/etc/rsyslog.conf sends authpriv logs to /var/log/messages rather than /var/log/secure

[j-kits]

In most other distros, rsyslog is configured to send authpriv logs to /var/log/secure rather than the standard log location, presumably for security reasons (e.g. https://www.rsyslog.com/doc/master/historical/multi_ruleset_legacy_format_samples.html ).

# The authpriv file has restricted access.   
authpriv.*                                              /var/log/secure

In Mariner, /etc/rsyslog.conf instead sends authpriv logs to /var/log/messages.

# The authpriv file has restricted access.   
authpriv.*                                              /var/log/messages

Is there a reason for this difference?

[eric-desrochers]

It seems like the rsyslog configuration was part of massive initial commit into Github (~2 years ago).

I'll let the engineers provide rationale if any. However, I think your request is valid, and we should do the exercise to ask us the question if we should consider a switch to /var/log/secure. to follow security standard.

My point of view is that
authpriv is use for security/authorization messages.

and

/var/log/secure store all security-related events such as logins, root user actions, ...

Plus you are right, both RHEL and Centos uses /var/log/secure (Their rsyslog downstream configuration for CentOS and RedHat are available upstream) :
https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/rsyslog.conf#L51-L52
https://github.com/rsyslog/rsyslog/blob/master/platform/redhat/centos/rsyslog.conf#L56-L57

As oppose to current Mariner rsyslog configuration:
https://github.com/microsoft/CBL-Mariner/blob/main/SPECS/rsyslog/rsyslog.conf#L34-L35

[bureado]

https://cs.github.com/?scopeName=All+repos&scope=&q=%2Fauthpriv%5C.%5C*%5Cs%2B.var.log.messages%2F

[christopherco]

Thanks for filing the issue! Fixed in 435738f