Package: rsyslog
Version: 8.2112.0-2ubuntu2.2
Severity: normal

In order to work around a bug in scanbd (#901695), I tried to add a
property-based filter as /etc/rsyslog.d/99-scanbd.conf:

:msg, regex, "/usr/sbin/scanbd: abandon polling of" 
^/usr/local/sbin/restart-scanbd

The filter appeared to trigger correctly, but my program was not being
run.

In syslog, I found messages like this:

syslog:Jan 29 13:49:15 femur systemd[1]: rsyslog.service: Got notification message from PID 1608569, but reception only permitted for main PID 1608338

I had to add the following override stanza with 'sudo systemctl edit rsyslog':

[Service]
NotifyAccess=all

It may be that 'NotifyAccess=cgroup' would have sufficed;
unfortunately I didn't have time to test that.

It may be that for security reasons it is not possible to have
property-based filters working OOTB; in that case, it would be good to
document this and the configuration change required in
rsyslog.conf(5). If on the other hand it's OK to allow them, it would
be good to fix this functionality.

(As an aside, I also considered using the omprog output module to run
my program, but it seemed that this would feed all of rsyslog's output
to the program, which would then have to do its own matching, whereas
property-based filters did exactly what I wanted with much simpler
code at my end.)
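As an added example (not code from this report, from rsyslog or from systemd), a small Python check that pulls the NotifyAccess rejection quoted above out of syslog lines and models which NotifyAccess= value would have admitted that message. The sample lines are constructed around the one line from the report, and the decision model is an assumption built from the four documented NotifyAccess= values (none, main, exec, all).

```python
import re
from typing import List, NamedTuple

# Regex for the systemd rejection line quoted in the report; unit and both PIDs are captured.
NOTIFY_REJECT_RE = re.compile(
    r"systemd\[1\]: (?P<unit>[\w.@-]+): Got notification message from PID (?P<sender>\d+),"
    r" but reception only permitted for main PID (?P<main>\d+)"
)

class NotifyRejection(NamedTuple):
    unit: str
    sender_pid: int
    main_pid: int

def find_notify_rejections(lines: List[str]) -> List[NotifyRejection]:
    """Return one NotifyRejection per matching log line, in input order."""
    out = []
    for line in lines:
        m = NOTIFY_REJECT_RE.search(line)
        if m:
            out.append(NotifyRejection(m["unit"], int(m["sender"]), int(m["main"])))
    return out

def notify_permitted(access: str, sender_pid: int, main_pid: int,
                     in_cgroup: bool = True, spawned_by_systemd: bool = False) -> bool:
    """Model (assumed) of systemd's NotifyAccess= decision for one sd_notify datagram.
    none: ignore all; main: only the main PID; exec: main PID plus processes systemd
    started via Exec*= lines; all: any process in the unit's cgroup."""
    if access not in ("none", "main", "exec", "all"):
        raise ValueError(f"unknown NotifyAccess value: {access!r}")
    if access == "none" or not in_cgroup:
        return False
    if sender_pid == main_pid:
        return True
    if access == "exec":
        return spawned_by_systemd  # a program forked by rsyslog's '^' action is not started by systemd
    return access == "all"

def accepted_under(rejections: List[NotifyRejection], access: str) -> List[bool]:
    """For each logged rejection, would the same message pass with this NotifyAccess= value?"""
    return [notify_permitted(access, r.sender_pid, r.main_pid) for r in rejections]

# Constructed sample input: the rejection line from the report between two unrelated lines.
SAMPLE_LOG = [
    "Jan 29 13:49:14 femur systemd[1]: Started System Logging Service.",
    "Jan 29 13:49:15 femur systemd[1]: rsyslog.service: Got notification message from PID 1608569,"
    " but reception only permitted for main PID 1608338",
    "Jan 29 13:49:16 femur systemd[1]: Reloading.",
]
```

Running `accepted_under(find_notify_rejections(SAMPLE_LOG), "main")` reproduces the rejection, while `"all"` is the only value that admits a message from a non-main PID that systemd did not start itself.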

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-58-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rsyslog depends on:
ii  adduser       3.118ubuntu5
ii  libc6         2.35-0ubuntu3.1
ii  libestr0      0.1.10-2.1build3
ii  libfastjson4  0.99.9-1build2
ii  libsystemd0   249.11-0ubuntu3.6
ii  libuuid1      2.37.2-4ubuntu3
ii  ucf           3.0043
ii  zlib1g        1:1.2.11.dfsg-2ubuntu9.2

Versions of packages rsyslog recommends:
ii  logrotate  3.19.0-1ubuntu1.1

Versions of packages rsyslog suggests:
ii  apparmor                          3.0.4-2ubuntu2.1
pn  rsyslog-doc                       <none>
pn  rsyslog-gssapi                    <none>
pn  rsyslog-mongodb                   <none>
pn  rsyslog-mysql | rsyslog-pgsql     <none>
pn  rsyslog-openssl | rsyslog-gnutls  <none>
pn  rsyslog-relp                      <none>

-- Configuration Files:
/etc/logcheck/ignore.d.server/rsyslog [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.server/rsyslog'

-- no debconf information
