Comment 20 for bug 407862

For me it is busted as soon as I start up the machine unless I change
the ownership on the /var/log/* files to syslog:syslog and then it
will work fine.

I've just done the same as you after a fresh install of rsyslog to
make sure I'm on the latest repository version.

 * tail /var/log/syslog
 * sudo /etc/init.d/rsyslog restart
 * plug in usb stick
 * sudo /etc/init.d/rsyslog reload
 * pull usb stick out

I get the kernel messages after the restart but not the reload.

Does your /var/log have the same permissions as default? Mine is owned
root:root mode 755 and the /var/log/syslog is owned root:adm with mode
640.

Rsyslog is supposed to close all the files on reload, so if a
syslog:syslog owned process can reopen a 640 mode file with root:adm
ownership then the kernel probably has a security hole :-)

This may be a thread sync problem. I'm on AMD 64 with 2 cores. Is
your architecture similar?

2009/8/31 Michael Terry <email address hidden>:
> OK, so I finally got time to sit down and look at this, and I can't
> reproduce the problem (files that rsyslog can log stop being logged
> after reload).

--
Neil Wilson
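
The permission reasoning in the comment above, worked through as an added example (not part of the original comment and not rsyslog code). It assumes rsyslog opens its files as root at startup and as syslog:syslog after a reload; the numeric ids are constructed, and ACLs and security modules are ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """Constructed stand-in for the stat fields the kernel consults."""
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o640

def allowed(entry, uid, gids, want):
    """Classic Unix DAC check: the first matching class (owner, group, other)
    decides alone. `want` is a 3-bit rwx mask. uid 0 is treated as bypassing
    the check (CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want

def can_reopen_for_append(directory, logfile, uid, gids):
    """Reopening an existing log needs search (x) on the directory and
    write (w) on the file itself."""
    return allowed(directory, uid, gids, 0o1) and allowed(logfile, uid, gids, 0o2)

# Constructed numeric ids; real values differ per system.
ROOT, SYSLOG_UID, SYSLOG_GID, ADM_GID = 0, 101, 103, 4

VAR_LOG = Entry(ROOT, ROOT, 0o755)                      # root:root 755
ROOT_ADM_640 = Entry(ROOT, ADM_GID, 0o640)              # /var/log/syslog as reported
SYSLOG_SYSLOG_640 = Entry(SYSLOG_UID, SYSLOG_GID, 0o640)  # after the chown workaround

def report():
    cases = [
        ("root at startup", ROOT_ADM_640, ROOT, {ROOT}),
        ("syslog:syslog after reload", ROOT_ADM_640, SYSLOG_UID, {SYSLOG_GID}),
        ("syslog also in group adm", ROOT_ADM_640, SYSLOG_UID, {SYSLOG_GID, ADM_GID}),
        ("after chown syslog:syslog", SYSLOG_SYSLOG_640, SYSLOG_UID, {SYSLOG_GID}),
    ]
    return {name: can_reopen_for_append(VAR_LOG, f, uid, gids)
            for name, f, uid, gids in cases}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:30} {'can open' if ok else 'EACCES'}")
```

Adding the syslog user to group adm does not help with mode 640, because the group class only grants read.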