topic Re: Rsyslog remote logging via tcp not working - plz help in Operating System - Linux

Rsyslog remote logging via tcp not working - plz help

likeguru — Tue, 11 Jun 2013 06:19:46 GMT

I have a "central syslog server" that listens on udp 1514 and tcp 1468

All SUSE Linux Servers are sending their logs to "central syslog server" via tcp(1468). SUSE servers uses

'syslog-ng', with following configuration

destination LOGHOST { tcp("IP.OF.Syslog.Server" port(1468)); };
log { source(src); destination(LOGHOST); };

But none of the rhel boxes are sending their logs over tcp 1468. rhel6.4 boxes are configured as:

*.info @@IP.OF.Syslog.Server:1468

it works when I configured the rhel boxes to send the logs over udp

*.info @IP.OF.Syslog.Server:1514

Please help

Re: Rsyslog remote logging via tcp not working - plz help

likeguru — Tue, 11 Jun 2013 15:33:16 GMT

quite strange if I configure the box to send logs via tcp, merely running "/etc/init.d/rsyslog start" does not work for me. But running rsyslog in foreground and debug mode via following command works.

rsyslogd -d -n

Also running rsyslog in foreground and with debugging mode, has its own issue, i.e rhel box is only sending following logs to "central syslog server"

Message: run-parts(/etc/cron.hourly)[4210 finished 0anacron
Message: (root) CMD (/etc/init.d/sshd restart)

while if I configure the rsyslog to send logs over udp it works properly i,e no need to run the rsyslog daemon in foreground and debug mode, also then rhel send all/every log to "central syslog server"

I think rsyslog(rhel6.4) works properly with udp only

Re: Rsyslog remote logging via tcp not working - plz help

Matti_Kurkela — Thu, 13 Jun 2013 06:05:17 GMT

Do you have SELinux in enforcing mode (as is the default) in your RHEL 6.4 environment?

The SELinux policy might be stopping a normally-started rsyslog daemon from using TCP, but running it in foreground and debug mode might be bypassing the restriction.

Check /var/log/audit/audit.log. If it indicates that rsyslog's TCP connections are being denied, it indicates that SELinux is causing your problem. In that case, you might have to add customized SELinux rules for custom rsyslog configurations like yours. The "audit2allow" command might be very helpful here: feed it the audit.log lines caused by the rsyslog TCP connection attempt, and it will produce the necessary SELinux rules to allow it.

Re: Rsyslog remote logging via tcp not working - plz help

likeguru — Fri, 14 Jun 2013 10:22:27 GMT

Thanks Matti_Kurkella for pointing the SELinux part, which I really didn't notice till reading your reply.

I didnt try audit2allow command yet.. I'll try it after a while, but I simply disabled the selinux, and logs started receiving on "central log server" via tcp ;-)

Thanks once again.