I see you're trying to send data to Splunk and thus probably want the
files readable by the user running the Universal Forwarder.
Instead of writing files locally you can send them straight to a HEC input
using the omhttp module (which gives you additional flexibility, since
you can dynamically overwrite the metadata on the fly).
But anyway, if your rsyslogd doesn't start, check with "rsyslogd -N1"
where the problem in your config is (you can give a config filename with
the -f option if you're not using the standard /etc/rsyslog.conf).
MK
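The omhttp route MK mentions, written out as an added example (this is not MK's
config, not the poster's, and not copied from the rsyslog project): UDP syslog
received on 514 is shipped straight to a Splunk HEC endpoint instead of being
written to files for the Universal Forwarder. The HEC host, port, token
placeholder, sourcetype, error-file path and queue name are all assumptions.
One practitioner caveat: omhttp is a newer module than the rsyslog 8.24
that RHEL 7.9 ships, so confirm the module file is actually installed
(ls /usr/lib64/rsyslog/omhttp.so) and that "rsyslogd -N1" accepts the
config before relying on it.

```rsyslog
# Added example, not the original poster's configuration.
# Assumptions: Splunk HEC listens at splunk-hec.example.net:8088 over TLS,
# the token below is a placeholder, and this rsyslog build includes omhttp
# (not the case for the stock 8.24.0 on RHEL 7; check before deploying).
module(load="imudp")
module(load="omhttp")
input(type="imudp" port="514" ruleset="to_splunk")

# One HEC event per syslog message. The json property option escapes
# quotes, backslashes and control characters, so a crafted log line cannot
# break out of the "event" string and supply its own host or sourcetype.
# This is the "overwrite the metadata on the fly" part: host comes from the
# syslog header, not from the collector's own hostname.
template(name="hec_event" type="string"
         string="{\"time\":%timereported:::date-unixtimestamp%,\"host\":\"%hostname:::json%\",\"sourcetype\":\"syslog\",\"event\":\"%msg:::json%\"}")

ruleset(name="to_splunk") {
    action(type="omhttp"
           server="splunk-hec.example.net"
           serverport="8088"
           restpath="services/collector/event"
           usehttps="on"
           httpheaderkey="Authorization"
           httpheadervalue="Splunk 00000000-0000-0000-0000-000000000000"
           template="hec_event"
           # newline-delimited batches are what the HEC event endpoint accepts
           batch="on"
           batch.format="newline"
           batch.maxsize="100"
           # keep failed payloads for inspection instead of silently dropping them
           errorfile="/var/log/rsyslog-hec-errors.log"
           # retry forever and spool to disk so a HEC outage does not lose events
           action.resumeRetryCount="-1"
           queue.type="LinkedList"
           queue.filename="hec_q"
           queue.saveOnShutdown="on")
}
```

Keep the token out of a world-readable rsyslog.conf (mode 0600, root-owned) since
anyone who can read it can inject arbitrary events into the index, and validate
the whole file with "rsyslogd -N1 -f /path/to/rsyslog.conf" before restarting.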
On 15.04.2024 15:59, warron.french via rsyslog wrote:
To David, Mariusz, and Attila: here is my attempt to provide the syntax
(again). I am thinking you might not have received it because it came in
image form before.
Snippets of my Rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
########## UDG-specific; Start
# $ModLoad omfile; Wfrench; 28FEB2024; does not work, error 3003
module(load="builtin:omfile")
$CreateDirs on
$DirCreateMode 0700
#$dirGroup root
#$dirOwner root
$FileCreateMode 0600
#$FileGroup splunk
#$FileOwner root
########## UDG-specific; End
############### Syntax with Templates and Conditionals needed #################
################## TEMPLATES #############################
$template CATC,"/var/log/remote/%HOSTNAME%.log"
$template SECU,"/var/log/remote/%HOSTNAME%/secure"
$template MESG,"/var/log/remote/%HOSTNAME%/messages"
#################### CONDITIONALS ########################
if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
    authpriv.*                                  -?SECU
    *.info;mail.none;authpriv.none;cron.none    -?MESG
    & stop
} else if ( $fromhost contains 'i42tskvm' ) then {
    *.*    -?MESG
    stop
} else {
    *.*    /var/log/messages
    stop
}
#
####### End all Custom Directives to support TGS Rsyslog forwarding to MNTR01 in support of CDP-initiative
I am not permitted to provide the entire Rsyslog Configuration, but we are
not using /etc/rsyslog.d/ files at all, we do not have any files in there.
--------------------------
Warron French
On Mon, Apr 15, 2024 at 9:53 AM warron.french <warron.fre...@gmail.com>
wrote:
Did you not see the full config? I provided it as an image. Was the
image blocked at your end, from being received?
--------------------------
Warron French
On Sat, Apr 6, 2024 at 3:04 AM David Lang via rsyslog <
rsyslog@lists.adiscon.com> wrote:
it's common for rsyslog configs to drop privileges, and if it does so, it
can't then make use of those privileges to open files as other users, etc.
This is why we need to see the full config, and any files included.
David Lang
On Sat, 6 Apr 2024, Mariusz Kruk via rsyslog wrote:
Also remember that in a Linux system (quoting man 2 chown):
Only a privileged process (Linux: one with the CAP_CHOWN capability)
may change the owner of a file. The owner of a file may change the
group of the file to any group of which that owner is a member. A
privileged process (Linux: with CAP_CHOWN) may change the group
arbitrarily.
So if your rsyslogd is an unprivileged process (it does not have
CAP_CHOWN granted explicitly and it does not run as the root user), you
won't be able to create files as a different user.
MK
On 6.04.2024 07:20, David Lang via rsyslog wrote:
if you are using the action() syntax, you set the ownership as part of
the action.
if you post your full config (including included files) we can better
guess what's wrong with it.
David Lang
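What "set the ownership as part of the action" looks like in practice, as an
added example that is not David's, the poster's, or the rsyslog project's own
text: the poster's SECU/MESG templates rewritten with omfile's action()
parameters. The group name splunk, the two 172.20.245.x addresses and the
i42tskvm host substring are taken from the thread; the 0640/0750 modes are
assumptions. Two deliberate changes from the posted config are worth noting:
the addresses are compared with == rather than startswith/contains, because
startswith '172.20.245.5' also admits 172.20.245.50 through .59 into the
trusted branch, and the directory mode is 0750 rather than 0700, because a
group-owned file inside a 0700 root-owned directory is still unreachable for
the Universal Forwarder user.

```rsyslog
# Added example, not the original poster's configuration.
# Assumptions: group "splunk" exists on the collector (rsyslog refuses the
# config otherwise), and rsyslogd keeps CAP_CHOWN, i.e. the config contains
# no $PrivDropToUser / $PrivDropToGroup; once privileges are dropped the
# fileOwner/fileGroup/dirOwner/dirGroup parameters below cannot take effect.
module(load="imudp")
input(type="imudp" port="514")
module(load="builtin:omfile")

template(name="SECU" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/remote/%HOSTNAME%/messages")

# Exact matches: startswith "172.20.245.5" would also match 172.20.245.50-59.
if ($fromhost-ip == "172.20.245.5" or $fromhost-ip == "172.20.245.101") then {
    # Ownership and modes are per action, so the secure log can be locked
    # down differently from messages if needed. 0750/0640 let the splunk
    # group traverse the per-host directory and read, but not write, the file.
    authpriv.* action(type="omfile" dynaFile="SECU"
                      createDirs="on" dirOwner="root" dirGroup="splunk" dirCreateMode="0750"
                      fileOwner="root" fileGroup="splunk" fileCreateMode="0640")
    *.info;mail.none;authpriv.none;cron.none action(type="omfile" dynaFile="MESG"
                      createDirs="on" dirOwner="root" dirGroup="splunk" dirCreateMode="0750"
                      fileOwner="root" fileGroup="splunk" fileCreateMode="0640")
    stop
} else if ($fromhost contains "i42tskvm") then {
    *.* action(type="omfile" dynaFile="MESG"
               createDirs="on" dirOwner="root" dirGroup="splunk" dirCreateMode="0750"
               fileOwner="root" fileGroup="splunk" fileCreateMode="0640")
    stop
} else {
    # Untrusted senders: plain root-owned local file, nothing exposed to splunk.
    *.* action(type="omfile" file="/var/log/messages")
    stop
}
```

Checks after editing: "rsyslogd -N1 -f /etc/rsyslog.conf" must report no
errors (this catches an unknown group or a misspelt parameter before the
restart); "ps -o user= -p $(pidof rsyslogd)" should show root, or the
CapEff line of /proc/$(pidof rsyslogd)/status should include CAP_CHOWN
(bit 0), otherwise the chown silently cannot happen; and once a remote host
has logged, "stat -c '%U:%G %a %n' /var/log/remote/*/secure" should show
root:splunk 640. Note that the parameters only apply to files rsyslog creates:
files that already exist with the old 0600 root:root ownership keep it and
must be fixed by hand.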
On Sat, 6 Apr 2024, warron.french via rsyslog wrote:
I am running multiple servers on RHEL-7.9 at work and with no option to
upgrade to a newer major version.
I have a server collecting (consolidating) logs from other (remote) servers
and need to store the various independently generated logfiles but also set
the Group-owner to something other than root.
I thought the proper syntax to do this was to set:
$FileOwner somegroup
But rsyslogd upon restart fails to accept this directive.
Can someone tell me what directive I should be using because attempting to
find the Rsyslog documentation specific to my RHEL-7.9 in combination with
answering this query at rsyslog.com <http://rsyslog.com> is not proving to
be useful.
Thank you in advance for your assistance,
--------------------------
Warron French
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.