2015-02-03 4:40 GMT+01:00 Jeremy Hoel <[email protected]>: > You should really fix the ACL and turn selinux back on. Depending on the > path you are trying to read, it's not to hard to add some permissions based > on the audit.log and make the module needed to let rsyslog run happily. > > would someone willing to provide some instructions on how to do this (in cookbook terms) -- or even add this to the rsyslog doc?
If someone has a website link that just explains what to do, this may be sufficient (we could link to it from a couple of relevant pages of the doc). Rainer > On Mon, Feb 2, 2015 at 8:37 PM, Otis Gospodnetic < > [email protected] > > wrote: > > > Hi, > > > > This is CentOS 6.5 (Final). > > > > Indeed it was SELinux. Silenced it via echo 0 > /selinux/enforce and now > > rsyslog is happy. > > > > Thanks David! > > > > Otis > > -- > > Monitoring * Alerting * Anomaly Detection * Centralized Log Management > > Solr & Elasticsearch Support * http://sematext.com/ > > > > > > On Mon, Feb 2, 2015 at 6:56 PM, David Lang <[email protected]> wrote: > > > > > On Mon, 2 Feb 2015, Otis Gospodnetic wrote: > > > > > > This may be related, from /var/log/audit/audit.log: > > >> > > >> type=AVC msg=audit(1422920373.711:10802239): avc: denied { read } > for > > >> pid=4704 comm="in:imfile" path="inotify" dev=inotifyfs ino=1 > > >> scontext=unconfined_u:system_r:syslogd_t:s0 > > >> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > >> type=SYSCALL msg=audit(1422920373.711:10802239): arch=c000003e > syscall=0 > > >> success=no exit=-13 a0=4 a1=7faa0438e930 a2=2000 a3=f items=0 ppid=1 > > >> pid=4704 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > fsgid=0 > > >> tty=(none) ses=484294 comm="in:imfile" exe="/sbin/rsyslogd" > > >> subj=unconfined_u:system_r:syslogd_t:s0 key=(null) > > >> > > >> I found this after noticing log message started appearing in > > >> /var/log/messages every 5 seconds (after I added the imfile input > listed > > >> below) causing /var/log/audit/audit.log to grow rapidly and rotate > > every 5 > > >> seconds or so: > > >> > > >> Feb 2 23:40:04 logsene-reports auditd[18337]: Audit daemon rotating > log > > >> files > > >> > > >> > > >> Anyone knows what this is about? > > >> > > > > > > that looks like a SELinux or AppArmor permission problem. > > > > > > David Lang > > > > > > Thanks, > > >> Otis > > >> -- > > >> Monitoring * Alerting * Anomaly Detection * Centralized Log Management > > >> Solr & Elasticsearch Support * http://sematext.com/ > > >> > > >> > > >> On Mon, Feb 2, 2015 at 6:34 PM, Otis Gospodnetic < > > >> [email protected] > > >> > > >>> wrote: > > >>> > > >> > > >> Hi, > > >>> > > >>> Trying to tell the latest 8.7.0 rsyslog's imfile as follows, but it's > > >>> complaining about Permission denied.... which looks wrong... > > >>> > > >>> module(load="imfile" mode="inotify" PollingInterval="10") > > >>> > > >>> input(type="imfile" > > >>> File="/mnt/opt/jetty/logs/jetty.stderrout.log" > > >>> Tag="jetty:" > > >>> ReadMode="0") > > >>> > > >>> Feb 2 23:28:12 qqq-reports rsyslogd-2046: imfile warning: directory > > >>> '/mnt/opt/jetty/logs': Permission denied [try > > >>> http://www.rsyslog.com/e/2046 ] > > >>> > > >>> ec2-user@qqq-reports ~]$ ls -al /mnt/opt/ | grep jetty > > >>> drwxr-xr-x. 12 root root 4096 Jan 31 13:48 jetty > > >>> > > >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/ | grep logs > > >>> drwxr-xr-x. 2 root root 12288 Jan 31 22:14 logs > > >>> > > >>> [ec2-user@qqq-reports ~]$ ls -al /mnt/opt/jetty/logs/jetty.log > > >>> -rw-r--r--. 1 root root 194510 Jan 31 22:18 > > /mnt/opt/jetty/logs/jetty.log > > >>> > > >>> I don't see any info in /var/log/messages about rsyslog dropping > > >>> privileges when I restart it. > > >>> Plus, everything is readable and the parent directory has the +x for > > >>> everyone on it. > > >>> > > >>> What am I doing wrong? > > >>> > > >>> Thanks, > > >>> Otis > > >>> -- > > >>> Monitoring * Alerting * Anomaly Detection * Centralized Log > Management > > >>> Solr & Elasticsearch Support * http://sematext.com/ > > >>> > > >>> > > >>> _______________________________________________ > > >> rsyslog mailing list > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > > >> http://www.rsyslog.com/professional-services/ > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > >> DON'T LIKE THAT. > > >> > > >> _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > > DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
