
Can't attach a ruleset for imuxsock in rsyslog


I use rsyslog 8.23 together with systemd-journald, so I use the following configuration in rsyslog.conf (relevant portions of it). It works this way with no problem: I can see all messages in my-debug.log:

module(load="imuxsock"
       SysSock.Use="on"
       SysSock.Name="/run/systemd/journal/syslog"
      )

module(load="builtin:omfile"
       Template="RSYSLOG_TraditionalFileFormat"
       FileOwner="root"
       FileGroup="adm"
       dirOwner="root"
       dirGroup="adm"
       FileCreateMode="0640"
       DirCreateMode="0755"
      )


### Global Directives ###

global(workDirectory="/var/spool/rsyslog"
       umask="0022"
       preserveFQDN="on"
       localHostname="node1"
       AbortOnUncleanConfig="on"
       Shutdown.enable.ctlc = "on"
      )

# Direct all auth* log messages to local file
if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/auth.log")
}

# Just for debug purposes only:
action(type="omfile" file="/var/log/my-debug.log")

But if I attach a ruleset to imuxsock, I get no messages in the target log file (/var/log/my-debug.log):

module(load="imuxsock"
       SysSock.Use="on"
       SysSock.Name="/run/systemd/journal/syslog"
      )

module(load="builtin:omfile"
       Template="RSYSLOG_TraditionalFileFormat"
       FileOwner="root"
       FileGroup="adm"
       dirOwner="root"
       dirGroup="adm"
       FileCreateMode="0640"
       DirCreateMode="0755"
      )


### Global Directives ###

global(workDirectory="/var/spool/rsyslog"
       umask="0022"
       preserveFQDN="on"
       localHostname="node1"
       AbortOnUncleanConfig="on"
       Shutdown.enable.ctlc = "on"
      )

# Direct all auth* log messages to local file
if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/auth.log")
}

### ALL CHANGES HERE ###
input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")

ruleset(name="MyRuleset1") {
  action(type="omfile" file="/var/log/my-debug.log")
}

First, I don't fully understand why rsyslog makes me put the 'socket' directive in the 'input' statement once more, as I already have one in the module declaration. What is 'SysSock.Name' in the module declaration for, then? And what is wrong with my second configuration? I have no clue. I think I followed the documentation strictly enough. I would appreciate any help. Thank you!


Solution

  • First, it's important to know that in rsyslog, the order of the directives in the configuration matters (See: Rsyslog Basic Structure):

    "Directives are processed from the top of rsyslog.conf to the bottom. Order matters. For example, if you stop processing of a message, obviously all statements after the stop statement are never evaluated."

    The issue seems to be due to the structure of your configuration. So, simply swapping your ruleset and input should fix your problem.

    ### ALL CHANGES HERE ###
    ruleset(name="MyRuleset1") {
      action(type="omfile" file="/var/log/my-debug.log")
    }
    
    input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")
    

    Regarding your question about the socket configuration:

    When setting SysSock.Name in the imuxsock module, it sets a global listener for syslog messages on that socket. This is a "catch-all" setup, which means any syslog message sent to this socket is processed by rsyslog following the global rules.

    module(load="imuxsock"
           SysSock.Use="on"
           SysSock.Name="/run/systemd/journal/syslog"
          )
    
    action(type="omfile" file="/var/log/my-debug.log")
    

    However, you have to specify the socket again in the input statement if you use a ruleset, as you're essentially telling rsyslog to handle messages from this socket in a special way, separate from the global rules. Rsyslog treats inputs with an attached ruleset as separate streams of logs. When using the input statement, you have to specify the socket again, as you're creating a new, distinct path for these messages, even though the physical socket in your case is the same.

    input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")
    

    This means, with your current configuration, you can e.g. remove SysSock.Name from the global directive, or you can remove the input statement and define a global rule, which achieves the same result.
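
A pre-deployment check for the two conditions discussed in the answer above: an `input()` that names a ruleset defined only later in the file (or not at all), and a socket path that appears both as the module's `SysSock.Name` and in an `input()`. This is an added example, not code from the answer or from the rsyslog project; `parse`, `check` and the finding labels are hypothetical names, and the regex parsing assumes statements shaped like the ones on this page.

```python
import re

# Constructed sample: the asker's second configuration, reduced to the relevant statements.
SAMPLE_CONF = '''
module(load="imuxsock"
       SysSock.Use="on"
       SysSock.Name="/run/systemd/journal/syslog"
      )
input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")
ruleset(name="MyRuleset1") {
  action(type="omfile" file="/var/log/my-debug.log")
}
'''

# Assumption: statements look like the ones on this page, name(param="value" ...),
# with no ')' inside a quoted value. This is not a full RainerScript parser.
STATEMENT = re.compile(r'\b(module|input|ruleset)\s*\(([^)]*)\)', re.I)
PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def parse(text):
    """Return [(line_no, kind, params)]; comment lines are blanked so line numbers hold."""
    clean = "\n".join("" if l.lstrip().startswith("#") else l for l in text.splitlines())
    stmts = []
    for m in STATEMENT.finditer(clean):
        params = {k.lower(): v for k, v in PARAM.findall(m.group(2))}
        stmts.append((clean.count("\n", 0, m.start()) + 1, m.group(1).lower(), params))
    return stmts

def check(text):
    """Return [(input_line, finding, value)] for the two conditions described above."""
    stmts = parse(text)
    # Ruleset name -> line of its first definition (reversed so the first one wins).
    defined = {p["name"]: ln for ln, kind, p in reversed(stmts)
               if kind == "ruleset" and "name" in p}
    # Socket paths the imuxsock module statement already names as the system socket.
    sys_socks = {p["syssock.name"] for _, kind, p in stmts
                 if kind == "module" and p.get("load") == "imuxsock"
                 and "syssock.name" in p and p.get("syssock.use", "on").lower() != "off"}
    findings = []
    for ln, _, p in (s for s in stmts if s[1] == "input"):
        rs = p.get("ruleset")
        if rs is not None and rs not in defined:
            findings.append((ln, "ruleset-not-defined", rs))
        elif rs is not None and defined[rs] > ln:
            findings.append((ln, "ruleset-defined-after-input", rs))
        if p.get("type") == "imuxsock" and p.get("socket") in sys_socks:
            findings.append((ln, "socket-also-system-socket", p["socket"]))
    return findings
```

Calling `check(SAMPLE_CONF)` reports both conditions against the `input()` line; a finding is a prompt to review that line, and a syntax check with `rsyslogd -N1` is still worth running afterwards.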