I use rsyslog 8.23 together with systemd-journald so I use the following configuration in rsyslog.conf (relevant portions of it) and it works this way with no problem - I can see all messages in my-debug.log:

    module(load="imuxsock"
           SysSock.Use="on"
           SysSock.Name="/run/systemd/journal/syslog"
    )
    module(load="builtin:omfile"
           Template="RSYSLOG_TraditionalFileFormat"
           FileOwner="root"
           FileGroup="adm"
           dirOwner="root"
           dirGroup="adm"
           FileCreateMode="0640"
           DirCreateMode="0755"
    )
    ### Global Directives ###
    global(workDirectory="/var/spool/rsyslog"
           umask="0022"
           preserveFQDN="on"
           localHostname="node1"
           AbortOnUncleanConfig="on"
           Shutdown.enable.ctlc = "on"
    )
    # Direct all auth* log messages to local file
    if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
        action(type="omfile" file="/var/log/auth.log")
    }
    # Just for debug purposes only:
    action(type="omfile" file="/var/log/my-debug.log")

But if I attach a ruleset to imuxsock - I have no messages in target log file (/var/log/my-debug.log):

    module(load="imuxsock"
           SysSock.Use="on"
           SysSock.Name="/run/systemd/journal/syslog"
    )
    module(load="builtin:omfile"
           Template="RSYSLOG_TraditionalFileFormat"
           FileOwner="root"
           FileGroup="adm"
           dirOwner="root"
           dirGroup="adm"
           FileCreateMode="0640"
           DirCreateMode="0755"
    )
    ### Global Directives ###
    global(workDirectory="/var/spool/rsyslog"
           umask="0022"
           preserveFQDN="on"
           localHostname="node1"
           AbortOnUncleanConfig="on"
           Shutdown.enable.ctlc = "on"
    )
    # Direct all auth* log messages to local file
    if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
        action(type="omfile" file="/var/log/auth.log")
    }
    ### ALL CHANGES HERE ###
    input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")
    ruleset(name="MyRuleset1") {
        action(type="omfile" file="/var/log/my-debug.log")
    }

First, I don't fully understand why rsyslog makes me put the 'socket' directive in the 'input' statement once more, as I already have one in the module declaration. What is 'SysSock.Name' in the module declaration for, then? And what is wrong with my second configuration? I have no clue. I think I followed the documentation strictly enough. I would appreciate any help. Thank you!
First, it's important to know that in rsyslog, the order of the directives in the configuration matters (See: Rsyslog Basic Structure):
The issue seems to be due to the structure of your configuration. So, simply swapping your ruleset and input should fix your problem.

Regarding your question about the socket configuration:

When setting SysSock.Name in the imuxsock module, it sets a global listener for syslog messages on that socket. This is a "catch-all" setup, which means any syslog message sent to this socket is processed by rsyslog following the global rules.

However, you have to specify the socket again in the input statement if you use a ruleset, as you're essentially telling rsyslog to handle messages from this socket in a special way, separate from the global rules. Rsyslog treats inputs with an attached ruleset as separate streams of logs. When using the input statement, you have to specify the socket again, as you're creating a new, distinct path for these messages, even though the physical socket in your case is the same.

This means, with your current configuration, you can e.g. remove SysSock.Name from the global directive, or you can remove the input statement and define a global rule, which achieves the same result.
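
The two points raised in the answer above (an input referencing a ruleset that appears later in the file, and the same socket path named both in SysSock.Name and in an input) can be checked statically before a config is deployed. The following is an added example, not part of the original answer and not rsyslog's own tooling; the function names `statements` and `lint` are hypothetical, the parser is deliberately simplified, and the sample is constructed from the question's second configuration.

```python
import re

# Constructed sample: the relevant tail of the question's second configuration.
SAMPLE = '''
module(load="imuxsock"
       SysSock.Use="on"
       SysSock.Name="/run/systemd/journal/syslog")
input(type="imuxsock" Socket="/run/systemd/journal/syslog" ruleset="MyRuleset1")
ruleset(name="MyRuleset1") {
    action(type="omfile" file="/var/log/my-debug.log")
}
'''

# Simplified parsing (assumption): statements start a line and no value contains ")".
STMT = re.compile(r'^[ \t]*(module|input|ruleset)\s*\(([^)]*)\)', re.M)
PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def statements(conf):
    """Return [(line_no, kind, params)] for module(), input() and ruleset()."""
    conf = re.sub(r'(?m)^[ \t]*#.*$', '', conf)  # blank out comment lines
    return [(conf.count('\n', 0, m.start()) + 1, m.group(1),
             {k.lower(): v for k, v in PARAM.findall(m.group(2))})
            for m in STMT.finditer(conf)]

def lint(conf):
    """Return [(line_no, check, message)] for the two points the answer raises."""
    stmts = statements(conf)
    all_rulesets = {p.get('name') for _, kind, p in stmts if kind == 'ruleset'}
    sys_sockets = {p['syssock.name'] for _, kind, p in stmts
                   if kind == 'module' and p.get('load') == 'imuxsock'
                   and 'syssock.name' in p}
    findings, defined = [], set()
    for line, kind, p in stmts:
        if kind == 'ruleset':
            defined.add(p.get('name'))
        elif kind == 'input':
            rs = p.get('ruleset')
            if rs and rs not in defined:
                why = 'defined later in the file' if rs in all_rulesets else 'never defined'
                findings.append((line, 'ruleset-order', f'ruleset "{rs}" is {why}'))
            if p.get('type') == 'imuxsock' and p.get('socket') in sys_sockets:
                findings.append((line, 'duplicate-socket',
                                 f'{p["socket"]} is also set as SysSock.Name'))
    return findings

if __name__ == '__main__':
    for line, check, message in lint(SAMPLE):
        print(f'line {line}: {check}: {message}')
```

A clean result only means neither of these two patterns is present; rsyslog's own config check remains the authority on whether the file is valid.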