide ftp-upload... > > > > > > Zipped or plain? If not zipped, you can probably compress > > it by > > > 90+%. Anyhow, > > > the FTP server is > > > > > > ftp://custservice.adiscon.com/incoming > > > > > > user anonymous, password whatever you like > > > Note that you can only upload, NOT read. Most > > importantly, you > > > won't be able > > > to see the file when the upload is done. > > > > > > If you can compress and mail the file, I can possibly > > faster > > > access it, just > > > if that's an option. > > > > > > Thanks! > > > Rainer > > > > > > > > > > > > > > br. > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Michael Maymann > > [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 8:43 AM > > > > > To: Rainer Gerhards; david at lang.hm > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > [root at oulog001 log]# /usr/sbin/rsyslogd -c 6 -d > > > > > > > > > > 9788.497831529:7f639a331700: rsyslogd 6.3.7- > > postexp1 > > > startup, > > > > > compatibility mode 6, module path '', > > cwd:/var/log > > > > > 9788.497969104:7f639a331700: caller requested > > object > > > 'net', not > > > > found > > > > > > > > [snip] > > > > > > > > Sorry, this debug info does not contain any of > > the > > > > instrumentation I need (no > > > > case occurred) I guess you have cut that off. > > Please send > > > me a > > > > complete file, > > > > best as an attachment (working with saved mail > > messages > > > is far > > > > less nice :)). 
> > > > > > > > If the debug log is too large to mail, please let > > me > > > know. I can > > > > provide an > > > > anonymous upload-only ftp server in that case. > > > > > > > > Thanks! > > > > Rainer > > > > > > > > > > > > > > > > > > > > > > > > > From rgerhards at hq.adiscon.com Mon Feb 13 14:05:26 2012 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Mon, 13 Feb 2012 14:05:26 +0100 Subject: [rsyslog] rsyslog tarball In-Reply-To: References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com> Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com> > -----Original Message----- > From: Michael Maymann [mailto:michael at maymann.org] > Sent: Monday, February 13, 2012 1:25 PM > To: Rainer Gerhards > Cc: rsyslog-users > Subject: Re: rsyslog tarball > > Hi, > > Rainer: thanks - the fix you send me seems to work...:-) at-least on > hosts sending its IP... - unfortunately not all legacy syslog clients > do..:-( ! > > I tried to restart syslog again on the host that caused "???" before, > but I am still unable to find either IP or hostname in the log... > > > is FROMHOST based on: > 1. dns-lookup of the IP inside the transmitted IP-packet ? > > or > 2. dns-lookup of what it states as its IP/hostname inside syslog- > message ? > Neither. It's just the remote peer (taken from the IP header). It's not taken from a syslog header field. If you use DNS reverse resolution, it's the name, else the IP address. > > I would prefer 1., as this would always be right - expect if your in a > NAT'ed environment... > Preferably NAT could be auto-detected (could it be: if traffic is > coming from syslog-server LAN or syslog-server default-GW then the > client is not NAT'ed ?) 
or alternatively IPPacketIP/IPPacketFromHost > (nslookup of IPPacketIP) variables could be added and used if it fits > ones environment... ? The best route is to make sure all syslogd'd emit proper RFC3164 or RFC5424 format and simply use HOSTNAME. (you may also look at [1] for NAT and non-rsyslog). Rainer [1] http://www.rsyslog.com/article19/ > > > Br. > ~maymann > > > 2012/2/7 Rainer Gerhards > > > That's a regular log file [in RSYSLOG_DebugForm], showing the log > messages as > you received them. That's not a debug log that shows rsyslog > processing. To > create the later, do the same procedure that you used to create > the content > of your mail I received at 8:43am today. *That* was a debug log. > Look at the > content of both of your mails and you will immediately notice the > difference. > > Please also keep the mailing list CCed... > > > Rainer > > > -----Original Message----- > > From: Michael Maymann [mailto:michael at maymann.org] > > > Sent: Tuesday, February 07, 2012 10:28 AM > > To: Rainer Gerhards > > Subject: Re: rsyslog tarball > > > > it states "Debug line with all properties:" all over the > logfile... > > Please tell me how to run this thing...? > > > > ~maymann > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > I guess you mistook files: this was not a debug log but a > logfile > > ;) > > > > rainer > > > > > > > -----Original Message----- > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 10:22 AM > > > To: Rainer Gerhards > > > Cc: david at lang.hm; rsyslog-users > > > Subject: Re: rsyslog tarball > > > > > > Just made a shorter run with same info inside... > attached... 
> > > > > > ~maymann > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > -----Original Message----- > > > > From: Michael Maymann > [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, 2012 9:46 AM > > > > To: Rainer Gerhards > > > > Cc: david at lang.hm; rsyslog-users > > > > Subject: Re: rsyslog tarball > > > > > > > > Hi Rainer, > > > > > > > > it is 30Mb - please provide ftp-upload... > > > > > > Zipped or plain? If not zipped, you can probably > compress > > it by > > > 90+%. Anyhow, > > > the FTP server is > > > > > > ftp://custservice.adiscon.com/incoming > > > > > > user anonymous, password whatever you like > > > Note that you can only upload, NOT read. Most > > importantly, you > > > won't be able > > > to see the file when the upload is done. > > > > > > If you can compress and mail the file, I can > possibly > > faster > > > access it, just > > > if that's an option. > > > > > > Thanks! > > > Rainer > > > > > > > > > > > > > > br. > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Michael Maymann > > [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 8:43 > AM > > > > > To: Rainer Gerhards; david at lang.hm > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > [root at oulog001 log]# /usr/sbin/rsyslogd > -c 6 -d > > > > > > > > > > 9788.497831529:7f639a331700: rsyslogd > 6.3.7- > > postexp1 > > > startup, > > > > > compatibility mode 6, module path '', > > cwd:/var/log > > > > > 9788.497969104:7f639a331700: caller > requested > > object > > > 'net', not > > > > found > > > > > > > > [snip] > > > > > > > > Sorry, this debug info does not contain > any of > > the > > > > instrumentation I need (no > > > > case occurred) I guess you have cut that > off. 
> > Please send > > > me a > > > > complete file, > > > > best as an attachment (working with saved > mail > > messages > > > is far > > > > less nice :)). > > > > > > > > If the debug log is too large to mail, > please let > > me > > > know. I can > > > > provide an > > > > anonymous upload-only ftp server in that > case. > > > > > > > > Thanks! > > > > Rainer > > > > > > > > > > > > > > > > > > > > > > > > > > From david at lang.hm Mon Feb 13 21:39:46 2012 From: david at lang.hm (david at lang.hm) Date: Mon, 13 Feb 2012 12:39:46 -0800 (PST) Subject: [rsyslog] rsyslog tarball In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com> References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com> Message-ID: Rainer, while you are looking in this area, a bug I ran into a while ago that I don't remember seeing a fix for is that if you start rsyslog with the -x flag fromhost-ip doesn't get populated (the IP address is in fromhost) David Lang On Mon, 13 Feb 2012, Rainer Gerhards wrote: >> -----Original Message----- >> From: Michael Maymann [mailto:michael at maymann.org] >> Sent: Monday, February 13, 2012 1:25 PM >> To: Rainer Gerhards >> Cc: rsyslog-users >> Subject: Re: rsyslog tarball >> >> Hi, >> >> Rainer: thanks - the fix you send me seems to work...:-) at-least on >> hosts sending its IP... - unfortunately not all legacy syslog clients >> do..:-( ! >> >> I tried to restart syslog again on the host that caused "???" before, >> but I am still unable to find either IP or hostname in the log... >> >> >> is FROMHOST based on: >> 1. dns-lookup of the IP inside the transmitted IP-packet ? >> >> or >> 2. 
dns-lookup of what it states as its IP/hostname inside syslog- >> message ? >> > > Neither. It's just the remote peer (taken from the IP header). It's not taken > from a syslog header field. If you use DNS reverse resolution, it's the name, > else the IP address. > >> >> I would prefer 1., as this would always be right - expect if your in a >> NAT'ed environment... >> Preferably NAT could be auto-detected (could it be: if traffic is >> coming from syslog-server LAN or syslog-server default-GW then the >> client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost >> (nslookup of IPPacketIP) variables could be added and used if it fits >> ones environment... ? > > The best route is to make sure all syslogd'd emit proper RFC3164 or RFC5424 > format and simply use HOSTNAME. (you may also look at [1] for NAT and > non-rsyslog). > > Rainer > [1] http://www.rsyslog.com/article19/ >> >> >> Br. >> ~maymann >> >> >> 2012/2/7 Rainer Gerhards >> >> >> That's a regular log file [in RSYSLOG_DebugForm], showing the log >> messages as >> you received them. That's not a debug log that shows rsyslog >> processing. To >> create the later, do the same procedure that you used to create >> the content >> of your mail I received at 8:43am today. *That* was a debug log. >> Look at the >> content of both of your mails and you will immediately notice the >> difference. >> >> Please also keep the mailing list CCed... >> >> >> Rainer >> >> > -----Original Message----- >> > From: Michael Maymann [mailto:michael at maymann.org] >> >> > Sent: Tuesday, February 07, 2012 10:28 AM >> > To: Rainer Gerhards >> > Subject: Re: rsyslog tarball >> > >> > it states "Debug line with all properties:" all over the >> logfile... >> > Please tell me how to run this thing...? 
>> > >> > ~maymann >> > >> > >> > >> > 2012/2/7 Rainer Gerhards >> > >> > >> > I guess you mistook files: this was not a debug log but a >> logfile >> > ;) >> > >> > rainer >> > >> > >> > > -----Original Message----- >> > > From: Michael Maymann [mailto:michael at maymann.org] >> > >> > > Sent: Tuesday, February 07, 2012 10:22 AM >> > > To: Rainer Gerhards >> > > Cc: david at lang.hm; rsyslog-users >> > > Subject: Re: rsyslog tarball >> > > >> > > Just made a shorter run with same info inside... >> attached... >> > > >> > > ~maymann >> > > >> > > >> > > 2012/2/7 Rainer Gerhards >> > > >> > > >> > > > -----Original Message----- >> > > > From: Michael Maymann >> [mailto:michael at maymann.org] >> > > >> > > > Sent: Tuesday, February 07, 2012 9:46 AM >> > > > To: Rainer Gerhards >> > > > Cc: david at lang.hm; rsyslog-users >> > > > Subject: Re: rsyslog tarball >> > > > >> > > > Hi Rainer, >> > > > >> > > > it is 30Mb - please provide ftp-upload... >> > > >> > > Zipped or plain? If not zipped, you can probably >> compress >> > it by >> > > 90+%. Anyhow, >> > > the FTP server is >> > > >> > > ftp://custservice.adiscon.com/incoming >> > > >> > > user anonymous, password whatever you like >> > > Note that you can only upload, NOT read. Most >> > importantly, you >> > > won't be able >> > > to see the file when the upload is done. >> > > >> > > If you can compress and mail the file, I can >> possibly >> > faster >> > > access it, just >> > > if that's an option. >> > > >> > > Thanks! >> > > Rainer >> > > >> > > >> > > > >> > > > br. 
>> > > > ~maymann >> > > > >> > > > >> > > > 2012/2/7 Rainer Gerhards >> >> > > > >> > > > >> > > > >> > > > >> > > > > -----Original Message----- >> > > > > From: Michael Maymann >> > [mailto:michael at maymann.org] >> > > > > Sent: Tuesday, February 07, 2012 8:43 >> AM >> > > > > To: Rainer Gerhards; david at lang.hm >> > > > > Subject: Re: rsyslog tarball >> > > > > >> > > > > [root at oulog001 log]# /usr/sbin/rsyslogd >> -c 6 -d >> > > > > >> > > > > 9788.497831529:7f639a331700: rsyslogd >> 6.3.7- >> > postexp1 >> > > startup, >> > > > > compatibility mode 6, module path '', >> > cwd:/var/log >> > > > > 9788.497969104:7f639a331700: caller >> requested >> > object >> > > 'net', not >> > > > found >> > > > >> > > > [snip] >> > > > >> > > > Sorry, this debug info does not contain >> any of >> > the >> > > > instrumentation I need (no >> > > > case occurred) I guess you have cut that >> off. >> > Please send >> > > me a >> > > > complete file, >> > > > best as an attachment (working with saved >> mail >> > messages >> > > is far >> > > > less nice :)). >> > > > >> > > > If the debug log is too large to mail, >> please let >> > me >> > > know. I can >> > > > provide an >> > > > anonymous upload-only ftp server in that >> case. >> > > > >> > > > Thanks! 
>> > > > Rainer
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From michael at maymann.org Tue Feb 14 08:46:29 2012
From: michael at maymann.org (Michael Maymann)
Date: Tue, 14 Feb 2012 08:46:29 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
logging their hostname just fine...
If this is taken from the IP-header, all syslog-messages (whether it be
legacy or rsyslog) will report its actual IP in a non-NAT'ed environment.
So this situation wouldn't be possible neither if it is legacy syslog or
rsyslog - am I right ?

Rainer: Are you able to see, from the last debug output I sent you, what is
happening (think I also sent you the hostname/ip of "the problem host"
directly) ?

Br.
~maymann

2012/2/13 Rainer Gerhards

>
> > -----Original Message-----
> > From: Michael Maymann [mailto:michael at maymann.org]
> > Sent: Monday, February 13, 2012 1:25 PM
> > To: Rainer Gerhards
> > Cc: rsyslog-users
> > Subject: Re: rsyslog tarball
> >
> > Hi,
> >
> > Rainer: thanks - the fix you sent me seems to work...:-) at-least on
> > hosts sending its IP... - unfortunately not all legacy syslog clients
> > do..:-( !
> >
> > I tried to restart syslog again on the host that caused "???"
before, > > but I am still unable to find either IP or hostname in the log... > > > > > > is FROMHOST based on: > > 1. dns-lookup of the IP inside the transmitted IP-packet ? > > > > or > > 2. dns-lookup of what it states as its IP/hostname inside syslog- > > message ? > > > > Neither. It's just the remote peer (taken from the IP header). It's not > taken > from a syslog header field. If you use DNS reverse resolution, it's the > name, > else the IP address. > > > > > I would prefer 1., as this would always be right - expect if your in a > > NAT'ed environment... > > Preferably NAT could be auto-detected (could it be: if traffic is > > coming from syslog-server LAN or syslog-server default-GW then the > > client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost > > (nslookup of IPPacketIP) variables could be added and used if it fits > > ones environment... ? > > The best route is to make sure all syslogd'd emit proper RFC3164 or RFC5424 > format and simply use HOSTNAME. (you may also look at [1] for NAT and > non-rsyslog). > > Rainer > [1] http://www.rsyslog.com/article19/ > > > > > > Br. > > ~maymann > > > > > > 2012/2/7 Rainer Gerhards > > > > > > That's a regular log file [in RSYSLOG_DebugForm], showing the log > > messages as > > you received them. That's not a debug log that shows rsyslog > > processing. To > > create the later, do the same procedure that you used to create > > the content > > of your mail I received at 8:43am today. *That* was a debug log. > > Look at the > > content of both of your mails and you will immediately notice the > > difference. > > > > Please also keep the mailing list CCed... > > > > > > Rainer > > > > > -----Original Message----- > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 10:28 AM > > > To: Rainer Gerhards > > > Subject: Re: rsyslog tarball > > > > > > it states "Debug line with all properties:" all over the > > logfile... 
> > > Please tell me how to run this thing...? > > > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > I guess you mistook files: this was not a debug log but a > > logfile > > > ;) > > > > > > rainer > > > > > > > > > > -----Original Message----- > > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, 2012 10:22 AM > > > > To: Rainer Gerhards > > > > Cc: david at lang.hm; rsyslog-users > > > > Subject: Re: rsyslog tarball > > > > > > > > Just made a shorter run with same info inside... > > attached... > > > > > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > -----Original Message----- > > > > > From: Michael Maymann > > [mailto:michael at maymann.org] > > > > > > > > > Sent: Tuesday, February 07, 2012 9:46 AM > > > > > To: Rainer Gerhards > > > > > Cc: david at lang.hm; rsyslog-users > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > Hi Rainer, > > > > > > > > > > it is 30Mb - please provide ftp-upload... > > > > > > > > Zipped or plain? If not zipped, you can probably > > compress > > > it by > > > > 90+%. Anyhow, > > > > the FTP server is > > > > > > > > ftp://custservice.adiscon.com/incoming > > > > > > > > user anonymous, password whatever you like > > > > Note that you can only upload, NOT read. Most > > > importantly, you > > > > won't be able > > > > to see the file when the upload is done. > > > > > > > > If you can compress and mail the file, I can > > possibly > > > faster > > > > access it, just > > > > if that's an option. > > > > > > > > Thanks! > > > > Rainer > > > > > > > > > > > > > > > > > > br. 
> > > > > ~maymann > > > > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Michael Maymann > > > [mailto:michael at maymann.org] > > > > > > Sent: Tuesday, February 07, 2012 8:43 > > AM > > > > > > To: Rainer Gerhards; david at lang.hm > > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > > > [root at oulog001 log]# /usr/sbin/rsyslogd > > -c 6 -d > > > > > > > > > > > > 9788.497831529:7f639a331700: rsyslogd > > 6.3.7- > > > postexp1 > > > > startup, > > > > > > compatibility mode 6, module path '', > > > cwd:/var/log > > > > > > 9788.497969104:7f639a331700: caller > > requested > > > object > > > > 'net', not > > > > > found > > > > > > > > > > [snip] > > > > > > > > > > Sorry, this debug info does not contain > > any of > > > the > > > > > instrumentation I need (no > > > > > case occurred) I guess you have cut that > > off. > > > Please send > > > > me a > > > > > complete file, > > > > > best as an attachment (working with saved > > mail > > > messages > > > > is far > > > > > less nice :)). > > > > > > > > > > If the debug log is too large to mail, > > please let > > > me > > > > know. I can > > > > > provide an > > > > > anonymous upload-only ftp server in that > > case. > > > > > > > > > > Thanks! 
> > > > > Rainer

From david at lang.hm Tue Feb 14 08:52:26 2012
From: david at lang.hm (david at lang.hm)
Date: Mon, 13 Feb 2012 23:52:26 -0800 (PST)
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
Message-ID:

On Tue, 14 Feb 2012, Michael Maymann wrote:

> I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> logging their hostname just fine...
> If this is taken from the IP-header, all syslog-messages (whether it be
> legacy or rsyslog) will report its actual IP in a non-NAT'ed environment.
> So this situation wouldn't be possible neither if it is legacy syslog or
> rsyslog - am I right ?

yes, fromhost-ip is taken from the IP header, so it should record the IP of
any remote machine. If it's not doing so it's a bug.

David Lang

> Rainer: Are you able to see, from the last debug output I sent you, what is
> happening (think I also sent you the hostname/ip of "the problem host"
> directly) ?
>
>
> Br.
> ~maymann
>
> 2012/2/13 Rainer Gerhards
>
>>
>>> -----Original Message-----
>>> From: Michael Maymann [mailto:michael at maymann.org]
>>> Sent: Monday, February 13, 2012 1:25 PM
>>> To: Rainer Gerhards
>>> Cc: rsyslog-users
>>> Subject: Re: rsyslog tarball
>>>
>>> Hi,
>>>
>>> Rainer: thanks - the fix you sent me seems to work...:-) at-least on
>>> hosts sending its IP... - unfortunately not all legacy syslog clients
>>> do..:-( !
>>>
>>> I tried to restart syslog again on the host that caused "???"
before, >>> but I am still unable to find either IP or hostname in the log... >>> >>> >>> is FROMHOST based on: >>> 1. dns-lookup of the IP inside the transmitted IP-packet ? >>> >>> or >>> 2. dns-lookup of what it states as its IP/hostname inside syslog- >>> message ? >>> >> >> Neither. It's just the remote peer (taken from the IP header). It's not >> taken >> from a syslog header field. If you use DNS reverse resolution, it's the >> name, >> else the IP address. >> >>> >>> I would prefer 1., as this would always be right - expect if your in a >>> NAT'ed environment... >>> Preferably NAT could be auto-detected (could it be: if traffic is >>> coming from syslog-server LAN or syslog-server default-GW then the >>> client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost >>> (nslookup of IPPacketIP) variables could be added and used if it fits >>> ones environment... ? >> >> The best route is to make sure all syslogd'd emit proper RFC3164 or RFC5424 >> format and simply use HOSTNAME. (you may also look at [1] for NAT and >> non-rsyslog). >> >> Rainer >> [1] http://www.rsyslog.com/article19/ >>> >>> >>> Br. >>> ~maymann >>> >>> >>> 2012/2/7 Rainer Gerhards >>> >>> >>> That's a regular log file [in RSYSLOG_DebugForm], showing the log >>> messages as >>> you received them. That's not a debug log that shows rsyslog >>> processing. To >>> create the later, do the same procedure that you used to create >>> the content >>> of your mail I received at 8:43am today. *That* was a debug log. >>> Look at the >>> content of both of your mails and you will immediately notice the >>> difference. >>> >>> Please also keep the mailing list CCed... >>> >>> >>> Rainer >>> >>> > -----Original Message----- >>> > From: Michael Maymann [mailto:michael at maymann.org] >>> >>> > Sent: Tuesday, February 07, 2012 10:28 AM >>> > To: Rainer Gerhards >>> > Subject: Re: rsyslog tarball >>> > >>> > it states "Debug line with all properties:" all over the >>> logfile... 
>>> > Please tell me how to run this thing...? >>> > >>> > ~maymann >>> > >>> > >>> > >>> > 2012/2/7 Rainer Gerhards >>> > >>> > >>> > I guess you mistook files: this was not a debug log but a >>> logfile >>> > ;) >>> > >>> > rainer >>> > >>> > >>> > > -----Original Message----- >>> > > From: Michael Maymann [mailto:michael at maymann.org] >>> > >>> > > Sent: Tuesday, February 07, 2012 10:22 AM >>> > > To: Rainer Gerhards >>> > > Cc: david at lang.hm; rsyslog-users >>> > > Subject: Re: rsyslog tarball >>> > > >>> > > Just made a shorter run with same info inside... >>> attached... >>> > > >>> > > ~maymann >>> > > >>> > > >>> > > 2012/2/7 Rainer Gerhards >>> > > >>> > > >>> > > > -----Original Message----- >>> > > > From: Michael Maymann >>> [mailto:michael at maymann.org] >>> > > >>> > > > Sent: Tuesday, February 07, 2012 9:46 AM >>> > > > To: Rainer Gerhards >>> > > > Cc: david at lang.hm; rsyslog-users >>> > > > Subject: Re: rsyslog tarball >>> > > > >>> > > > Hi Rainer, >>> > > > >>> > > > it is 30Mb - please provide ftp-upload... >>> > > >>> > > Zipped or plain? If not zipped, you can probably >>> compress >>> > it by >>> > > 90+%. Anyhow, >>> > > the FTP server is >>> > > >>> > > ftp://custservice.adiscon.com/incoming >>> > > >>> > > user anonymous, password whatever you like >>> > > Note that you can only upload, NOT read. Most >>> > importantly, you >>> > > won't be able >>> > > to see the file when the upload is done. >>> > > >>> > > If you can compress and mail the file, I can >>> possibly >>> > faster >>> > > access it, just >>> > > if that's an option. >>> > > >>> > > Thanks! >>> > > Rainer >>> > > >>> > > >>> > > > >>> > > > br. 
>>> > > > ~maymann >>> > > > >>> > > > >>> > > > 2012/2/7 Rainer Gerhards >>> >>> > > > >>> > > > >>> > > > >>> > > > >>> > > > > -----Original Message----- >>> > > > > From: Michael Maymann >>> > [mailto:michael at maymann.org] >>> > > > > Sent: Tuesday, February 07, 2012 8:43 >>> AM >>> > > > > To: Rainer Gerhards; david at lang.hm >>> > > > > Subject: Re: rsyslog tarball >>> > > > > >>> > > > > [root at oulog001 log]# /usr/sbin/rsyslogd >>> -c 6 -d >>> > > > > >>> > > > > 9788.497831529:7f639a331700: rsyslogd >>> 6.3.7- >>> > postexp1 >>> > > startup, >>> > > > > compatibility mode 6, module path '', >>> > cwd:/var/log >>> > > > > 9788.497969104:7f639a331700: caller >>> requested >>> > object >>> > > 'net', not >>> > > > found >>> > > > >>> > > > [snip] >>> > > > >>> > > > Sorry, this debug info does not contain >>> any of >>> > the >>> > > > instrumentation I need (no >>> > > > case occurred) I guess you have cut that >>> off. >>> > Please send >>> > > me a >>> > > > complete file, >>> > > > best as an attachment (working with saved >>> mail >>> > messages >>> > > is far >>> > > > less nice :)). >>> > > > >>> > > > If the debug log is too large to mail, >>> please let >>> > me >>> > > know. I can >>> > > > provide an >>> > > > anonymous upload-only ftp server in that >>> case. >>> > > > >>> > > > Thanks! 
>>> > > > Rainer
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Tue Feb 14 09:05:04 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 14 Feb 2012 09:05:04 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72818D6@GRFEXC.intern.adiscon.com>

> I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> logging their hostname just fine...
> If this is taken from the IP-header, all syslog-messages (whether it be
> legacy or rsyslog) will report its actual IP in a non-NAT'ed
> environment. So this situation wouldn't be possible neither if it is
> legacy syslog or rsyslog - am I right ?
>
> Rainer: Are you able to see, from the last debug output I sent you,
> what is happening (think I also sent you the hostname/ip of "the
> problem host" directly) ?

I think I didn't get a debug log that shows this problem. At least I have none in my mail archive.

In any case, in order to track this down quickly, I need a debug log where the vast majority of traffic is from a system that doesn't appear to be right. So that I can see which receive is from that system and how it is processed. It is much harder to try to analyze this if there are several hosts and I don't know what to look at.
Note that I am off to the Fedora Developer Conference tomorrow and busy there for the rest of the week. Rainer > > > Br. > ~maymann > > > 2012/2/13 Rainer Gerhards > > > > > -----Original Message----- > > From: Michael Maymann [mailto:michael at maymann.org] > > > Sent: Monday, February 13, 2012 1:25 PM > > To: Rainer Gerhards > > Cc: rsyslog-users > > Subject: Re: rsyslog tarball > > > > > Hi, > > > > Rainer: thanks - the fix you send me seems to work...:-) at- > least on > > hosts sending its IP... - unfortunately not all legacy syslog > clients > > do..:-( ! > > > > I tried to restart syslog again on the host that caused "???" > before, > > but I am still unable to find either IP or hostname in the > log... > > > > > > is FROMHOST based on: > > 1. dns-lookup of the IP inside the transmitted IP-packet ? > > > > or > > 2. dns-lookup of what it states as its IP/hostname inside > syslog- > > message ? > > > > > Neither. It's just the remote peer (taken from the IP header). > It's not taken > from a syslog header field. If you use DNS reverse resolution, > it's the name, > else the IP address. > > > > > > I would prefer 1., as this would always be right - expect if > your in a > > NAT'ed environment... > > Preferably NAT could be auto-detected (could it be: if traffic > is > > coming from syslog-server LAN or syslog-server default-GW then > the > > client is not NAT'ed ?) or alternatively > IPPacketIP/IPPacketFromHost > > (nslookup of IPPacketIP) variables could be added and used if > it fits > > ones environment... ? > > > The best route is to make sure all syslogd'd emit proper RFC3164 > or RFC5424 > format and simply use HOSTNAME. (you may also look at [1] for NAT > and > non-rsyslog). > > Rainer > [1] http://www.rsyslog.com/article19/ > > > > > > > Br. > > ~maymann > > > > > > 2012/2/7 Rainer Gerhards > > > > > > That's a regular log file [in RSYSLOG_DebugForm], showing > the log > > messages as > > you received them. 
That's not a debug log that shows > rsyslog > > processing. To > > create the later, do the same procedure that you used to > create > > the content > > of your mail I received at 8:43am today. *That* was a > debug log. > > Look at the > > content of both of your mails and you will immediately > notice the > > difference. > > > > Please also keep the mailing list CCed... > > > > > > Rainer > > > > > -----Original Message----- > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > Sent: Tuesday, February 07, 2012 10:28 AM > > > To: Rainer Gerhards > > > Subject: Re: rsyslog tarball > > > > > > it states "Debug line with all properties:" all over > the > > logfile... > > > Please tell me how to run this thing...? > > > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > I guess you mistook files: this was not a debug > log but a > > logfile > > > ;) > > > > > > rainer > > > > > > > > > > -----Original Message----- > > > > From: Michael Maymann > [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, 2012 10:22 AM > > > > To: Rainer Gerhards > > > > Cc: david at lang.hm; rsyslog-users > > > > Subject: Re: rsyslog tarball > > > > > > > > Just made a shorter run with same info > inside... > > attached... > > > > > > > > ~maymann > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Michael Maymann > > [mailto:michael at maymann.org] > > > > > > > > > Sent: Tuesday, February 07, 2012 9:46 > AM > > > > > To: Rainer Gerhards > > > > > Cc: david at lang.hm; rsyslog-users > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > Hi Rainer, > > > > > > > > > > it is 30Mb - please provide ftp- > upload... > > > > > > > > Zipped or plain? If not zipped, you can > probably > > compress > > > it by > > > > 90+%. 
Anyhow, > > > > the FTP server is > > > > > > > > ftp://custservice.adiscon.com/incoming > > > > > > > > user anonymous, password whatever you > like > > > > Note that you can only upload, NOT read. > Most > > > importantly, you > > > > won't be able > > > > to see the file when the upload is done. > > > > > > > > If you can compress and mail the file, I > can > > possibly > > > faster > > > > access it, just > > > > if that's an option. > > > > > > > > Thanks! > > > > Rainer > > > > > > > > > > > > > > > > > > br. > > > > > ~maymann > > > > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Michael Maymann > > > [mailto:michael at maymann.org] > > > > > > Sent: Tuesday, February 07, > 2012 8:43 > > AM > > > > > > To: Rainer Gerhards; > david at lang.hm > > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > > > [root at oulog001 log]# > /usr/sbin/rsyslogd > > -c 6 -d > > > > > > > > > > > > 9788.497831529:7f639a331700: > rsyslogd > > 6.3.7- > > > postexp1 > > > > startup, > > > > > > compatibility mode 6, module > path '', > > > cwd:/var/log > > > > > > 9788.497969104:7f639a331700: > caller > > requested > > > object > > > > 'net', not > > > > > found > > > > > > > > > > [snip] > > > > > > > > > > Sorry, this debug info does not > contain > > any of > > > the > > > > > instrumentation I need (no > > > > > case occurred) I guess you have > cut that > > off. > > > Please send > > > > me a > > > > > complete file, > > > > > best as an attachment (working > with saved > > mail > > > messages > > > > is far > > > > > less nice :)). > > > > > > > > > > If the debug log is too large to > mail, > > please let > > > me > > > > know. I can > > > > > provide an > > > > > anonymous upload-only ftp server > in that > > case. > > > > > > > > > > Thanks! 
> > > > > Rainer

From michael at maymann.org Tue Feb 14 10:10:26 2012
From: michael at maymann.org (Michael Maymann)
Date: Tue, 14 Feb 2012 10:10:26 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72818D6@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818D6@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

David: thanks.
Rainer: I will try to install a new rsyslog server with the latest package you sent me. Point my troublesome host to that server and send you the debug log from there...

Br.
~maymann

2012/2/14 Rainer Gerhards

> > I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> > logging their hostname just fine...
> > If this is taken from the IP-header, all syslog-messages (whether it be
> > legacy or rsyslog) will report its actual IP in a non-NAT'ed
> > environment. So this situation wouldn't be possible neither if it is
> > legacy syslog or rsyslog - am I right ?
> >
> > Rainer: Are you able to see, from the last debug output I sent you,
> > what is happening (think I also sent you the hostname/ip of "the
> > problem host" directly) ?
>
> I think I didn't get a debug log that shows this problem. At least I have
> none in my mail archive.
>
> In any case, in order to track this down quickly, I need a debug log where
> the vast majority of traffic is from a system that doesn't appear to be
> right. So that I can see which receive is from that system and how it is
> processed.
It is much harder to try to analyze this is there are several > hosts and I don't know what to look at. Note that I am off to the Fedora > Developer Conference tomorrow and busy there for the rest of the week. > > Rainer > > > > > > Br. > > ~maymann > > > > > > 2012/2/13 Rainer Gerhards > > > > > > > > > -----Original Message----- > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > Sent: Monday, February 13, 2012 1:25 PM > > > To: Rainer Gerhards > > > Cc: rsyslog-users > > > Subject: Re: rsyslog tarball > > > > > > > > Hi, > > > > > > Rainer: thanks - the fix you send me seems to work...:-) at- > > least on > > > hosts sending its IP... - unfortunately not all legacy syslog > > clients > > > do..:-( ! > > > > > > I tried to restart syslog again on the host that caused "???" > > before, > > > but I am still unable to find either IP or hostname in the > > log... > > > > > > > > > is FROMHOST based on: > > > 1. dns-lookup of the IP inside the transmitted IP-packet ? > > > > > > or > > > 2. dns-lookup of what it states as its IP/hostname inside > > syslog- > > > message ? > > > > > > > > > Neither. It's just the remote peer (taken from the IP header). > > It's not taken > > from a syslog header field. If you use DNS reverse resolution, > > it's the name, > > else the IP address. > > > > > > > > > > I would prefer 1., as this would always be right - expect if > > your in a > > > NAT'ed environment... > > > Preferably NAT could be auto-detected (could it be: if traffic > > is > > > coming from syslog-server LAN or syslog-server default-GW then > > the > > > client is not NAT'ed ?) or alternatively > > IPPacketIP/IPPacketFromHost > > > (nslookup of IPPacketIP) variables could be added and used if > > it fits > > > ones environment... ? > > > > > > The best route is to make sure all syslogd'd emit proper RFC3164 > > or RFC5424 > > format and simply use HOSTNAME. (you may also look at [1] for NAT > > and > > non-rsyslog). 
> > > > Rainer > > [1] http://www.rsyslog.com/article19/ > > > > > > > > > > > Br. > > > ~maymann > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > That's a regular log file [in RSYSLOG_DebugForm], showing > > the log > > > messages as > > > you received them. That's not a debug log that shows > > rsyslog > > > processing. To > > > create the later, do the same procedure that you used to > > create > > > the content > > > of your mail I received at 8:43am today. *That* was a > > debug log. > > > Look at the > > > content of both of your mails and you will immediately > > notice the > > > difference. > > > > > > Please also keep the mailing list CCed... > > > > > > > > > Rainer > > > > > > > -----Original Message----- > > > > From: Michael Maymann [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, 2012 10:28 AM > > > > To: Rainer Gerhards > > > > Subject: Re: rsyslog tarball > > > > > > > > it states "Debug line with all properties:" all over > > the > > > logfile... > > > > Please tell me how to run this thing...? > > > > > > > > ~maymann > > > > > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > I guess you mistook files: this was not a debug > > log but a > > > logfile > > > > ;) > > > > > > > > rainer > > > > > > > > > > > > > -----Original Message----- > > > > > From: Michael Maymann > > [mailto:michael at maymann.org] > > > > > > > > > Sent: Tuesday, February 07, 2012 10:22 AM > > > > > To: Rainer Gerhards > > > > > Cc: david at lang.hm; rsyslog-users > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > Just made a shorter run with same info > > inside... > > > attached... 
> > > > > > > > > > ~maymann > > > > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: Michael Maymann > > > [mailto:michael at maymann.org] > > > > > > > > > > > Sent: Tuesday, February 07, 2012 9:46 > > AM > > > > > > To: Rainer Gerhards > > > > > > Cc: david at lang.hm; rsyslog-users > > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > > > Hi Rainer, > > > > > > > > > > > > it is 30Mb - please provide ftp- > > upload... > > > > > > > > > > Zipped or plain? If not zipped, you can > > probably > > > compress > > > > it by > > > > > 90+%. Anyhow, > > > > > the FTP server is > > > > > > > > > > ftp://custservice.adiscon.com/incoming > > > > > > > > > > user anonymous, password whatever you > > like > > > > > Note that you can only upload, NOT read. > > Most > > > > importantly, you > > > > > won't be able > > > > > to see the file when the upload is done. > > > > > > > > > > If you can compress and mail the file, I > > can > > > possibly > > > > faster > > > > > access it, just > > > > > if that's an option. > > > > > > > > > > Thanks! > > > > > Rainer > > > > > > > > > > > > > > > > > > > > > > br. 
> > > > > > ~maymann > > > > > > > > > > > > > > > > > > 2012/2/7 Rainer Gerhards > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: Michael Maymann > > > > [mailto:michael at maymann.org] > > > > > > > Sent: Tuesday, February 07, > > 2012 8:43 > > > AM > > > > > > > To: Rainer Gerhards; > > david at lang.hm > > > > > > > Subject: Re: rsyslog tarball > > > > > > > > > > > > > > [root at oulog001 log]# > > /usr/sbin/rsyslogd > > > -c 6 -d > > > > > > > > > > > > > > 9788.497831529:7f639a331700: > > rsyslogd > > > 6.3.7- > > > > postexp1 > > > > > startup, > > > > > > > compatibility mode 6, module > > path '', > > > > cwd:/var/log > > > > > > > 9788.497969104:7f639a331700: > > caller > > > requested > > > > object > > > > > 'net', not > > > > > > found > > > > > > > > > > > > [snip] > > > > > > > > > > > > Sorry, this debug info does not > > contain > > > any of > > > > the > > > > > > instrumentation I need (no > > > > > > case occurred) I guess you have > > cut that > > > off. > > > > Please send > > > > > me a > > > > > > complete file, > > > > > > best as an attachment (working > > with saved > > > mail > > > > messages > > > > > is far > > > > > > less nice :)). > > > > > > > > > > > > If the debug log is too large to > > mail, > > > please let > > > > me > > > > > know. I can > > > > > > provide an > > > > > > anonymous upload-only ftp server > > in that > > > case. > > > > > > > > > > > > Thanks! 
> > > > > > Rainer

From rgerhards at hq.adiscon.com Tue Feb 14 10:12:38 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 14 Feb 2012 10:12:38 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To:
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com>
 <9B6E2A8877C38245BFB15CC491A11DA72818D6@GRFEXC.intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA72818D7@GRFEXC.intern.adiscon.com>

> -----Original Message-----
> From: Michael Maymann [mailto:michael at maymann.org]
> Sent: Tuesday, February 14, 2012 10:10 AM
> To: Rainer Gerhards
> Cc: rsyslog-users
> Subject: Re: rsyslog tarball
>
> Hi,
>
> David: thanks.
> Rainer: I will try to install a new rsyslog server with the latest
> package you sent me. Point my troublesome host to that server and send
> you the debug log from there...

Thx, that would be great. We have a great opportunity here to finally iron out the cache code :)

Rainer

>
> Br.
> ~maymann
>
>
> 2012/2/14 Rainer Gerhards
>
>
> > I am not behind NAT..., and some hosts (also RHEL5) from same
> VLAN is
> > logging their hostname just fine...
> > If this is taken from the IP-header, all syslog-messages
> (whether it be
> > legacy or rsyslog) will report its actual IP in a non-NAT'ed
> > environment. So this situation wouldn't be possible neither if
> it is
> > legacy syslog or rsyslog - am I right ?
> >
> > Rainer: Are you able to see, from the last debug output I send you,
> > what is happening (think I also send you the hostname/ip of "the
> > problem host" directly) ?
>
> I think I didn't get a debug log that shows this problem. At least I have
> none in my mail archive.
>
> In any case, in order to track this down quickly, I need a debug log where
> the vast majority of traffic is from a system that doesn't appear to be
> right. So that I can see which receive is from that system and how it is
> processed. It is much harder to try to analyze this if there are several
> hosts and I don't know what to look at. Note that I am off to the Fedora
> Developer Conference tomorrow and busy there for the rest of the week.
>
> Rainer
>
> >
> > Br.
> > ~maymann
> >
> >
> > 2012/2/13 Rainer Gerhards
> >
> > > -----Original Message-----
> > > From: Michael Maymann [mailto:michael at maymann.org]
> > > Sent: Monday, February 13, 2012 1:25 PM
> > > To: Rainer Gerhards
> > > Cc: rsyslog-users
> > > Subject: Re: rsyslog tarball
> > >
> > > Hi,
> > >
> > > Rainer: thanks - the fix you send me seems to work...:-) at-least on
> > > hosts sending its IP... - unfortunately not all legacy syslog clients
> > > do..:-( !
> > >
> > > I tried to restart syslog again on the host that caused "???" before,
> > > but I am still unable to find either IP or hostname in the log...
> > >
> > > is FROMHOST based on:
> > > 1. dns-lookup of the IP inside the transmitted IP-packet ?
> > > or
> > > 2. dns-lookup of what it states as its IP/hostname inside syslog-message ?
> >
> > Neither. It's just the remote peer (taken from the IP header). It's not taken
> > from a syslog header field. If you use DNS reverse resolution, it's the name,
> > else the IP address.
> > >
> > > I would prefer 1., as this would always be right - except if you're in a
> > > NAT'ed environment...
> > > Preferably NAT could be auto-detected (could it be: if traffic is
> > > coming from syslog-server LAN or syslog-server default-GW then the
> > > client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
> > > (nslookup of IPPacketIP) variables could be added and used if it fits
> > > one's environment... ?
> >
> > The best route is to make sure all syslogd'd emit proper RFC3164 or RFC5424
> > format and simply use HOSTNAME. (you may also look at [1] for NAT and
> > non-rsyslog).
> >
> > Rainer
> > [1] http://www.rsyslog.com/article19/
> >
> > >
> > > Br.
> > > ~maymann
> > >
> > >
> > > 2012/2/7 Rainer Gerhards
> > >
> > > That's a regular log file [in RSYSLOG_DebugForm], showing the log messages as
> > > you received them. That's not a debug log that shows rsyslog processing. To
> > > create the latter, do the same procedure that you used to create the content
> > > of your mail I received at 8:43am today. *That* was a debug log. Look at the
> > > content of both of your mails and you will immediately notice the difference.
> > >
> > > Please also keep the mailing list CCed...
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > Sent: Tuesday, February 07, 2012 10:28 AM
> > > > To: Rainer Gerhards
> > > > Subject: Re: rsyslog tarball
> > > >
> > > > it states "Debug line with all properties:" all over the logfile...
> > > > Please tell me how to run this thing...?
> > > >
> > > > ~maymann
> > > >
> > > >
> > > > 2012/2/7 Rainer Gerhards
> > > >
> > > > I guess you mistook files: this was not a debug log but a logfile ;)
> > > >
> > > > rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > Sent: Tuesday, February 07, 2012 10:22 AM
> > > > > To: Rainer Gerhards
> > > > > Cc: david at lang.hm; rsyslog-users
> > > > > Subject: Re: rsyslog tarball
> > > > >
> > > > > Just made a shorter run with same info inside... attached...
> > > > >
> > > > > ~maymann
> > > > >
> > > > >
> > > > > 2012/2/7 Rainer Gerhards
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > > Sent: Tuesday, February 07, 2012 9:46 AM
> > > > > > To: Rainer Gerhards
> > > > > > Cc: david at lang.hm; rsyslog-users
> > > > > > Subject: Re: rsyslog tarball
> > > > > >
> > > > > > Hi Rainer,
> > > > > >
> > > > > > it is 30Mb - please provide ftp-upload...
> > > > >
> > > > > Zipped or plain? If not zipped, you can probably compress it by 90+%. Anyhow,
> > > > > the FTP server is
> > > > >
> > > > > ftp://custservice.adiscon.com/incoming
> > > > >
> > > > > user anonymous, password whatever you like
> > > > > Note that you can only upload, NOT read. Most importantly, you won't be able
> > > > > to see the file when the upload is done.
> > > > >
> > > > > If you can compress and mail the file, I can possibly faster access it, just
> > > > > if that's an option.
> > > > >
> > > > > Thanks!
> > > > > Rainer
> > > > >
> > > > > >
> > > > > > br.
> > > > > > ~maymann
> > > > > >
> > > > > >
> > > > > > 2012/2/7 Rainer Gerhards
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > > > Sent: Tuesday, February 07, 2012 8:43 AM
> > > > > > > To: Rainer Gerhards; david at lang.hm
> > > > > > > Subject: Re: rsyslog tarball
> > > > > > >
> > > > > > > [root at oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
> > > > > > >
> > > > > > > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup,
> > > > > > > compatibility mode 6, module path '', cwd:/var/log
> > > > > > > 9788.497969104:7f639a331700: caller requested object 'net', not found
> > > > > >
> > > > > > [snip]
> > > > > >
> > > > > > Sorry, this debug info does not contain any of the instrumentation I need (no
> > > > > > case occurred) I guess you have cut that off. Please send me a complete file,
> > > > > > best as an attachment (working with saved mail messages is far less nice :)).
> > > > > >
> > > > > > If the debug log is too large to mail, please let me know. I can provide an
> > > > > > anonymous upload-only ftp server in that case.
> > > > > >
> > > > > > Thanks!
> > > > > > Rainer

From radu0gheorghe at gmail.com Tue Feb 14 22:03:35 2012
From: radu0gheorghe at gmail.com (Radu Gheorghe)
Date: Tue, 14 Feb 2012 23:03:35 +0200
Subject: [rsyslog] Can't make omelasticsearch work
In-Reply-To: <4F352D57.6050807@illinois.edu>
References: <4F352D57.6050807@illinois.edu>
Message-ID:

2012/2/10 Vlad Grigorescu

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2/10/12 1:13 AM, Radu Gheorghe wrote:
> > $template precise,"%syslogseverity% %timereported:1:19:date-rfc3339%
> > %HOSTNAME% %syslogtag% %msg%\n"
> >
> > :omelasticsearch:;precise
>
> I'm not sure why you're doing this. ElasticSearch expects the messages in
> JSON, and if you don't give omelasticsearch a format, it will default to
> StdJSONFmt. What happens if you remove ';precise'?
>

Hi Vlad,

Sorry for the late reply. Indeed, the template was the problem. So it
worked when I removed it.

My intention was to insert only a subset of data into Elasticsearch. I
assumed rsyslog will automatically make my template JSON, but now I
realize it makes no sense.

So now I know how to do it, the only trouble being escaping quotes. You
know, if there are unescaped quotes in the message it ruins the JSON
format. But I'll find a way to fix this.

Thanks a lot,
Radu

From radu0gheorghe at gmail.com Tue Feb 14 22:14:43 2012
From: radu0gheorghe at gmail.com (Radu Gheorghe)
Date: Tue, 14 Feb 2012 23:14:43 +0200
Subject: [rsyslog] Encrypted receiver
In-Reply-To: <4F359F54.405@ooma.com>
References: <4F359F54.405@ooma.com>
Message-ID:

2012/2/11 Rory Toma

> I am having trouble getting an encrypted receiver to work. I can send to a
> syslog-ng setup just fine, but I can't seem to get it to work with
> rsyslogd. I can see the packets hitting my server, but nothing shows up in
> the log. I probably have a simple error in the config file, but I don't
> know what it is.
>
> thx
>
> Here is my client file:
>
> $DefaultNetStreamDriverCAFile /etc/ca.pem
>
> $DefaultNetStreamDriver gtls
> $ActionSendStreamDriverMode 1
> $ActionSendStreamDriverAuthMode anon
>
> $ActionQueueDequeueBatchSize 256
> $ActionQueueDequeueSlowdown 1000
>
> $ActionSendTCPRebindInterval 5
>
> $WorkDirectory /var/log
>
> $ModLoad imuxsock
> $SystemLogSocketName /var/log/log
> $OptimizeForUniprocessor on
>
> *.* @@syslogserver:110
>
>
> Here is my receiver file:
>
> $DefaultNetstreamDriverCAFile /export/tls/ca.pem
> $DefaultNetstreamDriverCertFile /export/tls/cert.pem
> $DefaultNetstreamDriverKeyFile /export/tls/key.pem
>
> $DefaultNetstreamDriver gtls
>
> $ModLoad imtcp
> $ModLoad imuxsock
> $ModLoad omprog
>
> $PreserveFQDN on
>
> $WorkDirectory /var/rsyslog
> $ActionQueueType LinkedList
> $ActionQueueFileName rsyslog-fwd
> $ActionResumeRetryCount -1
> $ActionQueueSaveOnShutdown on
> $ActionQueueMaxDiskSpace 1000m
>
> $SystemLogSocketName /var/rsyslog/log
>
> $InputTCPServerStreamDriverMode 1
> $InputTCPServerStreamDriverAuthMode anon
> $InputTCPServerRun 111
>
> $template Ooma,"%HOSTNAME% %$now% %TIMESTAMP% %msg%"
> #$actionomprogbinary /mongodb/tools/syslog/myxlog-import.pl
> $actionomprogbinary /tmp/test-import.pl
>
> #*.* :omprog:
> *.* /var/rsyslog/foo
>
>

Hi Rory,

Is it because you are sending to port 110 on the server:

*.* @@syslogserver:110

But listening on 111?

$InputTCPServerRun 111

Best regards,
Radu

From reader at newsguy.com Fri Feb 17 01:53:24 2012
From: reader at newsguy.com (Harry Putnam)
Date: Thu, 16 Feb 2012 19:53:24 -0500
Subject: [rsyslog] Is this compile error just a missing pkg
Message-ID: <87fweai8l7.fsf@newsguy.com>

Compiling rsyslog-5.8.7 on gentoo linux, the build ends with an error
involving a missing gcrypt.h file.

Hope it's not too jumbled up by mail encoding. But you can see the
last line about gcrypt.h: No such file or directory.

Anyone know what it means

[...]
missing-format-attribute -c -o lmnsd_ptcp_la-nsdsel_ptcp.lo `test -f 'nsdsel_ptcp.c' || echo './'`nsdsel_ptcp.
c
CC lmnsd_ptcp_la-nsdpoll_ptcp.lo
/bin/sh ../libtool --silent --tag=CC --mode=compile i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I.. -pthread
-I../runtime -I.. -O2 -march=i686 -pipe -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -W
missing-format-attribute -c -o lmnsd_ptcp_la-nsdpoll_ptcp.lo `test -f 'nsdpoll_ptcp.c' || echo './'`nsdpoll_pt
cp.c
CC lmnsd_gtls_la-nsd_gtls.lo
/bin/sh ../libtool --silent --tag=CC --mode=compile i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I.. -pthread
-I../runtime -I.. -O2 -march=i686 -pipe -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -
Wmissing-format-attribute -c -o lmnsd_gtls_la-nsd_gtls.lo `test -f 'nsd_gtls.c' || echo './'`nsd_gtls.c
nsd_gtls.c:32:20: fatal error: gcrypt.h: No such file or directory
compilation terminated.

[...]

From david at lang.hm Fri Feb 17 02:21:07 2012
From: david at lang.hm (david at lang.hm)
Date: Thu, 16 Feb 2012 17:21:07 -0800 (PST)
Subject: [rsyslog] Is this compile error just a missing pkg
In-Reply-To: <87fweai8l7.fsf@newsguy.com>
References: <87fweai8l7.fsf@newsguy.com>
Message-ID:

It means that there is a missing dependency on some package

going to the debian package content tool (packages.debian.org), debian
has this file in a package libgcrypt11-dev

I don't know what package name gentoo would use for this, but look
for libgcrypt or similar

If you have it installed, it could be that the rsyslog build is
looking in the wrong place, see if you have gcrypt.h anywhere on your
system.

David Lang

On Thu, 16 Feb 2012, Harry Putnam wrote:

> Compiling rsyslog-5.8.7 on gentoo linux, the build ends with an error
> involving a missing gcrypt.h file.
>
> Hope its not too jumbled up by mail encoding. But you can see the
> last line about gcrypt.h: No such file or directory.
>
> Anyone know what it means
>
>
> [...]
>
> missing-format-attribute -c -o lmnsd_ptcp_la-nsdsel_ptcp.lo `test -f 'nsdsel_ptcp.c' || echo './'`nsdsel_ptcp.
> c
> CC lmnsd_ptcp_la-nsdpoll_ptcp.lo
> /bin/sh ../libtool --silent --tag=CC --mode=compile i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I.. -pthread
> -I../runtime -I.. -O2 -march=i686 -pipe -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -W
> missing-format-attribute -c -o lmnsd_ptcp_la-nsdpoll_ptcp.lo `test -f 'nsdpoll_ptcp.c' || echo './'`nsdpoll_pt
> cp.c
> CC lmnsd_gtls_la-nsd_gtls.lo
> /bin/sh ../libtool --silent --tag=CC --mode=compile i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I.. -pthread
> -I../runtime -I.. -O2 -march=i686 -pipe -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -
> Wmissing-format-attribute -c -o lmnsd_gtls_la-nsd_gtls.lo `test -f 'nsd_gtls.c' || echo './'`nsd_gtls.c
> nsd_gtls.c:32:20: fatal error: gcrypt.h: No such file or directory
> compilation terminated.
>
> [...]
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From reader at newsguy.com Sat Feb 18 15:48:05 2012
From: reader at newsguy.com (Harry Putnam)
Date: Sat, 18 Feb 2012 09:48:05 -0500
Subject: [rsyslog] Is this compile error just a missing pkg
References: <87fweai8l7.fsf@newsguy.com>
Message-ID: <87boowi4ey.fsf@newsguy.com>

david at lang.hm writes:

> going to the debian package content tool (packages.debian.org), debian
> has this file in a package libgcrypt11-dev
>
> I don't know what package name gentoo would use for this, but look
> for libgcrypt or similar
>
> If you have it installed, it could be that the rsyslog build is
> looking in the wrong place, see if you have gcrypt.h anywhere on your
> system.

This is for a gentoo system and I found a similar named package,
installed it and now rsyslog compiles smoothly... thanks.
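
An added illustration for the omelasticsearch thread above (written for this archive, not code from any poster or from rsyslog): Radu Gheorghe notes that unescaped quotes in the message ruin a hand-written JSON template. The sketch fills such a template with and without JSON string escaping and checks whether the result still parses; the JSON field names, the sample record and the sample messages are constructed.

```python
import json

# Constructed sample messages (not from the thread): what %msg% might contain.
SAMPLE_MSGS = [
    "session opened for user root",        # nothing to escape
    'denied: user "bob" from 10.0.0.5',    # double quotes
    "path C:\\temp\\x.log rotated",        # backslashes
    "line one\nline two\ttabbed",          # control characters
]

# Hypothetical JSON keys for the five properties of the "precise" template.
FIELDS = ("severity", "timestamp", "host", "tag", "message")


def json_escape(text):
    """Escape text for use inside a JSON string literal (RFC 8259, section 7)."""
    short = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
             "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    out = []
    for ch in text:
        if ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            # Remaining control characters have no short form.
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def make_record(msg):
    """Constructed property values; the timestamp is 19 characters of RFC 3339."""
    return {"severity": "6", "timestamp": "2012-02-14T23:03:35",
            "host": "web01", "tag": "app[4242]:", "message": msg}


def render(record, escape):
    """Fill a hand-written JSON template the way a custom template would:
    each value is pasted between double quotes, escaped only on request."""
    fix = json_escape if escape else (lambda s: s)
    body = ", ".join('"%s": "%s"' % (k, fix(record[k])) for k in FIELDS)
    return "{" + body + "}"


def survives(msg, escape):
    """True if the rendered document parses and the message round-trips intact."""
    try:
        doc = json.loads(render(make_record(msg), escape))
    except ValueError:
        return False
    return doc["message"] == msg


def report():
    """One (message, naive_ok, escaped_ok) tuple per sample message."""
    return [(m, survives(m, False), survives(m, True)) for m in SAMPLE_MSGS]


if __name__ == "__main__":
    for msg, naive_ok, escaped_ok in report():
        print("%-40r naive=%-5s escaped=%s" % (msg, naive_ok, escaped_ok))
```

Only the first sample survives the unescaped template; a receiver that expects JSON would reject the other three documents, so those events would be lost from the index.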
From marcin at mejor.pl Mon Feb 20 12:07:20 2012
From: marcin at mejor.pl (Marcin Mirosław)
Date: Mon, 20 Feb 2012 12:07:20 +0100
Subject: [rsyslog] Correct syntax for :omusrmsg: module
Message-ID: <4F422968.5060407@mejor.pl>

Hello!
When I have an active line as below:

*.emerg :omusrmsg:*

rsyslogd throws "rsyslogd: warning: selector line without actions will
be discarded". I'm using rsyslogd from git (compiled today).

Regards,
Marcin

From jpoling at moody.edu Mon Feb 20 15:43:28 2012
From: jpoling at moody.edu (Jeff Poling)
Date: Mon, 20 Feb 2012 08:43:28 -0600
Subject: [rsyslog] Log Storm
Message-ID: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu>

I am kind of at the end of my rope on this one, so I thought I would ask
the community. I don't have a lot of information, but last week we had an
incident on our rsyslog collector system. Essentially, the disk space in
the file system where we keep the log files filled up. The rsyslog spool
area filled up as well. What seemed to cause this were several systems
that began logging excessively - 30+ GB log files within minutes.

I was able to add some disk space and stop rsyslog on systems that were
problematic; however, I simply cannot tell why the incident happened.

Has anyone seen this type of behavior with rsyslog? On our collector
system we are running v. 5.8.5. We are still migrating our client systems
to 5.8.5 so most of them are still at 5.4.0 of rsyslog.

Any experiences or insight is greatly appreciated.

Thanks,

Jeff

Jeffrey Poling
System Administrator | Information Systems
Moody Bible Institute
820 N. LaSalle Blvd., Chicago, IL 60610
312-329-8968
www.moodyministries.net
From the Word. To Life.

From radu0gheorghe at gmail.com Mon Feb 20 16:50:37 2012
From: radu0gheorghe at gmail.com (Radu Gheorghe)
Date: Mon, 20 Feb 2012 17:50:37 +0200
Subject: [rsyslog] Log Storm
In-Reply-To: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu>
References: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu>
Message-ID:

Hi Jeff,

How do the "excessive logs" look like? Are they garbage, or duplicates of
"normal" logs?

Best regards,
Radu

2012/2/20 Jeff Poling

> I am kind of at the end of my rope on this one, so I thought I would ask
> the community. I don't have a lot of information, but last week we had an
> incident on our rsyslog collector system. Essentially, the disk space in
> the file system where we keep the log files filled up. The rsyslog spool
> area filled up as well. What seemed to cause this were several systems
> that began logging excessively - 30+ GB log files within minutes.
>
> I was able to add some disk space and stop rsyslog on systems that were
> problematic; however, I simply cannot tell why the incident happened.
>
> Has anyone seen this type of behavior with rsyslog? On our collector
> system we are running v. 5.8.5. We are still migrating our client systems
> to 5.8.5 so most of them are still at 5.4.0 of rsyslog.
>
> Any experiences or insight is greatly appreciated.
>
> Thanks,
>
> Jeff
>
> Jeffrey Poling
> System Administrator | Information Systems
> Moody Bible Institute
> 820 N. LaSalle Blvd., Chicago, IL 60610
> 312-329-8968
> www.moodyministries.net
> From the Word. To Life.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From jpoling at moody.edu Mon Feb 20 18:14:00 2012
From: jpoling at moody.edu (Jeff Poling)
Date: Mon, 20 Feb 2012 11:14:00 -0600
Subject: [rsyslog] Log Storm
In-Reply-To:
References: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu>
Message-ID: <9599A350A0A5884DB4E50D83F9287D0F05AB80AFDC@exchmbx01.moody.edu>

Seems to be duplicates of normal logs. I saved a couple of the logs and
they include entries all from the same time down to the seconds.

Jeff

Jeffrey Poling
System Administrator | Information Systems
Moody Bible Institute
820 N. LaSalle Blvd., Chicago, IL 60610
312-329-8968
www.moodyministries.net
From the Word. To Life.

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghe
> Sent: Monday, February 20, 2012 9:51 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Log Storm
>
> Hi Jeff,
>
> How do the "excessive logs" look like? Are they garbage, or duplicates of
> "normal" logs?
>
> Best regards,
> Radu
>
> 2012/2/20 Jeff Poling
>
> > I am kind of at the end of my rope on this one, so I thought I would
> > ask the community. I don't have a lot of information, but last week
> > we had an incident on our rsyslog collector system. Essentially, the
> > disk space in the file system where we keep the log files filled up.
> > The rsyslog spool area filled up as well. What seemed to cause this
> > were several systems that began logging excessively - 30+ GB log files within minutes.
> >
> > I was able to add some disk space and stop rsyslog on systems that
> > were problematic; however, I simply cannot tell why the incident happened.
> >
> > Has anyone seen this type of behavior with rsyslog? On our collector
> > system we are running v. 5.8.5.
We are still migrating our client
> > systems to 5.8.5 so most of them are still at 5.4.0 of rsyslog.
> >
> > Any experiences or insight is greatly appreciated.
> >
> > Thanks,
> >
> > Jeff
> >
> > Jeffrey Poling
> > System Administrator | Information Systems Moody Bible Institute
> > 820 N. LaSalle Blvd., Chicago, IL 60610
> > 312-329-8968
> > www.moodyministries.net
> > From the Word. To Life.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From david at lang.hm Tue Feb 21 00:36:57 2012
From: david at lang.hm (david at lang.hm)
Date: Mon, 20 Feb 2012 15:36:57 -0800 (PST)
Subject: [rsyslog] Log Storm
In-Reply-To: <9599A350A0A5884DB4E50D83F9287D0F05AB80AFDC@exchmbx01.moody.edu>
References: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu>
 <9599A350A0A5884DB4E50D83F9287D0F05AB80AFDC@exchmbx01.moody.edu>
Message-ID:

are you sure the sender didn't send you duplicate logs?

the only type of thing that I can think of that would cause this on the
receiver side is if you have an action that started to fail, in that case
I think that rsyslog is going to retry (and depending on your retry and
throttling limits, it may do so a LOT)

David Lang

On Mon, 20 Feb 2012, Jeff Poling wrote:

> Seems to be duplicates of normal logs. I saved a couple of the logs and they include entries all from the same time down to the seconds.
>
> Jeff
>
> Jeffrey Poling
> System Administrator | Information Systems
> Moody Bible Institute
> 820 N. LaSalle Blvd., Chicago, IL 60610
> 312-329-8968
> www.moodyministries.net
> From the Word. To Life.
>
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghe
>> Sent: Monday, February 20, 2012 9:51 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Log Storm
>>
>> Hi Jeff,
>>
>> How do the "excessive logs" look like? Are they garbage, or duplicates of
>> "normal" logs?
>>
>> Best regards,
>> Radu
>>
>> 2012/2/20 Jeff Poling
>>
>>> I am kind of at the end of my rope on this one, so I thought I would
>>> ask the community. I don't have a lot of information, but last week
>>> we had an incident on our rsyslog collector system. Essentially, the
>>> disk space in the file system where we keep the log files filled up.
>>> The rsyslog spool area filled up as well. What seemed to cause this
>>> were several systems that began logging excessively - 30+ GB log files
>> within minutes.
>>>
>>> I was able to add some disk space and stop rsyslog on systems that
>>> were problematic; however, I simply cannot tell why the incident
>> happened.
>>>
>>> Has anyone seen this type of behavior with rsyslog? On our collector
>>> system we are running v. 5.8.5. We are still migrating our client
>>> systems to 5.8.5 so most of them are still at 5.4.0 of rsyslog.
>>>
>>> Any experiences or insight is greatly appreciated.
>>>
>>> Thanks,
>>>
>>> Jeff
>>>
>>> Jeffrey Poling
>>> System Administrator | Information Systems Moody Bible Institute
>>> 820 N. LaSalle Blvd., Chicago, IL 60610
>>> 312-329-8968
>>> www.moodyministries.net
>>> From the Word. To Life.
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
>

From rgerhards at hq.adiscon.com Tue Feb 21 08:34:41 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 21 Feb 2012 08:34:41 +0100
Subject: [rsyslog] Log Storm
In-Reply-To:
References: <9599A350A0A5884DB4E50D83F9287D0F05AB80AF49@exchmbx01.moody.edu><9599A350A0A5884DB4E50D83F9287D0F05AB80AFDC@exchmbx01.moody.edu>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728191A@GRFEXC.intern.adiscon.com>

One thing that came to my mind is imfile. I know that we had issues with
some older version that continued to send data ever and ever again under
some circumstances. Was fixed half a year to a year ago, the ChangeLog
should tell you the exact version.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Tuesday, February 21, 2012 12:37 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Log Storm
>
> are you sure the sender didn't send you duplicate logs?
>
> the only type of thing that I can think of that would cause this on the
> receiver side is if you have an action that started to fail, in that case
> I think that rsyslog is going to retry (and depending on your retry and
> throttling limits, it may do so a LOT)
>
> David Lang
>
> On Mon, 20 Feb 2012, Jeff Poling wrote:
>
> > Seems to be duplicates of normal logs. I saved a couple of the logs
> > and they include entries all from the same time down to the seconds.
> >
> > Jeff
> >
> > Jeffrey Poling
> > System Administrator | Information Systems
> > Moody Bible Institute
> > 820 N. LaSalle Blvd., Chicago, IL 60610
> > 312-329-8968
> > www.moodyministries.net
> > From the Word. To Life.
> >
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghe
> >> Sent: Monday, February 20, 2012 9:51 AM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Log Storm
> >>
> >> Hi Jeff,
> >>
> >> How do the "excessive logs" look like? Are they garbage, or duplicates of
> >> "normal" logs?
> >>
> >> Best regards,
> >> Radu
> >>
> >> 2012/2/20 Jeff Poling
> >>
> >>> I am kind of at the end of my rope on this one, so I thought I would
> >>> ask the community. I don't have a lot of information, but last week
> >>> we had an incident on our rsyslog collector system. Essentially, the
> >>> disk space in the file system where we keep the log files filled up.
> >>> The rsyslog spool area filled up as well. What seemed to cause this
> >>> were several systems that began logging excessively - 30+ GB log files
> >> within minutes.
> >>>
> >>> I was able to add some disk space and stop rsyslog on systems that
> >>> were problematic; however, I simply cannot tell why the incident
> >> happened.
> >>>
> >>> Has anyone seen this type of behavior with rsyslog? On our collector
> >>> system we are running v. 5.8.5. We are still migrating our client
> >>> systems to 5.8.5 so most of them are still at 5.4.0 of rsyslog.
> >>>
> >>> Any experiences or insight is greatly appreciated.
> >>>
> >>> Thanks,
> >>>
> >>> Jeff
> >>>
> >>> Jeffrey Poling
> >>> System Administrator | Information Systems Moody Bible Institute
> >>> 820 N. LaSalle Blvd., Chicago, IL 60610
> >>> 312-329-8968
> >>> www.moodyministries.net
> >>> From the Word. To Life.
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From rgerhards at hq.adiscon.com Tue Feb 21 16:03:09 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 21 Feb 2012 16:03:09 +0100
Subject: [rsyslog] FYI: structured logging
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281924@GRFEXC.intern.adiscon.com>

Hi all,

just a quick info: the Fedora Developer Conference last week was a big
success, we have some very good ideas on structured logging. It were not
only the Red Hat people around but also the syslog-ng guys and MITRE.
While the journal folks did not express any interest in coordinating with
the effort, we are sufficiently sure to have something very decent. More
announcements will follow within the next two weeks.

I have begun to implement some of the ideas and reached a first
milestone. For more and background, please check this blog entry:

http://blog.gerhards.net/2012/02/parsing-json-enhanced-syslog.html

This week I will probably be mostly focused on new things, next week I'll
probably start switching between bug fixing and new development again.

Rainer

From david at lang.hm Tue Feb 21 23:28:20 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 21 Feb 2012 14:28:20 -0800 (PST)
Subject: [rsyslog] build problems on debian 5
Message-ID:

building libee, libestr, and liblognorm I was unable to run autoreconf -fvi
because I get an error message about an undefined macro AM_SILENT_RULES

I did a quick google search and found someone who recommended adding a line
to configure.ac to define it

m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])

this seems to work.

In addition, libestr was unhappy that I didn't have a install-sh in the path,
creating a link to /usr/bin/install works (it had to be install-sh, if I
made the link install.sh it complained that that is obsolete and should not
be used)

David Lang

From david at lang.hm Tue Feb 21 23:36:37 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 21 Feb 2012 14:36:37 -0800 (PST)
Subject: [rsyslog] build problems on debian 5
In-Reply-To:
References:
Message-ID:

rsyslog configure didn't detect that I was missing yacc on my system.

David Lang

On Tue, 21 Feb 2012, david at lang.hm wrote:

> Date: Tue, 21 Feb 2012 14:28:20 -0800 (PST)
> From: david at lang.hm
> To: rsyslog-users
> Subject: build problems on debian 5
>
> building libee, libestr, and liblognorm I was unable to run autoreconf -fvi
> because I get an error message about an undefined macro AM_SILENT_RULES
>
> I did a quick google search and found someone who recommended adding a line
> to configure.ac to define it
>
> m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])
>
> this seems to work.
>
> In addition, libestr was unhappy that I didn't have a install-sh in the path,
> creating a link to /usr/bin/install works (it had to be install-sh, if I
> made the link install.sh it complained that that is obsolete and should not
> be used)
>
> David Lang
>

From david at lang.hm Tue Feb 21 23:59:02 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 21 Feb 2012 14:59:02 -0800 (PST)
Subject: [rsyslog] rsyslog build error
Message-ID:

building 6.3.7 on debian 5

I was able to build 6.2.0 without a problem

David Lang

make[2]: Leaving directory `/usr/src/rsyslog/runtime'
Making all in grammar
make[2]: Entering directory `/usr/src/rsyslog/grammar'
/bin/sh ../ylwrap grammar.y y.tab.c grammar.c y.tab.h grammar.h y.output grammar.output -- bison -y -d
updating grammar.h
make all-am
make[3]: Entering directory `/usr/src/rsyslog/grammar'
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../runtime -I.. -I../grammar -g -O2 -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -Wmissing-format-attribute -g -MT libgrammar_la-grammar.lo -MD -MP -MF .deps/libgrammar_la-grammar.Tpo -c -o libgrammar_la-grammar.lo `test -f 'grammar.c' || echo './'`grammar.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I.. -I../runtime -I..
-I../grammar -g -O2 -W -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -Wmissing-format-attribute -g -MT libgrammar_la-grammar.lo -MD -MP -MF .deps/libgrammar_la-grammar.Tpo -c grammar.c -fPIC -DPIC -o .libs/libgrammar_la-grammar.o
mv -f .deps/libgrammar_la-grammar.Tpo .deps/libgrammar_la-grammar.Plo
/bin/sh ../ylwrap lexer.l .c lexer.c -- :
make[3]: *** [lexer.c] Error 1
make[3]: Leaving directory `/usr/src/rsyslog/grammar'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/src/rsyslog/grammar'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/rsyslog'
make: *** [all] Error 2
secdev:/usr/src/rsyslog#

From mbiebl at gmail.com Wed Feb 22 00:05:31 2012
From: mbiebl at gmail.com (Michael Biebl)
Date: Wed, 22 Feb 2012 00:05:31 +0100
Subject: [rsyslog] build problems on debian 5
In-Reply-To:
References:
Message-ID:

On 21 February 2012 at 23:28, wrote:
> building libee, libestr, and liblognorm I was unable to run autoreconf -fvi
> because I get an error message about an undefined macro AM_SILENT_RULES
>
> I did a quick google search and found someone who recommended adding a line
> to configure.ac to define it
>
> m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])
>
> this seems to work.

rsyslog already contains

m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])

which should take care of that.
Or was that failure not in rsyslog?

An alternative idea would be to just bump the minimum required version
of automake to 1.11.

Given that security support ended for Debian 5, you should upgrade anyway :-)

Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

From david at lang.hm Wed Feb 22 00:09:48 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 21 Feb 2012 15:09:48 -0800 (PST)
Subject: [rsyslog] build problems on debian 5
In-Reply-To:
References:
Message-ID:

On Wed, 22 Feb 2012, Michael Biebl wrote:

> On 21 February 2012 at 23:28, wrote:
>> building libee, libestr, and liblognorm I was unable to run autoreconf -fvi
>> because I get an error message about an undefined macro AM_SILENT_RULES
>>
>> I did a quick google search and found someone who recommended adding a line
>> to configure.ac to define it
>>
>> m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])
>>
>> this seems to work.
>
> rsyslog already contains
>
> m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
>
> which should take care of that.
> Or was that failure not in rsyslog?

the failures were in libee, libestr, and liblognorm

> An alternative idea would be to just bump the minimum required version
> of automake to 1.11.

for such a simple 'fix', I think it's better to add the ifndef rather than
require a newer automake

> Given that security support ended for Debian 5, you should upgrade anyway :-)

I will, but such an upgrade takes time.

David Lang

From rodney.mckee at gmail.com Wed Feb 22 03:29:42 2012
From: rodney.mckee at gmail.com (Rodney McKee)
Date: Wed, 22 Feb 2012 13:29:42 +1100 (EST)
Subject: [rsyslog] howto anonymise logs
In-Reply-To: <9a599099-be50-413c-86db-4ac80fa5af80@wsrmckee>
Message-ID:

Hello,

I'm wondering if it is possible to anonymise email addresses in a log
using rsyslog. I've had a read through the mmnormalize plugin but we are
currently only running 5.8.5 and not > 6.1.2 and it looks to need logging
to a DB which we do not do.

I'd like to effectively search for any email address in a log line and
replace it with something like anonymised_data at anonymised_data.
Yes I know that the regex for a valid email is insane but I'm looking to
start with something simple.
Rgds
Rodney

From david at lang.hm Wed Feb 22 07:08:50 2012
From: david at lang.hm (david at lang.hm)
Date: Tue, 21 Feb 2012 22:08:50 -0800 (PST)
Subject: [rsyslog] howto anonymise logs
In-Reply-To:
References:
Message-ID:

On Wed, 22 Feb 2012, Rodney McKee wrote:

> Hello,
>
> I'm wondering if it is possible to anonymise email addresses in a log using rsyslog. I've had a read through the mmnormalize plugin but we are currently only running 5.8.5 and not > 6.1.2 and it looks to need logging to a DB which we do not do.
>
> I'd like to effectively search for any email address in a log line and replace it with something like anonymised_data at anonymised_data.
> Yes I know that the regex for a valid email is insane but I'm looking to start with something simple.

well, assuming that you can get a regex you are happy with, and assuming
that there is only one e-mail per line of logs, I would look at doing
something along the lines of a custom template that for the message part
was something like

(regex match for the part before the e-mail address)dummy at address(regex match for the part after the e-mail address)

you really may be better off doing this in a separate program, do
something like have rsyslog write the log to a temporary location, then
run it through sed to 'fix' e-mail addresses and put the result in the
final location.

David Lang

From victor.lu at citi.com Wed Feb 22 20:17:34 2012
From: victor.lu at citi.com (Lu, Victor )
Date: Wed, 22 Feb 2012 13:17:34 -0600
Subject: [rsyslog] Persistent connections from client
Message-ID: <35B12B7283BF44478AFA717323EE52951D0AFB6241@extxmb32.nam.nsroot.net>

Hi,

Any idea why the tcp communication from rsyslog client to rsyslog collector is persistent? I found for each selector rule it will have one connection to the collector. The collector will have too many TCP connections to handle. It will be a problem for large scale deployment.

Is there any way to configure so that the TCP connections will not be persistent?
Thanks in advance
Victor

From david at lang.hm Thu Feb 23 02:01:03 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 22 Feb 2012 17:01:03 -0800 (PST)
Subject: [rsyslog] Persistent connections from client
In-Reply-To: <35B12B7283BF44478AFA717323EE52951D0AFB6241@extxmb32.nam.nsroot.net>
References: <35B12B7283BF44478AFA717323EE52951D0AFB6241@extxmb32.nam.nsroot.net>
Message-ID:

On Wed, 22 Feb 2012, Lu, Victor wrote:

> Hi,
>
> Any idea why the tcp communication from rsyslog client to rsyslog
> collector is persistent? I found for each selector rule it will have one
> connection to the collector. The collector will have too many TCP
> connections to handle. It will be a problem for large scale deployment.
>
> Is there any way to configure so that the TCP connections will not be persistent?
>
> Thanks in advance

This is normal behavior to avoid the overhead of establishing the
connections for each message.

Why are you thinking that this is a problem? it should be simple enough to
allow tens of thousands of connections to a single machine. The ulimit on
your OS may default to something much lower, but that should be an easy
thing to change. Yes, each connection eats a little memory, but compared
to the overhead of processing the logs from that many machines, it should
be trivial.

I don't believe that there is any way to have it not keep the connection
open.

David Lang

From cmccraw at newrelic.com Thu Feb 23 02:42:56 2012
From: cmccraw at newrelic.com (Chris McCraw)
Date: Wed, 22 Feb 2012 17:42:56 -0800
Subject: [rsyslog] DNS lookups in rsyslog v5
Message-ID:

Hi list,

Longtime user, first time optimizer of rsyslog. Here's my situation:

We just upgraded a machine that gets a ridiculous amount of log
traffic from one IP (our load balancer)--firehose levels, hundreds of
MB/minute. This machine also takes logs of a few dozen low-traffic
servers on the same subnet. With the upgrade from v4.6.2 to v5.8.5,
we gained UDP Multiruleset binding, yay!
We've moved all of our
logging via the firehose from TCP to UDP, because the TCP logging was
very fragile and would simply stop if the rsyslog restart for log
rotation took a microsecond too long.

Logging works great. Our nameserver load shot way up, because it
seems our TCP-only 4.6.2 setup was not doing a DNS lookup for every
message...yet using the same file (with the addition of the UDP
ruleset binding) with v5.8.5 and -c5 instead of -c4 on the command
line for rsyslog has changed the lookup behavior of rsyslog, and named
is spinning constantly, presumably on the same host name.

Any pointers to the docs on how to mitigate this? We're open to any
number of solutions (hopefully not including upgrading to v6)--put all
hostnames in /etc/hosts, for instance. Since the firehose is all
bound to specific files anyway, those logs don't even need DNS
lookups--we know exactly where they come from. We don't want to turn
off DNS entirely if we can avoid it, but we could partition into
"normal port 514 tcp traffic gets lookups and other port UDP traffic
doesn't". I'm guessing there is more than one way to do this =)

Thanks for your advice!

From david at lang.hm Thu Feb 23 02:49:54 2012
From: david at lang.hm (david at lang.hm)
Date: Wed, 22 Feb 2012 17:49:54 -0800 (PST)
Subject: [rsyslog] DNS lookups in rsyslog v5
In-Reply-To:
References:
Message-ID:

On Wed, 22 Feb 2012, Chris McCraw wrote:

> Hi list,
>
> Longtime user, first time optimizer of rsyslog. Here's my situation:
>
> We just upgraded a machine that gets a ridiculous amount of log
> traffic from one IP (our load balancer)--firehose levels, hundreds of
> MB/minute. This machine also takes logs of a few dozen low-traffic
> servers on the same subnet. With the upgrade from v4.6.2 to v5.8.5,
> we gained UDP Multiruleset binding, yay!
We've moved all of our
> logging via the firehose from TCP to UDP, because the TCP logging was
> very fragile and would simply stop if the rsyslog restart for log
> rotation took a microsecond too long.
>
> Logging works great. Our nameserver load shot way up, because it
> seems our TCP-only 4.6.2 setup was not doing a DNS lookup for every
> message...yet using the same file (with the addition of the UDP
> ruleset binding) with v5.8.5 and -c5 instead of -c4 on the command
> line for rsyslog has changed the lookup behavior of rsyslog, and named
> is spinning constantly, presumably on the same host name.
>
> Any pointers to the docs on how to mitigate this? We're open to any
> number of solutions (hopefully not including upgrading to v6)--put all
> hostnames in /etc/hosts, for instance. Since the firehose is all
> bound to specific files anyway, those logs don't even need DNS
> lookups--we know exactly where they come from. We don't want to turn
> off DNS entirely if we can avoid it, but we could partition into
> "normal port 514 tcp traffic gets lookups and other port UDP traffic
> doesn't". I'm guessing there is more than one way to do this =)

Unfortunately in v5 it's all or nothing, -x will disable DNS lookups
entirely. It does have a little bit of caching so that it won't lookup the
same IP again and again, but that doesn't help a lot if you have a bunch
of active sources.

putting the names in /etc/hosts will help, but there's still a very
significant amount of time spent doing the lookup, even if everything is
local.

version 6.3 has a full DNS cache.

other than that, consider running two copies of rsyslog, one with DNS
disabled and one with it enabled. you don't even need to forward from one
to the other in your case.
David Lang

From rgerhards at hq.adiscon.com Sat Feb 25 18:05:39 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sat, 25 Feb 2012 18:05:39 +0100
Subject: [rsyslog] build problems on debian 5
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728195E@GRFEXC.intern.adiscon.com>

> the failures were in libee, libestr, and liblognorm
>
> > An alternative idea would be to just bump the minimum required version
> > of automake to 1.11.
>
> for such a simple 'fix', I think it's better to add the ifndef rather than
> require a newer automake

This was an oversight. I just added the necessary check to all three
projects. It's in git, don't intend to release just for that reason...

Thanks everyone,
Rainer

From rgerhards at hq.adiscon.com Sat Feb 25 18:07:18 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sat, 25 Feb 2012 18:07:18 +0100
Subject: [rsyslog] rsyslog build error
In-Reply-To:
References:
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA728195F@GRFEXC.intern.adiscon.com>

This looks like a problem with flex/bison, but I have to admit I don't see
any message that points me to where the problem could be...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Tuesday, February 21, 2012 11:59 PM
> To: rsyslog-users
> Subject: [rsyslog] rsyslog build error
>
> building 6.3.7 on debian 5
>
> I was able to build 6.2.0 without a problem
>
> David Lang
>
> make[2]: Leaving directory `/usr/src/rsyslog/runtime'
> Making all in grammar
> make[2]: Entering directory `/usr/src/rsyslog/grammar'
> /bin/sh ../ylwrap grammar.y y.tab.c grammar.c y.tab.h grammar.h
> y.output grammar.output -- bison -y -d
> updating grammar.h
> make all-am
> make[3]: Entering directory `/usr/src/rsyslog/grammar'
> /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -
> I.. -I../runtime -I.. -I../grammar -g -O2 -W -Wall -Wformat-security
> -Wshadow -Wcast-align -Wpointer-arith -Wmissing-format-attribute -g -MT
> libgrammar_la-grammar.lo -MD -MP -MF .deps/libgrammar_la-grammar.Tpo -c
> -o libgrammar_la-grammar.lo `test -f 'grammar.c' || echo './'`grammar.c
> mkdir .libs
> gcc -DHAVE_CONFIG_H -I. -I.. -I../runtime -I.. -I../grammar -g -O2 -W
> -Wall -Wformat-security -Wshadow -Wcast-align -Wpointer-arith -
> Wmissing-format-attribute -g -MT libgrammar_la-grammar.lo -MD -MP -MF
> .deps/libgrammar_la-grammar.Tpo -c grammar.c -fPIC -DPIC -o
> .libs/libgrammar_la-grammar.o
> mv -f .deps/libgrammar_la-grammar.Tpo .deps/libgrammar_la-grammar.Plo
> /bin/sh ../ylwrap lexer.l .c lexer.c -- :
> make[3]: *** [lexer.c] Error 1
> make[3]: Leaving directory `/usr/src/rsyslog/grammar'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/usr/src/rsyslog/grammar'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/src/rsyslog'
> make: *** [all] Error 2
> secdev:/usr/src/rsyslog#
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/

From david at lang.hm Sun Feb 26 01:35:14 2012
From: david at lang.hm (david at lang.hm)
Date: Sat, 25 Feb 2012 16:35:14 -0800 (PST)
Subject: [rsyslog] rsyslog build error
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA728195F@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA728195F@GRFEXC.intern.adiscon.com>
Message-ID:

do you have any modified version for me to test?

David Lang

On Sat, 25 Feb 2012, Rainer Gerhards wrote:

> This looks like a problem with flex/bison, but I have to admit I don't see
> any message that points me to where the problem could be...
>
> Rainer

From rgerhards at hq.adiscon.com Sun Feb 26 10:05:07 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sun, 26 Feb 2012 10:05:07 +0100
Subject: [rsyslog] rsyslog build error
Message-ID: <000101ccf465$b2575659$100013ac@intern.adiscon.com>

Unfortunately not, as I do not know what the problem is. I should setup a debian 5, but it is extremely busy right now with stuff from the fedora devconf, which I would hate to lose momentum.

Rainer

"david at lang.hm" wrote:
do you have any modified version for me to test?

David Lang

From david at lang.hm Sun Feb 26 10:51:25 2012
From: david at lang.hm (david at lang.hm)
Date: Sun, 26 Feb 2012 01:51:25 -0800 (PST)
Subject: [rsyslog] rsyslog build error
In-Reply-To: <000101ccf465$b2575659$100013ac@intern.adiscon.com>
References: <000101ccf465$b2575659$100013ac@intern.adiscon.com>
Message-ID:

Ok, I'll just stick with 6.2 for now.

David Lang

On Sun, 26 Feb 2012, Rainer Gerhards wrote:

> Date: Sun, 26 Feb 2012 10:05:07 +0100
> From: Rainer Gerhards
> Reply-To: rsyslog-users
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] rsyslog build error
>
> Unfortunately not, as I do not know what the problem is. I should setup a debian 5, but it is extremely busy right now with stuff from the fedora devconf, which I would hate to lose momentum.
>
> Rainer

From rgerhards at hq.adiscon.com Sun Feb 26 17:13:40 2012
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Sun, 26 Feb 2012 17:13:40 +0100
Subject: [rsyslog] rsyslog build error
In-Reply-To:
References: <000101ccf465$b2575659$100013ac@intern.adiscon.com>
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7281965@GRFEXC.intern.adiscon.com>

I've setup a current Debian 5 as a side-activity and run into exactly the
same issue you do. It looks like a script ylwrap was not generated by
autotools (or it exists somewhere but does not report any real error message).
Quick web search did not bring a solution but many of the same error messages.

Long story short: I have no idea on how to fix this on Debian 5. Seems not to
be related to rsyslog but rather the build system there, which seems to have
problems with flex/bison :(

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Sunday, February 26, 2012 10:51 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog build error
>
> Ok, I'll just stick with 6.2 for now.
>
> David Lang

From jerome.renard at gmail.com Mon Feb 27 17:13:58 2012
From: jerome.renard at gmail.com (Jerome Renard)
Date: Mon, 27 Feb 2012 17:13:58 +0100
Subject: [rsyslog] Port based filtering
Message-ID:

Hi,

I have an Rsyslog instance which listens on several ports.

I would like to do port based filtering.
For example I would like to
say "if $from-port == 1234 then do thus"

I read the documentation page which lists available properties [1] but
found none which exposes the port
number. So I have the feeling I can not do port based filtering, am I
correct or did I overlook something ?

If I can not do port based filtering, is it possible to prepend the
InputTCPServerRun port in the syslog message so I
can process it in an output module ?

Thanks in advance for your feedback.

Best Regards,

1. http://www.rsyslog.com/doc/property_replacer.html

--
Jérôme Renard

From david at lang.hm Mon Feb 27 20:34:35 2012
From: david at lang.hm (david at lang.hm)
Date: Mon, 27 Feb 2012 11:34:35 -0800 (PST)
Subject: [rsyslog] Port based filtering
In-Reply-To:
References:
Message-ID:

On Mon, 27 Feb 2012, Jerome Renard wrote:

> Hi,
>
> I have an Rsyslog instance which listens on several ports.
>
> I would like to do port based filtering. For example I would like to
> say "if $from-port == 1234 then do thus"
>
> I read the documentation page which lists available properties [1] but
> found none which exposes the port
> number. So I have the feeling I can not do port based filtering, am I
> correct or did I overlook something ?
>
> If I can not do port based filtering, is it possible to prepend the
> InputTCPServerRun port in the syslog message so I
> can process it in an output module ?

you can't do that, but I think you can use rulesets to do what you are
wanting. define a separate ruleset for each listening port and put the
rules for that port inside that ruleset.
David Lang

From michael at maymann.org Mon Feb 27 20:57:19 2012
From: michael at maymann.org (Michael Maymann)
Date: Mon, 27 Feb 2012 20:57:19 +0100
Subject: [rsyslog] rsyslog tarball
In-Reply-To: <9B6E2A8877C38245BFB15CC491A11DA72818D7@GRFEXC.intern.adiscon.com>
References: <9B6E2A8877C38245BFB15CC491A11DA70107AC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281870@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281873@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281876@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA7281877@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72818CC@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72818D6@GRFEXC.intern.adiscon.com> <9B6E2A8877C38245BFB15CC491A11DA72818D7@GRFEXC.intern.adiscon.com>
Message-ID:

Hi,

Rainer: send you the new debug log outside list.
Please let me know if I can do anything more to solve this.

Thanks in advance :-) !
~maymann

2012/2/14 Rainer Gerhards

> > -----Original Message-----
> > From: Michael Maymann [mailto:michael at maymann.org]
> > Sent: Tuesday, February 14, 2012 10:10 AM
> > To: Rainer Gerhards
> > Cc: rsyslog-users
> > Subject: Re: rsyslog tarball
> >
> > Hi,
> >
> > David: thanks.
> > Rainer: I will try to install a new rsyslog server with the latest
> > package you send me. Point my troublesome host to that server and send
> > you the debug log from there...
>
> Thx, that would be great. We have a great opportunity here to finally iron
> out the cache code :)
>
> Rainer
> >
> > Br.
> > ~maymann
> >
> >
> > 2012/2/14 Rainer Gerhards
> >
> >
> > > I am not behind NAT..., and some hosts (also RHEL5) from same VLAN is
> > > logging their hostname just fine...
> > > If this is taken from the IP-header, all syslog-messages (whether it be
> > > legacy or rsyslog) will report its actual IP in a non-NAT'ed
> > > environment.
So this situation wouldn't be possible neither if it is
> > > legacy syslog or rsyslog - am I right ?
> > >
> > > Rainer: Are you able to see, from the last debug output I send you,
> > > what is happening (think I also send you the hostname/ip of "the
> > > problem host" directly) ?
> >
> >
> > I think I didn't get a debug log that shows this problem. At least I have
> > none in my mail archive.
> >
> > In any case, in order to track this down quickly, I need a debug log where
> > the vast majority of traffic is from a system that doesn't appear to be
> > right. So that I can see which receive is from that system and how it is
> > processed. It is much harder to try to analyze this if there are several
> > hosts and I don't know what to look at. Note that I am off to the Fedora
> > Developer Conference tomorrow and busy there for the rest of the week.
> >
> > Rainer
> >
> > >
> > >
> > > Br.
> > > ~maymann
> > >
> > >
> > > 2012/2/13 Rainer Gerhards
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > Sent: Monday, February 13, 2012 1:25 PM
> > > > To: Rainer Gerhards
> > > > Cc: rsyslog-users
> > > > Subject: Re: rsyslog tarball
> > > >
> > > > Hi,
> > > >
> > > > Rainer: thanks - the fix you send me seems to work...:-) at-least on
> > > > hosts sending its IP... - unfortunately not all legacy syslog clients
> > > > do..:-( !
> > > >
> > > > I tried to restart syslog again on the host that caused "???" before,
> > > > but I am still unable to find either IP or hostname in the log...
> > > >
> > > >
> > > > is FROMHOST based on:
> > > > 1. dns-lookup of the IP inside the transmitted IP-packet ?
> > > >
> > > > or
> > > > 2. dns-lookup of what it states as its IP/hostname inside syslog-message ?
> > > >
> > >
> > >
> > > Neither.
> > > It's just the remote peer (taken from the IP header). It's not taken
> > > from a syslog header field. If you use DNS reverse resolution, it's the name,
> > > else the IP address.
> > > >
> > > > I would prefer 1., as this would always be right - except if you're in a
> > > > NAT'ed environment...
> > > > Preferably NAT could be auto-detected (could it be: if traffic is
> > > > coming from syslog-server LAN or syslog-server default-GW then the
> > > > client is not NAT'ed ?) or alternatively IPPacketIP/IPPacketFromHost
> > > > (nslookup of IPPacketIP) variables could be added and used if it fits
> > > > one's environment... ?
> > >
> > > The best route is to make sure all syslogd's emit proper RFC3164 or RFC5424
> > > format and simply use HOSTNAME. (you may also look at [1] for NAT and
> > > non-rsyslog).
> > >
> > > Rainer
> > > [1] http://www.rsyslog.com/article19/
> > > >
> > > > Br.
> > > > ~maymann
> > > >
> > > > 2012/2/7 Rainer Gerhards
> > > >
> > > > That's a regular log file [in RSYSLOG_DebugForm], showing the log messages as
> > > > you received them. That's not a debug log that shows rsyslog processing. To
> > > > create the latter, do the same procedure that you used to create the content
> > > > of your mail I received at 8:43am today. *That* was a debug log. Look at the
> > > > content of both of your mails and you will immediately notice the
> > > > difference.
> > > >
> > > > Please also keep the mailing list CCed...
> > > >
> > > > Rainer
> > > > >
> > > > > -----Original Message-----
> > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > Sent: Tuesday, February 07, 2012 10:28 AM
> > > > > To: Rainer Gerhards
> > > > > Subject: Re: rsyslog tarball
> > > > >
> > > > > it states "Debug line with all properties:" all over the logfile...
> > > > > Please tell me how to run this thing...?
> > > > >
> > > > > ~maymann
> > > > >
> > > > > 2012/2/7 Rainer Gerhards
> > > > >
> > > > > I guess you mistook files: this was not a debug log but a logfile ;)
> > > > >
> > > > > rainer
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > > Sent: Tuesday, February 07, 2012 10:22 AM
> > > > > > To: Rainer Gerhards
> > > > > > Cc: david at lang.hm; rsyslog-users
> > > > > > Subject: Re: rsyslog tarball
> > > > > >
> > > > > > Just made a shorter run with same info inside... attached...
> > > > > >
> > > > > > ~maymann
> > > > > >
> > > > > > 2012/2/7 Rainer Gerhards
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > > > Sent: Tuesday, February 07, 2012 9:46 AM
> > > > > > > To: Rainer Gerhards
> > > > > > > Cc: david at lang.hm; rsyslog-users
> > > > > > > Subject: Re: rsyslog tarball
> > > > > > >
> > > > > > > Hi Rainer,
> > > > > > >
> > > > > > > it is 30Mb - please provide ftp-upload...
> > > > > >
> > > > > > Zipped or plain? If not zipped, you can probably compress it by 90+%.
> > > > > > Anyhow, the FTP server is
> > > > > >
> > > > > > ftp://custservice.adiscon.com/incoming
> > > > > >
> > > > > > user anonymous, password whatever you like
> > > > > > Note that you can only upload, NOT read. Most importantly, you won't be able
> > > > > > to see the file when the upload is done.
> > > > > >
> > > > > > If you can compress and mail the file, I can possibly faster access it, just
> > > > > > if that's an option.
> > > > > >
> > > > > > Thanks!
> > > > > > Rainer
> > > > > > >
> > > > > > > br.
> > > > > > > ~maymann
> > > > > > >
> > > > > > > 2012/2/7 Rainer Gerhards
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Michael Maymann [mailto:michael at maymann.org]
> > > > > > > > Sent: Tuesday, February 07, 2012 8:43 AM
> > > > > > > > To: Rainer Gerhards; david at lang.hm
> > > > > > > > Subject: Re: rsyslog tarball
> > > > > > > >
> > > > > > > > [root at oulog001 log]# /usr/sbin/rsyslogd -c 6 -d
> > > > > > > > 9788.497831529:7f639a331700: rsyslogd 6.3.7-postexp1 startup,
> > > > > > > > compatibility mode 6, module path '', cwd:/var/log
> > > > > > > > 9788.497969104:7f639a331700: caller requested object 'net', not found
> > > > > > >
> > > > > > > [snip]
> > > > > > >
> > > > > > > Sorry, this debug info does not contain any of the instrumentation I need (no
> > > > > > > case occurred) I guess you have cut that off.
> > > > > > > Please send me a complete file,
> > > > > > > best as an attachment (working with saved mail messages is far
> > > > > > > less nice :)).
> > > > > > >
> > > > > > > If the debug log is too large to mail, please let me know. I can provide an
> > > > > > > anonymous upload-only ftp server in that case.
> > > > > > >
> > > > > > > Thanks!
> > > > > > > Rainer

From cmccraw at newrelic.com Mon Feb 27 20:58:13 2012
From: cmccraw at newrelic.com (Chris McCraw)
Date: Mon, 27 Feb 2012 11:58:13 -0800
Subject: [rsyslog] Port based filtering
In-Reply-To:
References:
Message-ID:

On Mon, Feb 27, 2012 at 11:34 AM, wrote:
> you can't do that, but I think you can use rulesets to do what you are
> wanting. define a separate ruleset for each listening port and put the rules
> for that port inside that ruleset.

Yup, we use rulesets to do exactly that. We even have tcp and udp set
up on the same port bound to different rulesets, because we're crazy
that way =)

From jerome.renard at gmail.com Mon Feb 27 21:00:33 2012
From: jerome.renard at gmail.com (Jerome Renard)
Date: Mon, 27 Feb 2012 21:00:33 +0100
Subject: [rsyslog] Port based filtering
In-Reply-To:
References:
Message-ID:

On Mon, Feb 27, 2012 at 8:58 PM, Chris McCraw wrote:
> On Mon, Feb 27, 2012 at 11:34 AM, wrote:
>
>> you can't do that, but I think you can use rulesets to do what you are
>> wanting. define a separate ruleset for each listening port and put the rules
>> for that port inside that ruleset.
>
> Yup, we use rulesets to do exactly that. We even have tcp and udp set
> up on the same port bound to different rulesets, because we're crazy
> that way =)

Thanks a lot for your feedback.
Best Regards,

--
Jérôme Renard

From david.donchez at smartjog.com Wed Feb 29 17:25:43 2012
From: david.donchez at smartjog.com (David Donchez)
Date: Wed, 29 Feb 2012 17:25:43 +0100
Subject: [rsyslog] Rsyslog - isempty filter
Message-ID: <4F4E5187.4000502@smartjog.com>

Hi all,

I'm currently checking the website and I see this feature:

isempty
Checks if the property is empty. The value is discarded. This is
especially useful when working with normalized data, where some fields
may be populated based on normalization result. Available since 6.6.2.

on page: http://www.rsyslog.com/doc/rsyslog_conf_filter.html

But I haven't seen any version tagged 6.6.2 in the download section. I have
tried rsyslog-6.2, but it doesn't seem to work.

Does anyone know in which version this option is available?

Thanks for feedback.
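
The per-port rulesets suggested in the "Port based filtering" replies above, written out as an added example that is not part of any message in this archive. It uses the same legacy directive style as the rsyslog.conf posted earlier; port 10514, the ruleset and template names, and the /var/log/remote paths are assumptions.

```conf
# Added example, not from the thread. Port 10514, the ruleset names and
# the /var/log/remote paths are assumptions.
$ModLoad imtcp
$ModLoad imudp

# Templates are global, so define them before switching rulesets.
$template TcpPerHost,"/var/log/remote/tcp/%FROMHOST%.log"
$template UdpPerHost,"/var/log/remote/udp/%FROMHOST%.log"

# Rules that apply only to messages received on the TCP listener.
$RuleSet tcp10514
authpriv.*   /var/log/remote/tcp/secure.log
*.*          ?TcpPerHost

# Rules that apply only to messages received on the UDP listener.
$RuleSet udp10514
*.*          ?UdpPerHost

# Bind each listener to its ruleset. The bind directive has to appear
# before the directive that starts the listener it applies to.
$InputTCPServerBindRuleset tcp10514
$InputTCPServerRun 10514

$InputUDPServerBindRuleset udp10514
$UDPServerRun 10514

# Switch back, so the rules below see local messages only and
# remote traffic never lands in the local files.
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
```

Running `rsyslogd -N1 -f` against the file checks the configuration without starting the daemon.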