I installed rsyslog on my Alpine-based system to replace busybox syslogd. After completely disabling syslogd in openrc, enabling rsyslog at boot and rebooting, all services correctly started logging to rsyslog.

However, using the logger utility (provided by busybox, but I've also tried replacing it by installing the logger package - it didn't change anything) still logs to /var/log/messages (no matter which facility I log to), which is the default file used by busybox syslogd.

To my understanding, logger should not log to a file directly but use the syslog protocol, so rsyslogd should pick up the message and treat it according to the rules defined. However, even though the only rule in rsyslog that logs to /var/log/messages contains mail.none, logger still logs to that file when I use mail.info as facility/severity.

What's going on and how do I fix it?

--

/etc/rsyslog.conf:

# rsyslog configuration file
#
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### Global directives ####
 
# Sets the directory that rsyslog uses for work files.
$WorkDirectory /var/lib/rsyslog

# Sets default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Check config syntax on startup and abort if unclean (default off).
#$AbortOnUncleanConfig on

# Reduce repeating messages (default off).
#$RepeatedMsgReduction on

#### Modules ####

# Provides --MARK-- message capability.
module(load="immark")

# Provides support for local system logging (e.g. via logger command).
module(load="imuxsock")

# Reads kernel messages.
module(load="imklog")

#### Rules ####
# Log all kernel messages to kern.log.
kern.*                                                  /var/log/kern.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# NOTE: The minus sign in front of filename disables buffer flush.
*.info;authpriv.none;cron.none;kern.none;mail.none      -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/auth.log

# Log all the mail messages in one place.
mail.*                                                  -/var/log/mail.log

# Log cron stuff.
cron.*                                                  -/var/log/cron.log

# Everybody gets emergency messages.
*.emerg                                                 :omusrmsg:*

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

#### Config files ####

# Include all config files in /etc/rsyslog.d/.
include(file="/etc/rsyslog.d/*.conf" mode="optional")

rc-update show:

   apache2 |      default
  bootmisc | boot
     crond |      default
     devfs |                                 sysinit
   dovecot |      default
  fail2ban |      default
  loadkmap | boot
      mdev |                                 sysinit
networking |      default
  opendkim |      default
  openntpd |      default
  php-fpm7 |      default
   postfix |      default
postgresql |      default
  postgrey |      default
    rspamd |      default
   rsyslog | boot default
      sshd |      default
       ufw |      default

rc-status:

Runlevel: default
  rsyslog          [  started  ]
  ufw              [  started  ]
  networking       [  started  ]
  openntpd         [  started  ]
  postgresql       [  started  ]
  dovecot          [  started  ]
  opendkim         [  started  ]
  postgrey         [  started  ]
  sshd             [  started  ]
  rspamd           [  started  ]
  crond            [  started  ]
  postfix          [  started  ]
  apache2          [  started  ]
  fail2ban         [  started  ]
  php-fpm7         [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
  hostname         [  started  ]
  localmount       [  started  ]
  sysfs            [  started  ]
Dynamic Runlevel: manual

1 Answer

This works as expected for me.

Disable busybox syslog and install rsyslog, configuring rsyslog to log to /var/log/syslog instead of /var/log/messages to avoid confusion:

/ # rc-service syslog stop
 * WARNING: you are stopping a boot service
 * Caching service dependencies ...    [ ok ]
 * Stopping busybox crond ...          [ ok ]
 * Stopping busybox syslog ...         [ ok ]
/ # apk add rsyslog
(1/5) Installing libestr (0.1.11-r1)
(2/5) Installing libfastjson (0.99.9-r0)
(3/5) Installing libuuid (2.37-r0)
(4/5) Installing rsyslog (8.2012.0-r1)
(5/5) Installing rsyslog-openrc (8.2012.0-r1)
Executing busybox-1.33.1-r3.trigger
OK: 10 MiB in 25 packages
/ # grep /var/log/messages /etc/rsyslog.conf
*.info;authpriv.none;cron.none;kern.none;mail.none      -/var/log/messages
/ # sed -i '/\/var\/log\/messages/s/messages/syslog/' /etc/rsyslog.conf
/ # rc-service rsyslog start
 * Caching service dependencies ...    [ ok ]
 * Starting rsyslog ...                [ ok ]
/ # tail /var/log/syslog
2021-09-12T04:30:50.071691+00:00 CT555 : [origin software="rsyslogd" swVersion="8.2012.0" x-pid="709" x-info="https://www.rsyslog.com"] start

Log with (the default) user.notice and mail.info using the built-in busybox logger:

/ # logger foo bar
/ # logger -p mail.info logging at mail.info
/ # tail /var/log/syslog
2021-09-12T04:30:50.071691+00:00 CT555 : [origin software="rsyslogd" swVersion="8.2012.0" x-pid="709" x-info="https://www.rsyslog.com"] start
2021-09-12T04:31:26.066703+00:00 CT555 root: foo bar

The mail.info message wasn't logged to /var/log/syslog.

Confirm it didn't end up in /var/log/messages:

/ # tail /var/log/messages
Sep 12 04:29:06 CT555 daemon.info init: starting pid 368, tty '/dev/tty1': '/sbin/getty 38400 tty1'
Sep 12 04:29:06 CT555 daemon.info init: starting pid 369, tty '/dev/tty2': '/sbin/getty 38400 tty2'
Sep 12 04:29:43 CT555 daemon.warn /etc/init.d/syslog[407]: WARNING: you are stopping a boot service
Sep 12 04:29:43 CT555 user.debug : Will stop /usr/sbin/crond
Sep 12 04:29:43 CT555 user.debug : Will stop PID 360
Sep 12 04:29:43 CT555 user.debug : Sending signal 15 to PID 360
Sep 12 04:29:43 CT555 user.debug : Will stop /sbin/syslogd
Sep 12 04:29:43 CT555 user.debug : Will stop PID 332
Sep 12 04:29:43 CT555 user.debug : Sending signal 15 to PID 332
Sep 12 04:29:43 CT555 syslog.info syslogd exiting

Tested on Alpine 3.14.2.
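
An added example, not part of the original question or answer: a small Python evaluator for the classic facility.priority selector syntax, run over the rules copied from the rsyslog.conf in the question. It shows which destinations rsyslog would pick for user.notice and mail.info. The function names are made up for this illustration, and only the selector subset `*`, `none`, `=`, `!` and plain levels is handled.

```python
# Added example: evaluates classic syslog selectors as used in rsyslog.conf rules.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def _sev(name):
    """Numeric severity (0 = emerg ... 7 = debug)."""
    return SEVERITIES.index(ALIASES.get(name, name))

def selector_matches(selector, tag):
    """True if a message tagged 'facility.severity' passes the selector."""
    fac, sev_name = tag.split(".")
    sev = _sev(sev_name)
    allowed = set()  # severities accepted for this facility so far
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        if facs != "*" and fac not in facs.split(","):
            continue  # this sub-selector does not concern our facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":
            allowed.clear()  # 'none' drops everything selected earlier
            continue
        if prio == "*":
            levels = set(range(8))
        elif exact:
            levels = {_sev(prio)}
        else:
            levels = set(range(_sev(prio) + 1))  # this level and more severe
        allowed = allowed - levels if negate else allowed | levels
    return sev in allowed

def destinations(rules, tag):
    """Actions of every rule whose selector matches the tag, in file order."""
    return [dest for sel, dest in rules if selector_matches(sel, tag)]

# Rules copied from the rsyslog.conf shown in the question.
RULES = [
    ("kern.*", "/var/log/kern.log"),
    ("*.info;authpriv.none;cron.none;kern.none;mail.none", "-/var/log/messages"),
    ("authpriv.*", "/var/log/auth.log"),
    ("mail.*", "-/var/log/mail.log"),
    ("cron.*", "-/var/log/cron.log"),
    ("*.emerg", ":omusrmsg:*"),
]

if __name__ == "__main__":
    for tag in ("user.notice", "mail.info"):
        print(tag, "->", destinations(RULES, tag))
```

With these rules a mail.info message can only reach /var/log/mail.log through rsyslog, so a mail.info line appearing in /var/log/messages was written by something other than this rsyslog configuration.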
