[rsbac] creating secoff and logging to rsyslog, was: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper

Palon Setin palons at danwin1210.me
Tue Dec 11 20:04:00 CET 2018



Palon Setin:
...
>> The line in /etc/rsyslog.conf reads, as per the default:
>> *.*;auth,authpriv.none      -/var/log/syslog
>> ...
>> to modify it to read:
>>
>> *.*;auth,authpriv.none,kern.warn      -/var/log/syslog
These do contain more than 3 hours of the logs before I modified it as
suggested. Sorry! My mistake.
> Script started on 2018-12-11 09:30:56+00:00
> # ls -l /var/log/{kern.log,messages,syslog}
> -rw-r----- 1 root root 70597434 2018-12-11 09:30 /var/log/kern.log
> -rw-r----- 1 root adm  70056548 2018-12-11 09:30 /var/log/messages
> -rw-r----- 1 root root 70977868 2018-12-11 09:30 /var/log/syslog
...

But here it is all really after the change and the "service rsyslog
restart". And I just did another restart. Hope I don't need to reboot?

So that I'm not comparing two complete and one incomplete log:

# ls -l /var/log/syslog /var/log/syslog.1 /var/log/messages /var/log/kern.log
-rw-r----- 1 root root 91651776 2018-12-11 18:30 /var/log/kern.log
-rw-r----- 1 root adm  90910140 2018-12-11 18:30 /var/log/messages
-rw-r----- 1 root root 20921188 2018-12-11 18:30 /var/log/syslog
-rw-r----- 1 root root 71165862 2018-12-11 12:45 /var/log/syslog.1
#
I'll cat the previous and the current syslog together:
# cat /var/log/syslog.1 /var/log/syslog > syslog_ALL
# ls -l syslog_ALL /var/log/messages /var/log/kern.log
-rw-r--r-- 1 root root 92087050 2018-12-11 18:35 syslog_ALL
-rw-r----- 1 root root 91651776 2018-12-11 18:30 /var/log/kern.log
-rw-r----- 1 root adm  90910140 2018-12-11 18:30 /var/log/messages
#

I picked an entry, "2018-12-11T09:30:57.146767", that all three have.

# grep -A300000 2018-12-11T09:30:57.146767 /var/log/kern.log | wc -l
65163
# grep -A300000 2018-12-11T09:30:57.146767 /var/log/messages | wc -l
63632
# grep -A300000 2018-12-11T09:30:57.146767 syslog_ALL | wc -l
65700
#

# grep -A300000 2018-12-11T09:30:57.146767 syslog_ALL > syslog_ALL_after_2018-12-11T09:30:57.146767

# grep -A300000 2018-12-11T09:30:57.146767 /var/log/kern.log > kern.log_after_2018-12-11T09\:30\:57.146767

# grep -A300000 2018-12-11T09:30:57.146767 /var/log/messages > messages_after_2018-12-11T09\:30\:57.146767

# ls -l *_after_2018-12-11T09\:30\:57.146767
-rw-r--r-- 1 root root 21055278 2018-12-11 18:39 kern.log_after_2018-12-11T09:30:57.146767
-rw-r--r-- 1 root root 20854528 2018-12-11 18:39 messages_after_2018-12-11T09:30:57.146767
-rw-r--r-- 1 root root 21109510 2018-12-11 18:38 syslog_ALL_after_2018-12-11T09:30:57.146767
#

Yup! It doesn't work. If needed, I can show redacted fractions of the
above logs. The line from my:

# ls -l /etc/rsyslog.conf
-rw-r--r-- 1 root root 2288 2018-12-10 13:08 /etc/rsyslog.conf

shown with context:

# grep '/syslog' /etc/rsyslog.conf
*.*;auth,authpriv.none,kern.warn                -/var/log/syslog
# grep -C3 '/syslog' /etc/rsyslog.conf
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none,kern.warn                -/var/log/syslog
cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log

didn't do the intended deduplication.

The below is still my roadmap:
> 
> I'm working through the rsbac handbook, to try to properly use it (as
> soon as, or just soon after, this logging issue is --maybe just
> somewhat-- resolved).
> 
> rsyslog also has pretty extensive documentation. Could be some of its bugs?
> 

sincerely,
Palon Setin
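Added example, not part of the thread and not rsyslog's own code: a small Python model of the sysklogd-style legacy selector algorithm that rsyslog's traditional filter lines follow, which shows why adding `kern.warn` after `*.*` leaves every kernel message in /var/log/syslog (a plain priority only ORs levels into a facility's mask; `none`, `!` and `=` are the only forms that narrow it). The facility and priority tables are the standard syslog ones, and `FIXED_LINE` is an assumed alternative using `kern.none`, which drops kernel messages from that action while `kern.*` still reaches /var/log/kern.log.

```python
import re

# Constructed model of the sysklogd/rsyslog legacy selector algorithm
# (a simplification for illustration, not rsyslog's own code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
ALL_PRI = (1 << len(PRIORITIES)) - 1

# The line from the thread, and an assumed alternative that actually removes
# kernel messages from the syslog action (kern.* still goes to kern.log).
AUTHOR_LINE = "*.*;auth,authpriv.none,kern.warn      -/var/log/syslog"
FIXED_LINE = "*.*;auth,authpriv.none;kern.none       -/var/log/syslog"

def build_mask(line):
    """Return {facility: bitmask of priorities the action accepts}.

    Like sysklogd's cfline(): selectors are applied left to right on one
    per-facility mask. A plain priority ORs in that level and every more
    severe level, '=pri' ORs in only that level, 'none' clears the facility,
    and a leading '!' turns the OR into a clear. Nothing narrows a facility
    except 'none' or '!'."""
    masks = {f: 0 for f in FACILITIES}
    selectors = line.split()[0]  # drop the action (e.g. -/var/log/syslog)
    for facs, pri in re.findall(r"([\w*]+(?:,[\w*]+)*)\.([!=\w*]+)", selectors):
        ignore = pri.startswith("!")
        single = pri.lstrip("!").startswith("=")
        pri = ALIASES.get(pri.lstrip("!="), pri.lstrip("!="))
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in masks:
                raise ValueError("unknown facility %r" % fac)
            if pri == "none":
                masks[fac] = ALL_PRI if ignore else 0
                continue
            level = len(PRIORITIES) - 1 if pri == "*" else PRIORITIES.index(pri)
            bits = (1 << level) if single else (1 << (level + 1)) - 1
            masks[fac] = masks[fac] & ~bits if ignore else masks[fac] | bits
    return masks

def matches(line, facility, priority):
    """True if a message with this facility.priority reaches the line's action."""
    bit = 1 << PRIORITIES.index(ALIASES.get(priority, priority))
    return bool(build_mask(line)[facility] & bit)

if __name__ == "__main__":
    for line in (AUTHOR_LINE, FIXED_LINE):
        print(line.split()[0], "-> kern.info logged:", matches(line, "kern", "info"))
```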

