HPE Community
Operating System - Linux
1820590 Members
2470 Online
109626 Solutions
New Discussion

Rsyslog remote logging via tcp not working - plz help

 
SOLVED
Go to solution
likeguru
Occasional Contributor

‎06-10-2013 11:19 PM

‎06-10-2013 11:19 PM

Rsyslog remote logging via tcp not working - plz help

I have a "central syslog server" that listens on udp 1514 and tcp 1468

 

All SUSE Linux Servers are sending their logs to "central syslog server"  via tcp(1468). SUSE servers uses

'syslog-ng', with following configuration

 

destination LOGHOST { tcp("IP.OF.Syslog.Server" port(1468)); };
log { source(src); destination(LOGHOST); };

 

But none of the rhel boxes are sending their logs over tcp 1468.  rhel6.4 boxes are configured as:

 

*.info   @@IP.OF.Syslog.Server:1468

 

it works when I configured the rhel boxes to send the logs over udp

 

*.info   @IP.OF.Syslog.Server:1514

 

Please help

0 Kudos
Reply
3 REPLIES 3
likeguru
Occasional Contributor

‎06-11-2013 08:33 AM

‎06-11-2013 08:33 AM

Re: Rsyslog remote logging via tcp not working - plz help

quite strange if I configure the box to send logs via tcp, merely running "/etc/init.d/rsyslog start" does not work for me. But  running rsyslog in foreground and debug mode via following command works.

 

rsyslogd -d -n

 

 

 

 

Also running rsyslog in foreground and with debugging mode, has its own issue, i.e rhel box is only sending following logs to "central syslog server"

 

 

Spoiler
Message: run-parts(/etc/cron.hourly)[4210 finished 0anacron
Message: (root) CMD (/etc/init.d/sshd restart)

 


while if I configure the rsyslog to send logs over udp it works properly i,e no need to run the rsyslog daemon in foreground and debug mode, also then rhel send all/every log to "central syslog server"

I think rsyslog(rhel6.4) works properly with udp only

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎06-12-2013 11:05 PM

‎06-12-2013 11:05 PM

Solution

Re: Rsyslog remote logging via tcp not working - plz help

Do you have SELinux in enforcing mode (as is the default) in your RHEL 6.4 environment?

 

The SELinux policy might be stopping a normally-started rsyslog daemon from using TCP, but running it in foreground and debug mode might be bypassing the restriction.

 

Check /var/log/audit/audit.log. If it indicates that rsyslog's TCP connections are being denied, it indicates that SELinux is causing your problem. In that case, you might have to add customized SELinux rules for custom rsyslog configurations like yours. The "audit2allow" command might be very helpful here: feed it the audit.log lines caused by the rsyslog TCP connection attempt, and it will produce the necessary SELinux rules to allow it.

 

MK
0 Kudos
Reply
likeguru
Occasional Contributor

‎06-14-2013 03:22 AM

‎06-14-2013 03:22 AM

Re: Rsyslog remote logging via tcp not working - plz help

Thanks Matti_Kurkella for pointing the SELinux part, which I really didn't notice till reading your reply.

 

I didnt try audit2allow command yet.. I'll try it after a while, but I simply disabled the selinux, and logs started receiving on "central log server" via tcp ;-)

 

Thanks once again.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.