David, I checked the SELinux tags, and they are exactly the same. Here is the output of that ( my apologies for all the redacting ):
*server1:* [root@REDACTED~]# ls -dZ /usr /usr/local /usr/local/REDACTED /usr/local/REDACTED/REDACTED /usr/local/REDACTED/REDACTED/logs /usr/local/REDACTED/REDACTED/logs/REDACTED.log drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/local drwxr-xr-x REDACTED REDACTED ? /usr/local/REDACTED drwxrwxr-x REDACTED REDACTED ? /usr/local/REDACTED/REDACTED drwxrwxr-x REDACTED REDACTED ? /usr/local/REDACTED/REDACTED/logs -rw-rw-r-- REDACTED REDACTED ? /usr/local/REDACTED/REDACTED/logs/REDACTED.log *server2:* [root@REDACTED ~]# ls -dZ /usr /usr/local /usr/local/REDACTED /usr/local/REDACTED/REDACTED /usr/local/REDACTED/REDACTED/logs /usr/local/REDACTED/REDACTED/logs/REDACTED.log drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/local drwxr-xr-x REDACTED REDACTED ? /usr/local/REDACTED drwxrwxr-x REDACTED REDACTED ? /usr/local/REDACTED/REDACTED drwxrwxr-x REDACTED REDACTED ? /usr/local/REDACTED/REDACTED/logs -rw-r--r-- REDACTED REDACTED ? /usr/local/REDACTED/REDACTED/logs/REDACTED.log The normal system logs forward just fine (e.g. messages, maillogs, etc.). It's the custom log that I am attempting to forward that works on our non-production environment and then the one that doesn't work is on our production environment. Unfortunately I am unable to capture the debug log as this would mean restarting the service in debug mode. To do this I would need to request a change control which will take long than I would like. This is the reason why I thought about just emailing the mailing list and see if someone would be able to assist without having to go through my companies process of changing anything in production. On Thu, May 12, 2016 at 2:12 PM, David Lang <[email protected]> wrote: > On Thu, 12 May 2016, Thomas Lowry wrote: > > Hello, >> >> I am having an issue where I have two identical servers and a central log >> server. We will call the identical servers "server1" and "server2" and the >> log server "logserver". I have a custom log on both "server1" and >> "server2" >> is picked up by Rsyslog to forward the messages to the "logserver". This >> works fine on "server1", but not on "server2" which are configured exactly >> the same way. Here are the configurations for these servers: >> >> The custom configuration file for "server1" and "server2": >> http://pastebin.com/raw/KxjWqbun >> >> The rsyslog.conf for "server1" and "server2": >> http://pastebin.com/raw/QWJUrLu7 >> >> And finally, here is my rsyslog.conf for the "logserver": >> http://pastebin.com/raw/57eEF8BW >> >> Is there something I have configured incorrectly? I have compared down to >> the MD5 sums of each file and they are exactly the same. I am using RPM >> version 5.8.10-8 of Rsyslog on a 64 bit CentOS 6.6. >> > > The first thing I would check is the SELinux tags on all the directories > and files (ls -Z) if those are different it can make it so that you can't > read the file. > > Just to be sure I understand your situation, normal logs from both files > work, it's the imfile section that works on one and not on the other, > correct? > > you can try starting rsyslog in debug mode (rsyslogd -dn) and see if the > log gives you any errors about that file/directory (it's a VERY detailed > log, so capture it to a file and look through it after a few min) > > David Lang > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > -- Sincerely, Thomas Lowry 281.975.9540 Connect With Me on LinkedIn <https://www.linkedin.com/pub/johnny-lowry/52/937/29> _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
