Mailing List Archive

RHEL-7.9 rsyslog with FileOwner
I am running multiple servers on RHEL-7.9 at work and with no option to
upgrade to a newer major version.

I have a server collecting (consolidating) logs from other (remote) servers
and need to store the various independently generated logfiles but also set
the Group-owner to something other than root.

I thought the proper syntax to do this was to set:
$FileOwner somegroup

But rsyslogd upon restart fails to accept this directive.

Can someone tell me what directive I should be using because attempting to
find the Rsyslog documentation specific to my RHEL-7.9 in combination to
answering this query at rsyslog.com <http://rsyslog.com>
is not proving to be useful.

Thank you in advance for your assistance,

--------------------------
Warron French
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
if you are using the action() syntax, you set the ownership as part of the
action.

if you post your full config (including included files) we can better guess
what's wrong with it.

David Lang

Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Also remember that in a Linux system (quoting the man 2 chown):

       Only a privileged process (Linux: one with the CAP_CHOWN capability)
       may change the owner of a file.  The owner of a file may change the
       group of the file to any group of which that owner is a member.  A
       privileged process (Linux: with CAP_CHOWN) may change the group
       arbitrarily.

So if your rsyslogd is an unprivileged process (it does not have
CAP_CHOWN granted explicitly and it does not run as root user), you won't
be able to create files as a different user.

MK

Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
it's common for rsyslog configs to drop privileges, and if it does so, it can't
then make use of those privileges to open files as other users, etc.

This is why we need to see the full config, and any files included.

David Lang

Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Sir, David, is there anything else you needed from me?


--------------------------
Warron French



On Tue, Apr 9, 2024 at 8:05 AM warron.french <warron.french@gmail.com>
wrote:

> Hello sir, sorry, I did not have the opportunity to reply earlier than
> just now as this is a work related issue and I had another task at work
> yesterday.
> Attached is an image of the syntax I have put into place. Unfortunately,
> I am not permitted to share the entire file; and I also had to redact some
> of the syntax.
>
> This syntax, as you see it plus the syntax that is redacted works as
> expected for us presently. As you can see I am not using the *action()
> syntax*, mostly because I do not know how to adapt the syntax I have to
> the action() syntax format.
>
>
> --------------------------
> Warron French
>
>
>
Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Hello,

On Thu, Apr 11, 2024 at 1:34 AM warron.french via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Sir, David, is there anything else you needed from me?
>

The legacy way to set owner/group of files is to use something like the
following:
$FileOwner nameOfTheOwner
$FileGroup nameOfTheGroup

The new syntax is the following:
action( type="omfile" file="path/to/file" FileOwner="nameOfTheOwner"
FileGroup="nameOfTheGroup" )

Hope that helps.


Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
At Mariusz, my apologies for not replying earlier, somehow Google Mail
crunched your reply in the thread so that I did not see it (*laziness on my
part I guess, I have been extremely busy at work*).

I just executed *ps -ef | egrep rsyslog* and see that rsyslog is running as
root. Can I assume that I should be able to use the $FileOwner and
$FileGroup directives without issue?

Also sir, for clarification, when I attempt to leave those directives (in
the picture provided earlier in the thread) intact and then restart
rsyslogd, it simply will not successfully restart. It's bombing because of
those directives.

Is there any chance I am using them in an incorrect syntax context? Where
can I find the documentation that is specific to my rsyslog version on the
internet since the documentation is not in the RPM installed?



--------------------------
Warron French



Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Did you not see the full config? I provided it as an image. Was the image
blocked at your end, from being received?

--------------------------
Warron French



Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
At David, Mariusz, and Attila, here is my attempt to provide the syntax
(again). I am thinking you might not have received it because it came in
image form before.

Snippets of my Rsyslog.conf

$ModLoad imudp
$UDPServerRun 514

########## UDG-specific; Start
# $ModLoad omfile; Wfrench; 28FEB2024; does not work, error 3003
Module(load="builtin:omfile")
$CreateDirs on
$DirCreateMode 0700
#$dirGroup root
#$dirOwner root
$FileCreateMode 0600
#$FileGroup splunk
#$FileOwner root
########## UDG-specific; End

############### Syntax with Templates and Conditionals needed #################
################## TEMPLATES #############################
$template CATC,"/var/log/remote/%HOSTNAME%.log"
$template SECU,"/var/log/remote/%HOSTNAME%/secure"
$template MESG,"/var/log/remote/%HOSTNAME%/messages"

#################### CONDITIONALS ########################
if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
    authpriv.*                                  -?SECU
    *.info;mail.none;authpriv.none;cron.none    -?MESG
    & stop
} else if ( $fromhost contains 'i42tskvm' ) then {
    *.*                                         -?MESG
    stop
} else {
    *.*                                         /var/log/messages
    stop
}
#
####### End all Custom Directives to support TGS Rsyslog forwarding to MNTR01 in support of CDP-initiative


I am not permitted to provide the entire Rsyslog Configuration, but we are
not using /etc/rsyslog.d/ files at all, we do not have any files in there.


--------------------------
Warron French
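
The rules posted above rewritten in the action() syntax described earlier in the thread, with ownership set per action and the chown/privilege-drop points from the replies noted in comments. This is an added example, not part of the original thread or the poster's real file: the port, paths, match strings, owner root and group splunk come from the snippets above, and the 0640/0750 modes are an assumption that the group needs read access.

```conf
# Added example: the posted legacy rules in action() form.
# From the thread: UDP 514, /var/log/remote paths, match strings, root/splunk.
# Assumed: modes 0640 (files) and 0750 (directories).

module(load="imudp")
input(type="imudp" port="514")

# String templates equivalent to the legacy "$template SECU,..." lines.
template(name="SECU" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/remote/%HOSTNAME%/messages")

# Ownership is applied to files and directories that rsyslogd newly creates;
# existing files keep their owner and group. To set an arbitrary owner or
# group, rsyslogd must still be root (or hold CAP_CHOWN) at creation time,
# which it is not after $PrivDropToUser / $PrivDropToGroup take effect.
#
# A group owner alone grants nothing: with the posted 0600/0700 modes the
# group has no access. 0640 and 0750 give the group read access and leave
# "other" with none. The process umask can still clear mode bits.

if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
    if prifilt("authpriv.*") then {
        action(type="omfile" dynaFile="SECU" createDirs="on"
               fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
               dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
    }
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" dynaFile="MESG" createDirs="on"
               fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
               dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
        # Same effect as "& stop" after the legacy selector line.
        stop
    }
} else if ($fromhost contains 'i42tskvm') then {
    action(type="omfile" dynaFile="MESG" createDirs="on"
           fileOwner="root" fileGroup="splunk" fileCreateMode="0640"
           dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750")
    stop
} else {
    # Local messages keep the default ownership.
    action(type="omfile" file="/var/log/messages")
    stop
}
```

Running `rsyslogd -N1 -f` against a copy of the edited file checks the configuration without starting the daemon and reports config errors with file and line number, which is the error text a failed restart does not show on the terminal.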



Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Which error messages do you see?

Rainer

Sent from phone, thus brief.

warron.french via rsyslog <rsyslog@lists.adiscon.com> schrieb am Mo., 15.
Apr. 2024, 15:52:

> At Mariusz, my apologies for not replying earlier, somehow Google Mail
> crunched your reply in the thread so that I did not see it (*laziness on my
> part I guess, I have been extremely busy at work*).
>
> I just executed *ps -ef | egrep rsyslog* and see that rsyslog is running as
> root. Can I assume that I should be able to use the $FileOwner and
> $FileGroup directives without issue?
>
> Also sir, for clarification, when I attempt to leave those directives (in
> the picture provided earlier in the thread) intact and then restart
> rsyslogd, it simply will not successfully restart. It's bombing because of
> those directives.
>
> Is there any chance I am using them in an incorrect syntax context? Where
> can I find the documentation that is specific to my rsyslog version on the
> internet since the documentation is not in the RPM installed?
>
>
>
> --------------------------
> Warron French
>
>
>
> On Sat, Apr 6, 2024 at 2:39 AM Mariusz Kruk via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
> > Also remember that in a Linux system (quoting man 2 chown):
> >
> > Only a privileged process (Linux: one with the CAP_CHOWN
> > capability) may change the owner of a file. The owner of a file may
> > change the group of the file to any group of which that owner
> > is a member. A privileged process (Linux: with CAP_CHOWN) may
> > change the group arbitrarily.
> >
> > So if your rsyslogd is an unprivileged process (it does not have
> > CAP_CHOWN granted explicitly and it does not run as root user), you won't
> > be able to create files as a different user.
> >
> > MK
> >
> > On 6.04.2024 07:20, David Lang via rsyslog wrote:
> > > if you are using the action() syntax, you set the ownership as part of
> > > the action.
> > >
> > > if you post your full config (including included files) we can better
> > > guess what's wrong with it.
> > >
> > > David Lang
> > >
> > > On Sat, 6 Apr 2024, warron.french via rsyslog wrote:
> > >
> > >> I am running multiple servers on RHEL-7.9 at work and with no option
> to
> > >> upgrade to a newer major version.
> > >>
> > >> I have a server collecting (consolidating) logs from other (remote)
> > >> servers
> > >> and need to store the various independently generated logfiles but
> > >> also set
> > >> the Group-owner to something other than root.
> > >>
> > >> I thought the proper syntax to do this was to set:
> > >> $FileOwner somegroup
> > >>
> > >> But rsyslogd upon restart fails to accept this directive.
> > >>
> > >> Can someone tell me what directive I should be using because
> > >> attempting to
> > >> find the Rsyslog documentation specific to my RHEL-7.9 in combination
> to
> > >> answering this query at *rsyslog.com <http://rsyslog.com> *
> > >> is not proving to be useful.
> > >>
> > >> Thank you in advance for your assistance,
> > >>
> > >> --------------------------
> > >> Warron French
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >> POST if you DON'T LIKE THAT.
> > >>
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > > if you DON'T LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
I see you're trying to send data to Splunk and thus probably want the
files read as a user running the Universal Forwarder.

Instead of writing files locally you can send them straight to HEC input
using the omhttp module. (which gives you additional flexibility since
you can dynamically overwrite the metadata on the fly).

But anyway, if your rsyslogd doesn't start, check with "rsyslogd -N1"
where's the problem in your config. (you can give a config filename with
-f option if you're not using standard /etc/rsyslog.conf).

MK

On 15.04.2024 15:59, warron.french via rsyslog wrote:
> At David, Mariusz, and Attila, here is my attempt to provide the syntax
> (again). I am thinking you might not have received it because it came in
> image form before.
>
> Snippets of my Rsyslog.conf
>
> $ModLoad imudp
> $UDPServerRun 514
>
> ########## UDG-specific; Start
> # $ModLoad omfile; Wfrench; 28FEB2024; does not work, error 3003
> Module(load=”builtin:omfile”)
> $CreateDirs on
> $DirCreateMode 0700
> #$dirGroup root
> #$dirOwner root
> $FileCreateMode 0600
> #$FileGroup splunk
> #$FileOwner root
> ########## UDG-specific; End
>
> ############### Syntax with Templates and Conditionals needed #################
> ################## TEMPLATES #############################
> $template CATC,”/var/log/remote/%HOSTNAME%.log”
> $template SECU,”/var/log/remote/%HOSTNAME%/secure”
> $template MESG,”/var/log/remote/%HOSTNAME%/messages”
>
> #################### CONDITIONALS ########################
> if ($fromhost-ip startswith ‘172.20.245.5’ or $fromhost-ip contains ‘172.20.245.101’) then {
>     authpriv.*                                  -?SECU
>     *.info;mail.none;authpriv.none;cron.none    -?MESG
>     & stop
> } else if ( $fromhost contains ‘i42tskvm’ ) then {
>     *.*    -?MESG
>     stop
> } else {
>     *.*    /var/log/messages
>     stop
> }
> #
> ####### End all Custom Directives to support TGS Rsyslog forwarding to MNTR01 in support of CDP-initiative
>
>
> I am not permitted to provide the entire Rsyslog Configuration, but we are
> not using /etc/rsyslog.d/ files at all, we do not have any files in there.
>
>
> --------------------------
> Warron French
>
>
>
> On Mon, Apr 15, 2024 at 9:53 AM warron.french <warron.french@gmail.com>
> wrote:
>
>> Did you not see the full config? I provided it as an image. Was the
>> image blocked at your end, from being received?
>>
>> --------------------------
>> Warron French
>>
>>
>>
>> On Sat, Apr 6, 2024 at 3:04 AM David Lang via rsyslog <
>> rsyslog@lists.adiscon.com> wrote:
>>
>>> it's common for rsyslog configs to drop privileges, and if it does so, it
>>> can't then make use of those privileges to open files as other users, etc.
>>>
>>> This is why we need to see the full config, and any files included.
>>>
>>> David Lang
Re: RHEL-7.9 rsyslog with FileOwner [ In reply to ]
Mariusz, you are correct, this is for SPLUNK related activities.
I was told not to use omhttp, but at the time I did not know that term and
thought he meant "http."

I ran the "*rsyslogd -N1*" command. The response I got was:

ID for group ‘ ’ could not be found [v8.24.0-57.el7_9.3 try
http://www.rsyslog.com/e/3003 ]



--------------------------
Warron French
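
Added example (not part of the thread and not rsyslog project code): a pre-flight check to run next to "rsyslogd -N1" that reads the legacy $FileOwner/$FileGroup/$DirOwner/$DirGroup lines of a config, reports names containing non-ASCII or control characters, and reports names that do not resolve in passwd/group. The function names and the sample config are constructed for illustration, and taking the first space- or tab-delimited token as the name is an assumption about how the directive is read.

```python
import grp
import pwd
import re
import unicodedata

# Legacy ownership directives named in the thread, mapped to the database
# (passwd or group) in which the configured name has to exist.
OWNERSHIP_DIRECTIVES = {
    "$fileowner": "user", "$filegroup": "group",
    "$dirowner": "user", "$dirgroup": "group",
}

def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def _group_exists(name):
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def odd_characters(text):
    """Describe every character outside printable ASCII (tab allowed)."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'unnamed')}"
            for c in text if c != "\t" and not 32 <= ord(c) <= 126]

def check_ownership(config_text, user_exists=_user_exists, group_exists=_group_exists):
    """Return (line_number, directive, problems) for each suspicious directive."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*(\$[A-Za-z]+)(.*)$", raw)
        if not match or match.group(1).lower() not in OWNERSHIP_DIRECTIVES:
            continue  # comments, other directives and RainerScript are out of scope
        directive, rest = match.groups()
        # Assumption: the name is the first token delimited by ASCII space/tab.
        name = re.split(r"[ \t]+", rest.strip(" \t"))[0]
        problems = []
        if not name:
            problems.append("no name given")
        else:
            odd = odd_characters(name)
            if odd:
                problems.append("unexpected characters: " + ", ".join(odd))
            kind = OWNERSHIP_DIRECTIVES[directive.lower()]
            exists = user_exists if kind == "user" else group_exists
            if not exists(name):
                problems.append(f"{kind} {name!r} does not resolve")
        if problems:
            findings.append((lineno, directive, problems))
    return findings

# Constructed sample input (not the poster's configuration).
SAMPLE_CONFIG = (
    "$FileCreateMode 0600\n"
    "#$FileOwner root\n"
    "$FileOwner root\n"
    "$dirGroup splunk\n"
    "$FileGroup \u00a0splunk\n"   # no-break space in front of the name
    "$DirOwner\n"
)

if __name__ == "__main__":
    for lineno, directive, problems in check_ownership(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}: {'; '.join(problems)}")
```

On the collector, pass the text of the config file that rsyslogd actually loads to check_ownership() and keep the default lookups, so the names are resolved against the local passwd and group databases.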


