Issue with "syslogseverity" variable of rsyslog

[ssharma12]

The severity of the messages logged by rsyslog is always 7 which is debug.

For Centos 7 we use the rsyslog-8.24.0-12.el7.src.rpm for logging messages. In the rsyslog.conf file(attached), we have custom patches added one of which is

$template MY_MSG_local99_FORMAT,"%TIMESTAMP% %HOSTNAME% local7 %syslogseverity% %APP-NAME%:%MSG%\n"

local99.* |/usr/local/cm/misc/MYSyslogFifo;MY_MSG_local99_FORMAT
local99.* /var/log/active/syslog/MYSyslog;MY_MSG_local99_FORMAT

The variables used for template are already present in rsyslog rpm code and we just utilize it for forming the message. The variable syslogseverity value is passed by the function

syslog(LOG_LOCAL99|severity,"%s",_buffer);

In order to confirm we are sending the correct severity, I have attached a test code which will send the severity as 1. As per rsyslog.conf, the messages will be logged in /var/log/active/syslog/MYSyslog.

When I open MYSylog file, I can see that
Apr 5 10:34:34 padnaik6-lnx local7 7 : #012Alarm Interface Test Pgm ---Message distributed by syslogd

The severity sent by the test code is 1 but message shows 7. The same test code when we run on RHEL 6 server, it comes proper.

[TrevorH]

For Centos 7 we use the rsyslog-8.24.0-12.el7.src.rpm for logging messages.

That version of rsyslog is from CentOS 7.2 which is from 2015. That has been unsupported since the release of 7.3 in 2016 so you are more than 2 years out of date and maybe as much as 3. You need to run yum update more often than every 3 years - I would suggest once a week. There are patches released all the time and many of those fix security vulnerabilities. Your system is not safe unless it is up to date.

The current rsyslog is 8.24.0-34.el7 and there are 175 lines of output from rpm -q --changelog rsyslog between the current version and the one you are running. Update to 7.6 and try to recreate your problem.

[ssharma12]

Hi,

I have installed lates version then retried, but same problem occuring.

[TrevorH]

local99 is not valid, the range is 0-7.

Code: Select all

# cat /etc/rsyslog.d/testing.conf 
$template MY_MSG_local99_FORMAT,"%TIMESTAMP% %HOSTNAME% local7 %SYSLOGSEVERITY% %APP-NAME%:%MSG%\n"

local7.* /var/log/messages;MY_MSG_local99_FORMAT
# sc restart rsyslog
# logger -p local7.1 test
# grep local7 /var/log/messages
Apr 12 12:13:57 centos7 local7 1 trevor:test

[MartinR]

I'm probably missing something here, but where is LOG_LOCAL99 set? I can't see provision for it in either syslog(3) or /usr/include/sys/syslog.h.

[ssharma12]

Hi,


In rsyslog.conf i have creatednew entry, it was working fine in Centos 6.

$template MY_MSG_FORMAT,"%TIMESTAMP% %HOSTNAME% %syslogfacility-text% %syslogseverity% %APP-NAME%:%MSG%\n"
$template MY_MSG_local99_FORMAT,"%TIMESTAMP% %HOSTNAME% local7 %syslogseverity% %APP-NAME%:%MSG%\n"
$template MY_MSG_local6_FORMAT,"%TIMESTAMP% %HOSTNAME% local6 %syslogseverity% %APP-NAME%:%MSG%\n"


and i have set MACRO #define LOG_LOCAL99 (24<<3)

[MartinR]

In /usr/include/sys/syslog.h there is the line:

Code: Select all

#define LOG_NFACILITIES 24

which may be stopping syslog from accepting your extra facility.

[ssharma12]

No this is not causing any issue, because, log is written in file, which i have mentioned in rsyslog.conf file, but i severity level is always coming 7, as i have printed.

$template MY_MSG_local99_FORMAT,"%TIMESTAMP% %HOSTNAME% local7 %syslogseverity% %APP-NAME%:%MSG%\n"

%syslogseverity% is always priinting 7
as i have passed 1.

[TrevorH]

As I said before and MartinR has found in the source, log level 99 is not valid. If you change it to use local 7 then it just works.

[ssharma12]

Yes, but the severity is not updating, as i am passing severity level 1 but its always coming 7.