Trying to specify file permissions with output channels in syslog
I'm trying to use syslog with output channels to create some log files, and I need them to have specific owners and permissions.
In /etc/rsyslog I'm writing the following:
$umask 0027
$FileGroup the-mothers-of-invention
$outchannel rotate1,/path/mylog.log, 10000000,/path/my-rotate-script.sh /path mylog 99 .log 10000000
$template myTemplate,"%timegenerated:1:23:date-rfc3339%+%timegenerated:28:36:date-rfc3339% %syslogpriority-text:1:2:uppercase% %hostname%:%msg%\n"
if $app-name == 'MYAPP' then {
*.* :omfile:$rotate1;myTemplate
stop
}
With this configuration, I see the first mylog.log file is created with permission 640 and groupID the-mothers-of-invention, but after reaching 10 MB the script is correctly executed (I used the mv command) and I see the file mylog__.log is created; it inherits the owner and permissions from the original mylog.log file (so far, everything is ok). But when the new mylog.log file is automatically created by syslog, it is created with the default owner (root:root) and permissions (644).
I've been reading a lot of information & manuals (the rsyslog ones), but I don't see any information on combining the permissions change and the output channels.
Any guess?
Thanks!
Comments (2)
The $FileCreateMode parameter allows you to specify the creation mode with which rsyslogd creates new files. It lets rsyslog create files with read and write access only for the user it runs under.
First, remove any restrictions for rsyslog:
Then you can set the creation mode:
If there is a listener that must bind to a network port below 1024, rsyslogd always needs to start up as root. For example, the UDP listener usually needs to listen on 514 and as such rsyslogd needs to start up as root. This means if you have any listener as described above, you can't change the file owner - at least if you're creating the file with rsyslog.
If that's not the case, you can use the $PrivDropToGroup and/or $PrivDropToUser config params to specify a group and/or user that rsyslogd should drop to after initialization.
As eDonkey said, since I'm not using any UDP listener, I included the FileGroup and PrivDropToGroup before instantiating the outChannel, as this:
Thanks a lot!
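As an added example (my own code, not from the thread or from rsyslog), a small Python audit of a legacy-syntax rsyslog config for the points eDonkey's answer and the asker's fix raise: $FileCreateMode present and not world-readable, $PrivDropToUser/$PrivDropToGroup present, the permission directives placed before the $outchannel as in the asker's working config, and listeners on ports below 1024 that keep rsyslogd running as root. The listener directive names ($UDPServerRun, $InputTCPServerRun) and the two sample configs are my assumptions; the group name is the one from the question.

```python
# Audit a legacy-syntax rsyslog config for the directives this thread discusses.
# Names are compared lower-cased; legacy directives are case-insensitive.
FILE_DIRECTIVES = {"$filecreatemode", "$fileowner", "$filegroup", "$umask"}
PRIVDROP_DIRECTIVES = {"$privdroptouser", "$privdroptogroup"}
# Input directives taking a port (assumed imudp/imtcp legacy names); <1024 needs root.
LISTENER_DIRECTIVES = {"$udpserverrun", "$inputtcpserverrun"}


def audit_rsyslog_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    outchannel_line = None
    seen = set()
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        key, arg = name.lower(), arg.strip()
        octal = bool(arg) and set(arg) <= set("01234567")
        if key == "$outchannel" and outchannel_line is None:
            outchannel_line = n
        elif key in FILE_DIRECTIVES | PRIVDROP_DIRECTIVES:
            seen.add(key)
            # The asker's working config sets these before the $outchannel they apply to.
            if outchannel_line is not None:
                findings.append(f"line {n}: {name} comes after $outchannel (line {outchannel_line}); move it above")
            if key == "$filecreatemode" and octal and int(arg, 8) & 0o004:
                findings.append(f"line {n}: $FileCreateMode {arg} leaves the log world-readable")
        elif key in LISTENER_DIRECTIVES and arg.isdigit() and int(arg) < 1024:
            findings.append(f"line {n}: {name} {arg} binds a privileged port, so rsyslogd must start as root")
    if "$filecreatemode" not in seen:
        findings.append("no $FileCreateMode: re-created files get rsyslog's default mode (644 in the question)")
    if not seen & PRIVDROP_DIRECTIVES:
        findings.append("no $PrivDropToUser/$PrivDropToGroup: re-created files stay root-owned")
    return findings


# Constructed samples: the question's config and the fix the thread arrives at.
QUESTION_CONF = """$umask 0027
$FileGroup the-mothers-of-invention
$outchannel rotate1,/path/mylog.log, 10000000,/path/my-rotate-script.sh /path mylog 99 .log 10000000
*.* :omfile:$rotate1;myTemplate
"""
FIXED_CONF = """$umask 0027
$FileCreateMode 0640
$FileGroup the-mothers-of-invention
$PrivDropToGroup the-mothers-of-invention
$outchannel rotate1,/path/mylog.log, 10000000,/path/my-rotate-script.sh /path mylog 99 .log 10000000
*.* :omfile:$rotate1;myTemplate
"""
```

Running audit_rsyslog_conf(QUESTION_CONF) reports the two missing directives, while FIXED_CONF comes back clean.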