At David, Mariusz, and Attila, here is my attempt to provide the syntax
(again). I am thinking you might not have received it because it came in
image form before.
Snippets of my Rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
########## UDG-specific; Start
# $ModLoad omfile; Wfrench; 28FEB2024; does not work, error 3003
Module(load="builtin:omfile")
$CreateDirs on
$DirCreateMode 0700
#$dirGroup root
#$dirOwner root
$FileCreateMode 0600
#$FileGroup splunk
#$FileOwner root
########## UDG-specific; End
############### Syntax with Templates and Conditionals needed #################
################## TEMPLATES #############################
$template CATC,"/var/log/remote/%HOSTNAME%.log"
$template SECU,"/var/log/remote/%HOSTNAME%/secure"
$template MESG,"/var/log/remote/%HOSTNAME%/messages"
#################### CONDITIONALS ########################
if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
    authpriv.*                                  -?SECU
    *.info;mail.none;authpriv.none;cron.none    -?MESG
    & stop
} else if ( $fromhost contains 'i42tskvm' ) then {
    *.*                                         -?MESG
    stop
} else {
    *.*                                         /var/log/messages
    stop
}
#
####### End all Custom Directives to support TGS Rsyslog forwarding to MNTR01 in support of CDP-initiative
I am not permitted to provide the entire Rsyslog Configuration, but we are
not using /etc/rsyslog.d/ files at all, we do not have any files in there.
--------------------------
Warron French
On Mon, Apr 15, 2024 at 9:53 AM warron.french <warron.french@gmail.com> wrote:
> Did you not see the full config? I provided it as an image. Was the
> image blocked at your end, from being received?
>
> --------------------------
> Warron French
>
>
>
> On Sat, Apr 6, 2024 at 3:04 AM David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
>> it's common for rsyslog configs to drop privileges, and if it does so, it
>> can't then make use of those privileges to open files as other users, etc.
>>
>> This is why we need to see the full config, and any files included.
>>
>> David Lang
>>
>> On Sat, 6 Apr 2024, Mariusz Kruk via rsyslog wrote:
>>
>> > Also remember that in Linux system (quoting the man 2 chown):
>> >
>> > Only a privileged process (Linux: one with the CAP_CHOWN
>> > capability) may change the owner of a file. The owner of a file may
>> > change the group of the file to any group of which that owner
>> > is a member. A privileged process (Linux: with CAP_CHOWN) may
>> > change the group arbitrarily.
>> >
>> > So if your rsyslogd is an unprivileged process (it does not have
>> > CAP_CHOWN granted explicitly and it does not run as root user), you
>> > won't be able to create files as a different user.
>> >
>> > MK
>> >
>> > On 6.04.2024 07:20, David Lang via rsyslog wrote:
>> >> if you are using the action() syntax, you set the ownership as part of
>> >> the action.
>> >>
>> >> if you post your full config (including included files) we can better
>> >> guess what's wrong with it.
>> >>
>> >> David Lang
>> >>
>> >> On Sat, 6 Apr 2024, warron.french via rsyslog wrote:
>> >>
>> >>> I am running multiple servers on RHEL-7.9 at work and with no option
>> >>> to upgrade to a newer major version.
>> >>>
>> >>> I have a server collecting (consolidating) logs from other (remote)
>> >>> servers and need to store the various independently generated logfiles
>> >>> but also set the Group-owner to something other than root.
>> >>>
>> >>> I thought the proper syntax to do this was to set:
>> >>> $FileOwner somegroup
>> >>>
>> >>> But rsyslogd upon restart fails to accept this directive.
>> >>>
>> >>> Can someone tell me what directive I should be using because
>> >>> attempting to find the Rsyslog documentation specific to my RHEL-7.9
>> >>> in combination to answering this query at rsyslog.com
>> >>> <http://rsyslog.com> is not proving to be useful.
>> >>>
>> >>> Thank you in advance for your assistance,
>> >>>
>> >>> --------------------------
>> >>> Warron French
>> >>> _______________________________________________
>> >>> rsyslog mailing list
>> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>> >>> http://www.rsyslog.com/professional-services/
>> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> >>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>> >>> POST if you DON'T LIKE THAT.
>> >>>
>
>
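The "set the ownership as part of the action" approach mentioned in the thread, shown as an added example that is not part of any message above: the first branch of the posted conditional rewritten with action() objects so that group ownership is set per output. The group name splunk is taken from the commented-out $FileGroup line; the 0640/0750 modes and the assumption that the splunk group exists on the collector are mine, chosen because the posted 0600/0700 modes would leave a non-root group owner unable to read the files.

```rsyslog
# Added example (constructed); not taken from the poster's rsyslog.conf.
# Same target paths as the posted $template lines, in template() object form.
template(name="SECU" type="string" string="/var/log/remote/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/remote/%HOSTNAME%/messages")

if ($fromhost-ip startswith '172.20.245.5' or $fromhost-ip contains '172.20.245.101') then {
    # prifilt() evaluates a legacy facility.priority selector inside RainerScript.
    if prifilt("authpriv.*") then {
        # Ownership and modes are applied only when rsyslogd itself creates the
        # directory or file; files that already exist keep their current owner.
        action(type="omfile" dynaFile="SECU"
               createDirs="on"
               dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750"
               fileOwner="root" fileGroup="splunk" fileCreateMode="0640")
    }
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" dynaFile="MESG"
               createDirs="on"
               dirOwner="root"  dirGroup="splunk"  dirCreateMode="0750"
               fileOwner="root" fileGroup="splunk" fileCreateMode="0640")
    }
    stop
}

# Per the chown(2) text quoted in the thread: rsyslogd must be running as root
# or hold CAP_CHOWN when it creates these files. If the configuration drops
# privileges, it can only assign a group that the drop-to user is a member of.
```

Validate the file with `rsyslogd -N1` before restarting, and remove or chgrp any log files created earlier under /var/log/remote, since their ownership is not revisited.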