Environment
- Ubuntu 14.4 (LTS)
- rsyslog via ppa
Story
I needed to use the new ability to create JSON templates and send them over to a remote host. That's why I jumped from the default rsyslog to the latest stable version.
With the following template, I send all my syslog messages to a locally running Logstash.
$PreserveFQDN on
template(name="ls_json"
         type="list"
         option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"host\":\"") property(name="hostname")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"programname\":\"") property(name="programname")
    constant(value="\",\"procid\":\"") property(name="procid")
    constant(value="\"}\n")
}
*.* @127.0.0.1:5514;ls_json
I had blindly updated to the latest version of rsyslog (8.20) without looking at any release notes, and the only messages I was left with told me:
action 'action 15' resumed (module 'builtin:omfile') [v8.20.0 try http://www.rsyslog.com/e/2359 ]
The number used in the action changed, but everything else stayed the same. Searching all known rsyslog resources (GitHub, wiki, forum, mailing list archive) did not give me a hint about what was wrong.
Finally, I took a look at the release notes and found something: changes to the module that was named in the message:
- bugfix omfile: handle chown() failure correctly
  If the file creation succeeds, but chown() failed, the file was
  still written, even if the user requested that this should be treated
  as a failure case. This is corrected now.
  Also, some refactoring was done to create better error messages.
- omfile now better conveys status of unwritable files back to core
I remembered the settings in my /etc/rsyslog.conf:
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
I double-checked the owner of the log files and noticed that most of them belong to root. I changed the owner of all files that are written in my configuration to syslog, and boom, the annoying message was gone.
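
The ownership check described above can be scripted. This is an added example, not part of the original post: it reads `$PrivDropToUser` from the given config files and lists every file target whose owner differs from that user. It assumes legacy `selector  /path` rule lines and GNU `stat`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find omfile targets that the privilege-dropped rsyslog
# user does not own. Assumes legacy selector lines and GNU stat.

# Print the user named by the last $PrivDropToUser directive.
privdrop_user() {
    awk 'tolower($1) == "$privdroptouser" { u = $2 }
         END { if (u != "") print u }' "$@"
}

# Print file targets of legacy selector lines; a leading "-" (no sync)
# is stripped, remote (@host) and other non-file actions are skipped.
omfile_targets() {
    awk '$1 !~ /^[#$]/ && NF >= 2 {
             t = $2; sub(/^-/, "", t)
             if (t ~ /^\//) print t
         }' "$@" | sort -u
}

# Print "path owner=X expected=Y" for each existing target with the wrong
# owner. Status: 0 = all match, 1 = mismatch found, 2 = no $PrivDropToUser.
check_rsyslog_owners() {
    user=$(privdrop_user "$@")
    [ -n "$user" ] || { echo "no \$PrivDropToUser found" >&2; return 2; }
    omfile_targets "$@" | (
        rc=0
        while IFS= read -r f; do
            [ -e "$f" ] || continue
            owner=$(stat -c '%U' "$f")
            if [ "$owner" != "$user" ]; then
                echo "$f owner=$owner expected=$user"
                rc=1
            fi
        done
        exit "$rc"
    )
}
```

After sourcing the file, run `check_rsyslog_owners /etc/rsyslog.conf /etc/rsyslog.d/*.conf` before upgrading; any line it prints is a file that omfile will fail to write once privileges are dropped.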