Your message dated Tue, 23 May 2023 19:39:42 +0200
with message-id <[email protected]>
and subject line Re: Bug#1030140: rsyslog: Property-based filters are
prevented from working by systemd config
has caused the Debian Bug report #1030140,
regarding rsyslog: Property-based filters are prevented from working by
systemd config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1030140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030140
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsyslog
Version: 8.2112.0-2ubuntu2.2
Severity: normal
In order to work around a bug in scanbd (#901695), I tried to add a
property-based filter as /etc/rsyslog.d/99-scanbd.conf:
    :msg, regex, "/usr/sbin/scanbd: abandon polling of" ^/usr/local/sbin/restart-scanbd
The filter appeared to trigger correctly, but my program was not being
run.
In syslog, I found messages like this:
syslog:Jan 29 13:49:15 femur systemd[1]: rsyslog.service: Got notification
message from PID 1608569, but reception only permitted for main PID 1608338
I had to add the following override stanza with 'sudo systemctl edit rsyslog':
[Service]
NotifyAccess=all
It may be that 'NotifyAccess=cgroup' would have sufficed;
unfortunately I didn't have time to test that.
It may be that for security reasons it is not possible to have
property-based filters working OOTB; in that case, it would be good to
document this and the configuration change required in
rsyslog.conf(5). If on the other hand it's OK to allow them, it would
be good to fix this functionality.
(As an aside, I also considered using the omprog output module to run
my program, but it seemed that this would feed all of rsyslog's output
to the program, which would then have to do its own matching, whereas
property-based filters did exactly what I wanted with much simpler
code at my end.)
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'),
(100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-58-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rsyslog depends on:
ii adduser 3.118ubuntu5
ii libc6 2.35-0ubuntu3.1
ii libestr0 0.1.10-2.1build3
ii libfastjson4 0.99.9-1build2
ii libsystemd0 249.11-0ubuntu3.6
ii libuuid1 2.37.2-4ubuntu3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2ubuntu9.2
Versions of packages rsyslog recommends:
ii logrotate 3.19.0-1ubuntu1.1
Versions of packages rsyslog suggests:
ii apparmor 3.0.4-2ubuntu2.1
pn rsyslog-doc <none>
pn rsyslog-gssapi <none>
pn rsyslog-mongodb <none>
pn rsyslog-mysql | rsyslog-pgsql <none>
pn rsyslog-openssl | rsyslog-gnutls <none>
pn rsyslog-relp <none>
-- Configuration Files:
/etc/logcheck/ignore.d.server/rsyslog [Errno 13] Permission denied:
'/etc/logcheck/ignore.d.server/rsyslog'
-- no debconf information
--- End Message ---
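
The following Python is an added example, not code from the bug report or from rsyslog or systemd. It resolves the effective NotifyAccess= from unit text plus drop-ins, rates it against the values documented in systemd.service(5), and extracts the rejected sender PID from the log line quoted in the report; the base unit text and all function names are constructed for illustration.

```python
import re

# Values systemd.service(5) documents for NotifyAccess=, narrowest first.
LEVELS = ("none", "main", "exec", "all")
REJECTED = re.compile(r"(\S+\.service): Got notification message from PID (\d+), "
                      r"but reception only permitted for main PID (\d+)")

def service_settings(*fragments):
    """Merge [Service] keys from unit text given in load order. Last assignment
    wins, which holds for single-valued keys such as NotifyAccess= and Type=."""
    merged = {}
    for text in fragments:
        section = None
        for line in map(str.strip, text.splitlines()):
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, _, value = line.partition("=")
                merged[key.strip()] = value.strip()
    return merged

def notify_access(*fragments):
    """Return (value, verdict) for the effective NotifyAccess= setting."""
    cfg = service_settings(*fragments)
    value = cfg.get("NotifyAccess")
    if value is None:  # implicit default depends on the service type
        value = "main" if cfg.get("Type") in ("notify", "notify-reload") else "none"
    if value not in LEVELS:
        return value, "invalid: not a documented value"
    if value == "all":
        return value, "broad: every process in the service's cgroup may notify"
    return value, "ok"

def rejected_senders(log_text):
    """Return (unit, sender_pid, main_pid) for each rejected notification."""
    unwrapped = " ".join(log_text.split())  # undo mail/terminal line wrapping
    return [(u, int(s), int(m)) for u, s, m in REJECTED.findall(unwrapped)]

# Constructed base unit (not the packaged rsyslog.service); drop-ins as in the report.
BASE = "[Service]\nType=notify\nExecStart=/usr/sbin/rsyslogd -n\n"
DROPIN_ALL = "[Service]\nNotifyAccess=all\n"
DROPIN_CGROUP = "[Service]\nNotifyAccess=cgroup\n"
LOG = ("syslog:Jan 29 13:49:15 femur systemd[1]: rsyslog.service: Got notification\n"
       "message from PID 1608569, but reception only permitted for main PID 1608338\n")

if __name__ == "__main__":
    for name, parts in (("base", (BASE,)), ("all", (BASE, DROPIN_ALL)),
                        ("cgroup", (BASE, DROPIN_CGROUP))):
        print(name, notify_access(*parts))
    print(rejected_senders(LOG))
```
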
--- Begin Message ---
On Sat, 4 Feb 2023 23:10:44 +0000 Reuben Thomas <[email protected]> wrote:
> On Wed, 1 Feb 2023 at 17:04, Michael Biebl <[email protected]> wrote:
> > On 31.01.23 at 16:05, Reuben Thomas wrote:
> > > Package: rsyslog
> > > Version: 8.2112.0-2ubuntu2.2
> >
> > This appears to be an Ubuntu version not known in the Debian archive
> >
> Apologies.
> > > Severity: normal
> > >
> > > In order to work around a bug in scanbd (#901695), I tried to add a
> > > property-based filter as /etc/rsyslog.d/99-scanbd.conf:
> > >
> > > :msg, regex, "/usr/sbin/scanbd: abandon polling of" ^/usr/local/sbin/restart-scanbd
> >
> > What exactly does restart-scanbd do? Does it call systemctl?
> >
> Yes it does. I see what you're saying: it's running systemctl "recursively"
> that causes the error? If so, sorry, I got confused.

Without knowing what exactly this script does, it's impossible to
further diagnose this.
But calling a reload/restart of rsyslog from a rsyslog rule is indeed
not a good idea. You are pulling away the rug you are standing on.
--- End Message ---