Comment 4 for bug 1761630

Hmmm.... is rsyslog failing to write things to files?

Apr 07 15:15:01 sochi rsyslogd[2023]: action 'action 6' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.32.0 try http://www.rsyslog.co
Apr 07 15:15:01 sochi rsyslogd[2023]: action 'action 6' resumed (module 'builtin:omfile') [v8.32.0 try http://www.rsyslog.com/e/2359 ]

I see a lot of stuff like that from rsyslog.

syslog 2023 0.0 0.0 347096 5648 ? Ssl Apr06 0:08 /usr/sbin/rsyslogd -n

$ ls -latr auth.log
-rw-r----- 1 root adm 0 Jul 14 2014 auth.log

How can a syslog user write to a root owned file?

<insert mem gif of geometry confusion / does not compute>

$ sudo chown syslog:adm /var/log/auth.log; sudo systemctl restart rsyslog

Seems to fix things for me, and auth.log is getting entries... My guess is that /usr/lib/tmpfiles.d/00rsyslog.conf is incomplete? and that we need to override more permissions in it?

In that case, it sounds like a bug in rsyslog, for not having right permissions specified in tmpfiles.d?