Filter Netatalk logs with rsyslogd scripts

[hnagasawa]

Logs are written to /var/log/syslog in Netatalk's debug mode. The average capacity is 5GB per hour. "To record logs only in a specific file"

/etc/rsyslog.d/filter.conf if \ ($msg contains 'debug:AFPDaemon' and $msg contains 'cname') \ then \ -/var/log/netatalk.log & ~

rsyslog.conf local2.* -/var/log/netatalk.log It is written as follows.

I tried to extract the line and look at it, but the content was the same as the log written by Netatalk. Is it not possible to modify netatalk logs with rsyslog?

[rdmark]

@hnagasawa To confirm that I understand correctly what you want to achieve: Log messages that match the condition in your filter.conf should be logged to file, and any other log messages should be dropped? Logged to syslog?

[hnagasawa]

Log messages that match the condition in your filter.conf should be logged to file, and any other log messages should be dropped? Yes Logged to syslog? syslog or /var/log/netatalk.log

[rdmark]

@hnagasawa I see. If the filtering doesn't work right now, I think it's safe to say that it's either a bug, or a missing implementation (rsyslog API that needs to be called?)

I will keep this ticket for future investigation into the rsyslog API.

For now, what netatalk can offer is the "log level" setting in afp.conf where you can increase or decrease the loglevel per each logtype. Multiple loglevels can be defined with a comma separated list.

https://netatalk.sourceforge.io/3.1/htmldocs/afp.conf.5.html

log level = type:level [type:level ...] (G), log level = type:level,[type:level, ...] (G)

Specify that any message of a loglevel up to the given log level should be logged.

By default afpd logs to syslog with a default logging setup equivalent to default:note

logtypes: default, afpdaemon, logger, uamsdaemon

loglevels: severe, error, warn, note, info, debug, debug6, debug7, debug8, debug9, maxdebug

[hnagasawa]

@rdmark

I see. If the filtering doesn't work right now, I think it's safe to say that it's either a bug, or a missing implementation (rsyslog >API that needs to be called?) I will keep this ticket for future investigation into the rsyslog API.

Do you plan to reflect the investigation and fix results of this issue in next netatalk new version 3.20 or later ? Please let me know if you know more details.

[rdmark]

@hnagasawa As you certainly know, this project is volunteer driven, so I cannot guarantee anything.

When I have some time later this month I plan to read up on rsyslogd APIs to understand what is needed. After that I should be able to say whether it’s feasible to modify the netatalk logger module without a complete rewrite.

[hnagasawa]

@rdmark I understand this project is volunteer driven,

When I have some time later this month I plan to read up on rsyslogd APIs to understand what is needed. After that I >should be able to say whether it’s feasible to modify the netatalk logger module without a complete rewrite.

I am waiting for your result.

[rdmark]

@hnagasawa Thanks for waiting patiently. I was able to look closer at this issue today.

The one potential error that I saw, is that rsyslogd threw a warning that the & ~ syntax is deprecated, and you should use stop instead. But maybe you are using an older version of rsyslogd? I'm testing this on an Ubuntu 22.04 system.

With this configuration:

$ cat /etc/rsyslog.d/10-netatalk.conf 
if
($msg contains 'loading' and $msg contains 'uam')
then
-/var/log/netatalk.log
stop

I got this result:

$ cat /var/log/netatalk.log 
Apr  1 10:49:26 buntu afpd[21043]: uam: loading (/usr/local/lib/netatalk/uams_dhx.so)
Apr  1 10:49:26 buntu afpd[21043]: uam: loading (/usr/local/lib/netatalk/uams_dhx2.so)

Is this in line with your expectations?

I referenced the official documentation for the syntax. https://www.rsyslog.com/doc/configuration/filters.html

[hnagasawa]

@rdmark

I installed under RockyLinux 9.3. I will try.

[rdmark]

I really hope that solves your problem!

[hnagasawa]

@rdmark

Today, I installed Netatalk under RockyLinux Ver9.3

I have any questions.

There was no /etc/rsyslog.d/10-netatalk.conf file in RockyLinux9.x.

The one potential error that I saw, is that rsyslogd threw a warning that the & ~ syntax is deprecated,

Is "the & ~" a description in the netatalk source? Is it rsyslog?

[rdmark]

@rdmark

Today, I installed Netatalk under RockyLinux Ver9.3

I have any questions.

There was no /etc/rsyslog.d/10-netatalk.conf file in RockyLinux9.x.

You have to create this file.

The one potential error that I saw, is that rsyslogd threw a warning that the & ~ syntax is deprecated,

Is "the & ~" a description in the netatalk source? Is it rsyslog?

The & ~ syntax is an rsyslog expression. But it was deprecated in rsyslog v7 according to the documentation:

https://www.rsyslog.com/doc/compatibility/v7compatibility.html

Now, I found an error in my example above. The correct syntax should be:

if
($msg contains 'loading' and $msg contains 'uam')
then
-/var/log/netatalk.log
& stop

[rdmark]

@hnagasawa Were you able to run further tests on your RockyLinux system? I'm curious to hear if you are seeing a different behavior or not.

[hnagasawa]

I created /etc/rsyslog.d/10-netatalk.conf . I restarted netatalk and rsyslog. But netalak.logfile was empty. rsyslog version is rsyslog-8.2102.0-117.el9.x86_64 under RockyLnux9.3

[rdmark]

That’s odd. Can you please share exactly what is in your conf?

You can also try the other types of rsyslogd syntax that is described in the documentation page above. There is a simpler declarative syntax that is less error prone than the expression syntax we’re using now.

[hnagasawa]

@rdmark

Can you please share exactly what is in your conf?

[root@RockyLinux ~]# cat /etc/rsyslog.d/10-netatalk.conf if ($msg contains 'loading' and $msg contains 'uam') then -/var/log/netatalk.log & stop

What do I miss ?

[rdmark]

@hnagasawa Can you share what your afp.conf looks like? Do you know for fact that you are getting log messages containing both "loading" and "uam"?

[hnagasawa]

@rdmark

I unistalled and I reinstalled. This issue fixed.

Thank you for your support.

[rdmark]

I'm relieved to hear that you resolved your issue!