Re: Help ! No syslog anymore

2023-11-16 Thread Bhasker C V
Michael,
You are a star.
I don't know what I did before but I re-installed rsyslog and changed the
PrivateTmp to no
It works now.
I can see /tmp/server.log is now pushing syslog contents
Thank you very much.

On Mon, Nov 13, 2023 at 10:24 AM Michael Biebl  wrote:

> Am 13.11.23 um 10:13 schrieb Bhasker C V:
> > I forgot to answer the question on why I am doing this
> > I am experimenting on a no-log system where there are no writes
> > whatsoever to /var/log (except for mails) or systemd journal
> > (currently kept volatile)
> > /tmp/ is tmpfs mounted
> > Attached is the rsyslog config as-it-is being used now.
> >
>
> With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log
> to /run/server.log correctly (verified locally).
>
> I can only assume you didn't follow my instructions properly.
>
> Please make sure after following my instruction that you have afterwards
> # systemctl show -P PrivateTmp rsyslog.service
> no
>
> Btw, for your use case, a subdirectory in /run would be more suitable,
> like say /run/syslog/.
>
> Also, you currently have
> *.* -/tmp/server.log
> *and*
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,audit,news.none-/tmp/server.log
>
> This doesn't make any sense.
> This will basically duplicate the log messages in /tmp/server.log and
> interleave them.
>
> Either you split up the log facilities and log them to separate files
> or you only keep a single log rule like
>
> *.* -/tmp/server.log
>
> which simply logs everything to /tmp/server.log
>
>


Re: Help ! No syslog anymore

2023-11-13 Thread Michael Biebl

Am 13.11.23 um 10:13 schrieb Bhasker C V:

I forgot to answer the question on why I am doing this
I am experimenting on a no-log system where there are no writes
whatsoever to /var/log (except for mails) or systemd journal
(currently kept volatile)

/tmp/ is tmpfs mounted
Attached is the rsyslog config as-it-is being used now.



With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log 
to /run/server.log correctly (verified locally).


I can only assume you didn't follow my instructions properly.

Please make sure after following my instruction that you have afterwards
# systemctl show -P PrivateTmp rsyslog.service
no

Btw, for your use case, a subdirectory in /run would be more suitable, 
like say /run/syslog/.


Also, you currently have
*.* -/tmp/server.log
*and*
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,audit,news.none-/tmp/server.log

This doesn't make any sense.
This will basically duplicate the log messages in /tmp/server.log and 
interleave them.


Either you split up the log facilities and log them to separate files
or you only keep a single log rule like


*.* -/tmp/server.log

which simply logs everything to /tmp/server.log



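As an added example, not code from the thread or from rsyslog itself, here is a small Python checker for the duplicate-target problem Michael describes: it parses legacy rsyslog selector lines (including the backslash-continued form quoted above) and reports any file that more than one rule writes to, run against a constructed config that mirrors the two rules in question.

```python
"""Find rsyslog legacy rules that write to the same file (added example,
not code from the thread or from rsyslog: joins backslash-continued
lines, strips the "-" async-write prefix, reports files hit by >1 rule)."""
import re
from collections import defaultdict

# Constructed sample: the two rules quoted above plus one separate file.
SAMPLE_CONF = r"""
# rsyslog.conf (constructed sample)
*.* -/tmp/server.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,audit,news.none-/tmp/server.log
authpriv.* /tmp/auth.log
"""

# selector, optional whitespace, optional "-" (async write), then a path
_RULE_RE = re.compile(r"^(?P<selector>\S+?)\s*(?P<action>-?/\S+)$")

def join_continuations(text):
    """Merge lines that end in a backslash into one logical line."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):       # rule continues on the next line
            pending += line[:-1]
        else:
            logical.append(pending + line)
            pending = ""
    return logical + ([pending] if pending else [])

def parse_rules(text):
    """Return (selector, target_path) pairs for rules writing to files."""
    rules = []
    for line in join_continuations(text):
        line = line.strip()
        if not line or line[0] in "#$":   # skip comments and $ directives
            continue
        m = _RULE_RE.match(line)
        if m:
            rules.append((m.group("selector"), m.group("action").lstrip("-")))
    return rules

def duplicate_targets(text):
    """Map each file written by more than one rule to those rules' selectors."""
    by_target = defaultdict(list)
    for selector, target in parse_rules(text):
        by_target[target].append(selector)
    return {t: s for t, s in by_target.items() if len(s) > 1}
```

Any target returned by duplicate_targets will receive interleaved copies of matching messages; keeping a single rule per file, or splitting facilities across files, resolves it.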


Re: Help ! No syslog anymore

2023-11-13 Thread Bhasker C V
I forgot to answer the question on why I am doing this
I am experimenting on a no-log system where there are no writes whatsoever
to /var/log (except for mails) or systemd journal (currently kept volatile)
/tmp/ is tmpfs mounted
Attached is the rsyslog config as-it-is being used now.



On Sun, Nov 12, 2023 at 1:46 PM Michael Biebl  wrote:

> Am 12.11.23 um 08:18 schrieb Bhasker C V:
> > Hi,
> > I have tried removing PrivateTmp=no in the rsyslog service file and it
> > still doesn't work
>
> I assume you mean PrivateTmp=yes?
>
> > I have removed the service file which I had created too.
> > I found that when I run the daemon manually, it works well. Hence I have
> > disabled rsyslog and I have put the daemon startup in my rc-local
> >
> > But yes, removing PrivateTmp doesn't help.
> > I am happy to troubleshoot this if anyone wants me to be a QA for this.
>
> As a first step, please share your complete rsyslog config *verbatim*
>
>
> Michael
>
> [Not subscribed to debian-user, so please CC on replies]
>




Re: Help ! No syslog anymore

2023-11-12 Thread Michael Biebl

Am 12.11.23 um 08:18 schrieb Bhasker C V:

Hi,
I have tried removing PrivateTmp=no in the rsyslog service file and it
still doesn't work


I assume you mean PrivateTmp=yes?


I have removed the service file which I had created too.
I found that when I run the daemon manually, it works well. Hence I have 
disabled rsyslog and I have put the daemon startup in my rc-local


But yes, removing PrivateTmp doesn't help.
I am happy to troubleshoot this if anyone wants me to be a QA for this.


As a first step, please share your complete rsyslog config *verbatim*


Michael

[Not subscribed to debian-user, so please CC on replies]




Re: Help ! No syslog anymore

2023-11-11 Thread Bhasker C V
Hi,
I have tried removing PrivateTmp=no in the rsyslog service file and it
still doesn't work
I have removed the service file which I had created too.
I found that when I run the daemon manually, it works well. Hence I have
disabled rsyslog and I have put the daemon startup in my rc-local

But yes, removing PrivateTmp doesn't help.
I am happy to troubleshoot this if anyone wants me to be a QA for this.


On Fri, Nov 10, 2023 at 3:55 PM Michael Biebl  wrote:

> The service file you posted is not a good idea. Please remove it again.
>
>
> If moving the log file out of /tmp is not an option, please run
> systemctl edit rsyslog.service
> and disable PrivateTmp via
>
> [Service]
> PrivateTmp=no
>


Re: Help ! No syslog anymore

2023-11-10 Thread Michael Biebl

The service file you posted is not a good idea. Please remove it again.


If moving the log file out of /tmp is not an option, please run
systemctl edit rsyslog.service
and disable PrivateTmp via

[Service]
PrivateTmp=no




Re: Help ! No syslog anymore

2023-11-10 Thread Bhasker C V
Thanks very much.
Adding bind path did not help. I found that if I run rsyslog from
command-line as unconfined_t, it works well. It is just the extra systemd
locks which fail
I have since written a simple systemd unit file to make rsyslog work and it
has started working

# /etc/systemd/system/user-rsyslog.service
[Unit]
Description=Simple Rsyslog service
After=network.target auditd.service

[Service]
Type=simple
ExecStart=pkill -9 -f rsyslogd;/usr/sbin/rsyslogd -n -iNONE

[Install]
WantedBy=multi-user.target

On Wed, Nov 8, 2023 at 4:47 PM Sven Joachim  wrote:

> On 2023-11-08 08:26 +, Bhasker C V wrote:
>
> >  I moved my syslog to a different location  '/tmp/server.log'
>
> A rather strange decision, since /tmp is usually pruned on reboot.
>
> > This was working all fine until I moved to selinux in enforcing mode.
> >
> > I have tried putting selinux in permissive state and that too did not
> help
>
> Most likely your problem has nothing to do with selinux, but is rather
> due to the hardening features implemented in rsyslog 8.2310.0-1.  Among
> other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
> in rsyslog.service) which is not shared with other processes.
>
> > Please could someone help ? Or if there is a procedure to move syslog
> file
> > /var/log/syslog to a different location, I am happy to follow ...
>
> If you insist on moving it to /tmp, one possibility is to use a bind
> mount for /tmp/server.log.  Run "systemctl edit rsyslog.service" and put
> the following two lines in the file:
>
> [Service]
> BindPaths=-/tmp/server.log
>
> You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
> reboot if it does not exist.
>
> Good luck,
> Sven
>
>


Re: Help ! No syslog anymore

2023-11-08 Thread Sven Joachim
On 2023-11-08 08:26 +, Bhasker C V wrote:

>  I moved my syslog to a different location  '/tmp/server.log'

A rather strange decision, since /tmp is usually pruned on reboot.

> This was working all fine until I moved to selinux in enforcing mode.
>
> I have tried putting selinux in permissive state and that too did not help

Most likely your problem has nothing to do with selinux, but is rather
due to the hardening features implemented in rsyslog 8.2310.0-1.  Among
other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
in rsyslog.service) which is not shared with other processes.

> Please could someone help ? Or if there is a procedure to move syslog file
> /var/log/syslog to a different location, I am happy to follow ...

If you insist on moving it to /tmp, one possibility is to use a bind
mount for /tmp/server.log.  Run "systemctl edit rsyslog.service" and put
the following two lines in the file:

[Service]
BindPaths=-/tmp/server.log

You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
reboot if it does not exist.

Good luck,
Sven



Help ! No syslog anymore

2023-11-08 Thread Bhasker C V
Hi,

 I moved my syslog to a different location  '/tmp/server.log'
This was working all fine until I moved to selinux in enforcing mode.

I have the file context as system_u:object_r:syslogd_runtime_t:s0
now, the file is empty
Strangely ...
lsof shows rsyslog is using this file

rsyslogd 25561 root    4r   CHR        1,9      0t0         18 /dev/urandom
rsyslogd 25561 root    5r   REG       0,44        0 4026532059 /proc/kmsg
rsyslogd 25561 root    6u  unix 0xc5984619      0t0     136109 type=DGRAM (CONNECTED)
rsyslogd 25561 root    7w   REG       0,35     8952       4873 /tmp/server.log
rsyslogd 25561 root    8w   REG       0,35     8952       4873 /tmp/server.log
rsyslogd 25561 root    9w   REG       0,35     8952       4873 /tmp/server.log

But, the file says it is not being used by rsyslog

 $ sudo lsof /tmp/server.log
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
tail    24848  bcv    3r   REG   0,35       39   37 /tmp/server.log

There are also no messages in the kernel which I can use to audit any
access/deny issues for selinux.
I have tried putting selinux in permissive state and that too did not help
Please could someone help ? Or if there is a procedure to move syslog file
/var/log/syslog to a different location, I am happy to follow ...