• [6.x.x] rsyslog filters do not affect local syslog


    doron
    • Annoyance

    This is in fact applicable to all 6.x versions including stable, just thought it'd be nice if it could be fixed in 6.9 (small effort).

     

    Issue: Any filter (or other rsyslog script) you deposit in /etc/rsyslog.d/ does not affect the local syslog files. It does affect remote syslog streams, if configured(*).

     

    Reason: /etc/rsyslog.conf, as configured by the webGui scripts, looks like this (excerpt):

    (...)
    $Umask 0022
    
    #
    # Include all config files in /etc/rsyslog.d/
    # limetech - ok
    #
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    ###############
    #### RULES ####
    ###############
    
    # limetech - everything goes to syslog.
    $RuleSet local
    *.debug                                                 -/var/log/syslog
    (...)

    Note that the "$IncludeConfig" directive precedes the "$RuleSet local" directive.

    This means that when files from /etc/rsyslog.d/ are included, they are applied within the applicable default RuleSet at that moment - "RSYSLOG_DefaultRuleset". The net result is that under the "local" ruleset, the filters are not applied.

     

    If the user configures a remote syslog facility, then another section is added to rsyslog.conf, with "$RuleSet remote", within which the content of /etc/rsyslog.d/ is read again(!), so the filters are applied on remote syslog, but not local.

     

    Solution: Place the "$RuleSet local" directive above the "$IncludeConfig /etc/rsyslog.d/*.conf" directive.

    This needs to be fixed in the Dynamix script (syslog setting UI), since the vanilla Unraid /etc/rsyslog.conf seems to not contain $RuleSet directives at all.

     

    Sample patch to /etc/local/emhttp/webGui/scripts/rsyslog_config:

     

    --- rsyslog_config      2021-01-09 19:02:20.528996624 +0200
    +++ rsyslog_config-n    2021-01-09 19:58:06.434929884 +0200
    @@ -14,7 +14,7 @@
    
     # create local ruleset
     if ! grep -q '^\$RuleSet local$' $ETC; then
    -  sed -ri '/^# limetech - everything goes to syslog.$/a$RuleSet local' $ETC
    +  sed -ri '/^# Include all config files/a$RuleSet local' $ETC
       sed -ri '/^#?\*\.\* @@?.*:[0-9]+$/a$DefaultRuleset local' $ETC
     fi
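
    Review bot: the guard "if ! grep -q '^\$RuleSet local$' $ETC" above the changed line only tests whether "$RuleSet local" is present, so a file already written by the old script (ruleset placed after the include) is skipped and keeps the wrong order. Consider removing a misplaced "$RuleSet local" first, or testing its position relative to "$IncludeConfig". The new anchor '/^# Include all config files/' also keys on comment wording and appends the directive inside that comment block; matching the "$IncludeConfig" line and inserting before it would be less fragile. $ETC is unquoted in all three commands.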

    (*) Actually, the instantiation is a bit more complex: This issue is created only if the user has, at any time, used the Settings/Syslog Server dialog. As distributed, the Unraid /etc/rsyslog.conf does not have a RuleSet configured, so does not have the issue.
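
The ordering problem reported above can be checked mechanically. The script below is an added example, not part of the original post or of Unraid's scripts; the function names are hypothetical and the two sample configs are constructed from the excerpt in the report.

```shell
#!/bin/sh
# Added example: show which ruleset is current at each $IncludeConfig.
# Legacy rsyslog directives are processed top to bottom, so an include
# placed before "$RuleSet local" binds its rules to RSYSLOG_DefaultRuleset.

include_rulesets() {
    # $1 = rsyslog.conf-style file; prints "<line> <ruleset> <glob>" per include
    awk '
        BEGIN { rs = "RSYSLOG_DefaultRuleset" }
        /^[ \t]*#/ { next }                                  # skip comments
        tolower($1) == "$ruleset"       { rs = $2; next }    # ruleset switch
        tolower($1) == "$includeconfig" { print NR, rs, $2 }
    ' "$1"
}

local_filters_apply() {
    # Succeeds if at least one include is read while "local" is current
    include_rulesets "$1" | awk '$2 == "local" { ok = 1 } END { exit !ok }'
}

write_sample() {
    # $1 = broken|fixed, $2 = output path (constructed sample, not a real config)
    inc='$IncludeConfig /etc/rsyslog.d/*.conf'
    case $1 in
        broken) a=$inc; b='$RuleSet local' ;;
        *)      a='$RuleSet local'; b=$inc ;;
    esac
    printf '%s\n' '$Umask 0022' '# Include all config files in /etc/rsyslog.d/' \
        "$a" '# limetech - everything goes to syslog.' "$b" \
        '*.debug -/var/log/syslog' > "$2"
}

demo() {
    dir=$(mktemp -d)
    for kind in broken fixed; do
        write_sample "$kind" "$dir/$kind.conf"
        echo "== $kind"
        include_rulesets "$dir/$kind.conf"
        if local_filters_apply "$dir/$kind.conf"; then
            echo "filters in rsyslog.d reach the local ruleset"
        else
            echo "filters in rsyslog.d do NOT reach the local ruleset"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a live system, `include_rulesets /etc/rsyslog.conf` gives the same listing for the real file; an include that is read again under a "remote" ruleset shows up as a second line.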




    User Feedback

    Recommended Comments

    12 minutes ago, SimonF said:

    Is this change planned for 6.9? Or is there a workaround if you want to use filters?

    I've built a workaround in the SAS Spindown plugin, when the latter is installed in versions 6.7-6.8. The workaround is complex and rather involved, to make sure it's "safe" even if the user reconfigures the syslog settings in the webGui (e.g. includes a background process that waits on modifications to syslog.conf and, when triggered, reconfigures the filters). While it's done and working quite elegantly, I'd not recommend going that path.

     

    This is really quite broken right now, so if it can be fixed in 6.9 it would be great.

    • Thanks 1
    Link to comment

    I've made the correction and moved the ruleset definition before the include.

     

    Note

    To make this work, the user has to delete the files /config/rsyslog.conf and /config/rsyslog.cfg from the USB device.

    Reboot the server and reconfigure the syslog service in the GUI again.

     

    • Like 1
    • Thanks 1
    Link to comment
    1 hour ago, bonienl said:

    I've made the correction and moved the ruleset definition before the include.

    That's great - thanks!!

    Link to comment

    So with Unraid 6.10 it should work by adding this to the Go file?

     

    echo ":msg,contains,\"Router Advertisement from\"" stop > /etc/rsyslog.d/02-custom.conf
    /etc/rc.d/rc.rsyslogd restart

     

     

    Link to comment
    6 hours ago, mgutt said:

    So with Unraid 6.10 it should work by adding this to the Go file?

     

    Yes, that will work.

    Alternatively, you can append the line to the existing file 01-blocklist.conf (which contains messages to suppress).

     

     

    • Thanks 1
    Link to comment

    Hi

    Just to confirm that this should be all I need to have in my script?

     

    # USBIP
    $RuleSet local
    if $msg contains "usbip: info: connect:" and $.usbipdone != 1 then {
        set $.usbipdone = 1 ;
        ^/usr/local/emhttp/plugins/usb_manager/scripts/syslog_process.sh;
    }

       

    Also, any other way to save the user having to reboot, delete and reboot?

     

    To make this work, the user has to delete the files /config/rsyslog.conf and /config/rsyslog.cfg from the USB device.

    Reboot the server and reconfigure the syslog service in the GUI again.

    Edited by SimonF
    Link to comment

