Hi,

This is CentOS 6.5 (Final).
Indeed it was SELinux. Silenced it via echo 0 > /selinux/enforce and now rsyslog is happy.

Thanks David!

Otis
--
Monitoring * Alerting * Anomaly Detection * Centralized Log Management
Solr & Elasticsearch Support * http://sematext.com/

On Mon, Feb 2, 2015 at 6:56 PM, David Lang <[email protected]> wrote:

> On Mon, 2 Feb 2015, Otis Gospodnetic wrote:
>
>> This may be related, from /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1422920373.711:10802239): avc: denied { read } for
>> pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1
>> scontext=unconfined_u:system_r:syslogd_t:s0
>> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1422920373.711:10802239): arch=c000003e syscall=0
>> success=no exit=-13 a0=4 a1=7faa0438e930 a2=2000 a3=f items=0 ppid=1
>> pid=4704 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> tty=(none) ses=484294 comm="in:imfile" exe="/sbin/rsyslogd"
>> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
>>
>> I found this after noticing log message started appearing in
>> /var/log/messages every 5 seconds (after I added the imfile input listed
>> below) causing /var/log/audit/audit.log to grow rapidly and rotate every 5
>> seconds or so:
>>
>> Feb 2 23:40:04 logsene-reports auditd[18337]: Audit daemon rotating log
>> files
>>
>> Anyone knows what this is about?
>
> that looks like a SELinux or AppArmor permission problem.
>
> David Lang
>
>> Thanks,
>> Otis
>> --
>> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
>> Solr & Elasticsearch Support * http://sematext.com/
>>
>> On Mon, Feb 2, 2015 at 6:34 PM, Otis Gospodnetic <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Trying to tell the latest 8.7.0 rsyslog's imfile as follows, but it's
>>> complaining about Permission denied.... which looks wrong...
>>>
>>> module(load="imfile" mode="inotify" PollingInterval="10")
>>>
>>> input(type="imfile"
>>> File="/mnt/opt/jetty/logs/jetty.stderrout.log"
>>> Tag="jetty:"
>>> ReadMode="0")
>>>
>>> Feb 2 23:28:12 qqq-reports rsyslogd-2046: imfile warning: directory
>>> '/mnt/opt/jetty/logs': Permission denied [try
>>> http://www.rsyslog.com/e/2046 ]
>>>
>>> ec2-user@qqq-reports ~]$ ls -al /mnt/opt/ | grep jetty
>>> drwxr-xr-x. 12 root root 4096 Jan 31 13:48 jetty
>>>
>>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/ | grep logs
>>> drwxr-xr-x. 2 root root 12288 Jan 31 22:14 logs
>>>
>>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/logs/jetty.log
>>> -rw-r--r--. 1 root root 194510 Jan 31 22:18 /mnt/opt/jetty/logs/jetty.log
>>>
>>> I don't see any info in /var/log/messages about rsyslog dropping
>>> privileges when I restart it.
>>> Plus, everything is readable and the parent directory has the +x for
>>> everyone on it.
>>>
>>> What am I doing wrong?
>>>
>>> Thanks,
>>> Otis
>>> --
>>> Monitoring * Alerting * Anomaly Detection * Centralized Log Management
>>> Solr & Elasticsearch Support * http://sematext.com/
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
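
Added example, not part of the original thread and not rsyslog or SELinux project code: the fix reported above put SELinux into permissive mode for the whole host, while the denial in the quoted audit.log concerns one source type, one target type and one permission. The script below reads AVC records like the quoted one, collapses the repeats, and prints the type-enforcement rule each denial corresponds to, which is the summary the audit2allow tool produces. The sample log is constructed from the quoted record, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the thread, joined onto one line
# and repeated to mimic the denial recurring every few seconds.
AVC = ('type=AVC msg=audit(1422920373.711:10802239): avc: denied { read } for '
       'pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1 '
       'scontext=unconfined_u:system_r:syslogd_t:s0 '
       'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1422920373.711:10802239): arch=c000003e '
           'syscall=0 success=no exit=-13 comm="in:imfile" exe="/sbin/rsyslogd"')
SAMPLE_LOG = "\n".join([AVC, SYSCALL, AVC])

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> {'perms': set, 'count': int}."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial tuple
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        denials[key]["count"] += 1
    return dict(denials)

def allow_rules(denials):
    """Render each denial as the type-enforcement rule that would permit it."""
    rules = []
    for (src, tgt, cls), info in sorted(denials.items()):
        perms = sorted(info["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for key, info in found.items():
        print(key, "seen", info["count"], "times")
    print("\n".join(allow_rules(found)))
```

Reviewing the printed rule before loading anything keeps the change scoped to syslogd_t reading the inotifyfs directory, with enforcement left on for everything else.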

