#!/bin/bash set -eu echo "* Checking logcheck rules" # tell rsyslog to output to a file other than /var/log/syslog to isolate # rsyslog messages. nb that rsyslog.service is hardened so this file # cannot be in /tmp (#1053898) cat > /etc/rsyslog.d/rsyslog-logcheck.conf < /var/log/test-rsyslog-syslog.log echo "** Starting and stopping rsyslog" # if rsyslog is already running then merely doing 'start+stop' # will not reload the new config systemctl stop rsyslog 2>&1 #(redirect stderr becuase systemd tells us that syslog.socket will restart rsyslog) systemctl start rsyslog systemctl stop rsyslog 2>&1 echo "** rsyslog generated the following lines in syslog:" cat /var/log/test-rsyslog-syslog.log if [ ! -s /var/log/test-rsyslog-syslog.log ]; then echo >&2 "ERROR: rsyslog produced no syslog entries (in /var/log/test-rsyslog-syslog.log) at all" echo "/var/log/syslog contained:" cat /var/log/syslog fi echo "** rsyslog generated the following lines in the systemd journal:" journalctl --since=-5min _COMM=rsyslogd \ | tee /tmp/test-rsyslog-journal.log if [ ! -s /tmp/test-rsyslog-journal.log ]; then echo >&2 "ERROR: rsyslog produced no journal entries at all" fi echo "** Running logcheck" # check both syslog and journal lines with logcheck # no need to change config, but set -o and hide state and logfiles-list-directory cat > /tmp/logcheck.logfiles <&2 "* FAIL: unmatched lines - logcheck rules may need updating" else echo "* OK: no unmatched lines" fi cat /tmp/test-rsyslog-unmatched rm -rf \ /etc/rsyslog.d/rsyslog-logcheck.conf \ /tmp/logcheck.state /tmp/logcheck.logfiles \ /tmp/test-rsyslog-journal.log \ /var/log/test-rsyslog-syslog.log \ /tmp/test-rsyslog-unmatched