• ubuntu 14.4 (LTS)
  • rsyslog via ppa


I had the need to use the new ability to create a JSON templates and send them over to a remote host. That's why I jumped from the default rsyslog to the latest stable version.

With the following Template, I send over all my Syslog messages to a local running logstash.

$PreserveFQDN on

         option.json="on") {
             constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
             constant(value="\",\"message\":\"")     property(name="msg")
             constant(value="\",\"host\":\"")        property(name="hostname")
             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
             constant(value="\",\"programname\":\"") property(name="programname")
             constant(value="\",\"procid\":\"")      property(name="procid")

*.* @;ls_json

I had blindly updated to the latest Version of rsyslog (8.20) without looking at any release notes and the only messages I was left with told me:

action 'action 15' resumed (module 'builtin:omfile') [v8.20.0 try http://www.rsyslog.com/e/2359 ]

The number used in action changed - but all other stay the same. Searching all known rsyslog resources (Github, Wiki, Forum, Mailinglist archive) did not give me a hint what is wrong.

Finally, I took a look at the release notes and found something. Changes to the Modul that was named in the message:

  • bugfix omfile: handle chown() failure correctly If the file creation succeeds, but chown() failed, the file was still writen, even if the user requested that this should be treated as a failure case. This is corrected now. Also, some refactoring was done to create better error messages.
  • omfile now better conveys status of unwritable files back to core

I remembered the Settings in my /etc/rsyslog.conf

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

Double checked the owner of the log files and noticed that most of them belong to root. Changed the owner of all files that are written in my configuration to syslog and boom the annoying message was gone.