On Thu, 12 May 2016, Thomas Lowry wrote:


David,

I checked the SELinux tags, and they are exactly the same. Here is the
output of that ( my apologies for all the redacting ):

*server1:*
[root@REDACTED~]# ls -dZ /usr /usr/local /usr/local/REDACTED /usr/local/REDACTED/REDACTED /usr/local/REDACTED/REDACTED/logs /usr/local/REDACTED/REDACTED/logs/REDACTED.log
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/local
drwxr-xr-x  REDACTED REDACTED ?                        /usr/local/REDACTED
drwxrwxr-x  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED
drwxrwxr-x  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED/logs
-rw-rw-r--  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED/logs/REDACTED.log

*server2:*
[root@REDACTED ~]# ls -dZ /usr /usr/local /usr/local/REDACTED /usr/local/REDACTED/REDACTED /usr/local/REDACTED/REDACTED/logs /usr/local/REDACTED/REDACTED/logs/REDACTED.log
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/local
drwxr-xr-x  REDACTED REDACTED ?                        /usr/local/REDACTED
drwxrwxr-x  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED
drwxrwxr-x  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED/logs
-rw-r--r--  REDACTED REDACTED ?                        /usr/local/REDACTED/REDACTED/logs/REDACTED.log


The normal system logs forward just fine (e.g. messages, maillogs, etc.).
It's the custom log that I am attempting to forward that works on our
non-production environment and then the one that doesn't work is on our
production environment.

Unfortunately I am unable to capture the debug log as this would mean
restarting the service in debug mode. To do this I would need to request a
change control which will take longer than I would like. This is the reason
why I thought about just emailing the mailing list and see if someone would
be able to assist without having to go through my company's process of
changing anything in production.

unfortunately, if you have two computers running identical code with identical configs behaving differently, the problem is tracking down what isn't actually identical between them :-/

the fact that normal logs are flowing is a good thing in that it means the problem is just on the sending side.

check the SELinux tags on the files, not just the directories.

I've seen many cases where some file was created by a process running as root, and ends up with different SELinux tags than the same process would have when running at startup.

unfortunately 5.8 is ancient enough that figuring out exactly how it worked for something like this is a non-trivial amount of work. We can give you pointers on where to find the answers.

David Lang
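
One way to run the file-level comparison suggested above on both senders, as an added example (not code from this thread or from rsyslog): it records mode, owner and SELinux context for every component of the monitored path and reports what differs between two hosts. It assumes GNU stat and paths without "|"; the /opt/app paths, owners and labels in demo are constructed.

```shell
#!/bin/sh
# Added example: snapshot mode, owner and SELinux context of every path
# component so two hosts can be compared. Assumes GNU stat and no "|" in paths.

# path_chain /a/b/c prints /a, /a/b, /a/b/c (one per line).
path_chain() {
    p=$1 chain=
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '%s' "$chain"
}

# snapshot PATH prints one "path|mode|owner:group|context" record per component.
snapshot() {
    path_chain "$1" | while IFS= read -r c; do
        meta=$(stat -c '%A|%U:%G' "$c" 2>/dev/null) || meta='MISSING|-'
        # stat exits non-zero when no SELinux context can be read for the file
        ctx=$(stat -c '%C' "$c" 2>/dev/null) || ctx='?'
        printf '%s|%s|%s\n' "$c" "$meta" "${ctx:-?}"
    done
}

# drift A B prints every path whose record differs between two snapshots.
drift() {
    awk -F'|' '
        NR == FNR { a[$1] = substr($0, length($1) + 2); next }
        { b = substr($0, length($1) + 2); seen[$1] = 1
          if (!($1 in a)) print $1 ": A=absent B=" b
          else if (a[$1] != b) print $1 ": A=" a[$1] " B=" b }
        END { for (k in a) if (!(k in seen)) print k ": A=" a[k] " B=absent" }
    ' "$1" "$2"
}

# demo runs drift over constructed records (hypothetical paths and owners).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/opt/app/logs|drwxrwxr-x|app:app|?' \
        '/opt/app/logs/app.log|-rw-rw-r--|app:app|?' > "$d/a"
    printf '%s\n' '/opt/app/logs|drwxrwxr-x|app:app|?' \
        '/opt/app/logs/app.log|-rw-r--r--|root:root|unconfined_u:object_r:usr_t:s0' > "$d/b"
    drift "$d/a" "$d/b"
    rm -rf "$d"
}
```

Run snapshot against the monitored log file on each server, redirect the output to a file per host, then pass both files to drift; reading the metadata needs no rsyslog restart.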

On Thu, May 12, 2016 at 2:12 PM, David Lang <[email protected]> wrote:

On Thu, 12 May 2016, Thomas Lowry wrote:

Hello,

I am having an issue where I have two identical servers and a central log
server. We will call the identical servers "server1" and "server2" and the
log server "logserver". I have a custom log on both "server1" and
"server2"
that is picked up by Rsyslog to forward the messages to the "logserver". This
works fine on "server1", but not on "server2" which are configured exactly
the same way. Here are the configurations for these servers:

The custom configuration file for "server1" and "server2":
http://pastebin.com/raw/KxjWqbun

The rsyslog.conf for "server1" and "server2":
http://pastebin.com/raw/QWJUrLu7

And finally, here is my rsyslog.conf for the "logserver":
http://pastebin.com/raw/57eEF8BW

Is there something I have configured incorrectly? I have compared down to
the MD5 sums of each file and they are exactly the same. I am using RPM
version 5.8.10-8 of Rsyslog on a 64 bit CentOS 6.6.


The first thing I would check is the SELinux tags on all the directories
and files (ls -Z) if those are different it can make it so that you can't
read the file.

Just to be sure I understand your situation, normal logs from both files
work, it's the imfile section that works on one and not on the other,
correct?

you can try starting rsyslog in debug mode (rsyslogd -dn) and see if the
log gives you any errors about that file/directory (it's a VERY detailed
log, so capture it to a file and look through it after a few min)

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.




