Right, I am afraid I am going to have to have an entire change control setup just to request putting this in debug mode. Not something I really wanted to do though. Oh well ^_^. As far as I can tell I looked at all the files and directories associated with it and the SELinux tags are the same as well. Yeah 5.8 is a bit old and I would like to go to version 6 or 7, but I have to work with what I get :(. I'll let you know what I find once I can put it in debug mode.

On Thu, May 12, 2016 at 4:12 PM, David Lang <[email protected]> wrote:

> On Thu, 12 May 2016, Thomas Lowry wrote:
>
>> David,
>>
>> I checked the SELinux tags, and they are exactly the same. Here is the
>> output of that ( my apologies for all the redacting ):
>>
>> *server1:*
>> [root@REDACTED~]# ls -dZ /usr /usr/local /usr/local/REDACTED
>> /usr/local/REDACTED/REDACTED /usr/local/REDACTED/REDACTED/logs
>> /usr/local/REDACTED/REDACTED/logs/REDACTED.log
>> drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr
>> drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/local
>> drwxr-xr-x REDACTED REDACTED ?
>> /usr/local/REDACTED
>> drwxrwxr-x REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED
>> drwxrwxr-x REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED/logs
>> -rw-rw-r-- REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED/logs/REDACTED.log
>>
>> *server2:*
>> [root@REDACTED ~]# ls -dZ /usr /usr/local
>> /usr/local/REDACTED /usr/local/REDACTED/REDACTED
>> /usr/local/REDACTED/REDACTED/logs
>> /usr/local/REDACTED/REDACTED/logs/REDACTED.log
>> drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr
>> drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/local
>> drwxr-xr-x REDACTED REDACTED ?
>> /usr/local/REDACTED
>> drwxrwxr-x REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED
>> drwxrwxr-x REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED/logs
>> -rw-r--r-- REDACTED REDACTED ?
>> /usr/local/REDACTED/REDACTED/logs/REDACTED.log
>>
>> The normal system logs forward just fine (e.g. messages, maillogs, etc.).
>> It's the custom log that I am attempting to forward that works on our
>> non-production environment and then the one that doesn't work is on our
>> production environment.
>>
>> Unfortunately I am unable to capture the debug log as this would mean
>> restarting the service in debug mode. To do this I would need to request a
>> change control which will take longer than I would like. This is the reason
>> why I thought about just emailing the mailing list and see if someone would
>> be able to assist without having to go through my company's process of
>> changing anything in production.
>
> unfortunately, if you have two computers running identical code with
> identical configs behaving differently, the problem is tracking down what
> isn't actually identical between them :-/
>
> the fact that normal logs are flowing is a good thing in that it means the
> problem is just on the sending side.
>
> check the SELinux tags on the files, not just the directories.
>
> I've seen many cases where some file was created by a process running as
> root, and ends up with different SELinux tags than the same process would
> have when running at startup.
>
> unfortunately 5.8 is ancient enough that figuring out exactly how it
> worked for something like this is a non-trivial amount of work. We can give
> you pointers on where to find the answers.
>
> David Lang
>
> On Thu, May 12, 2016 at 2:12 PM, David Lang <[email protected]> wrote:
>>
>> On Thu, 12 May 2016, Thomas Lowry wrote:
>>>
>>> Hello,
>>>
>>>> I am having an issue where I have two identical servers and a central log
>>>> server. We will call the identical servers "server1" and "server2" and the
>>>> log server "logserver". I have a custom log on both "server1" and "server2"
>>>> is picked up by Rsyslog to forward the messages to the "logserver". This
>>>> works fine on "server1", but not on "server2" which are configured exactly
>>>> the same way. Here are the configurations for these servers:
>>>>
>>>> The custom configuration file for "server1" and "server2":
>>>> http://pastebin.com/raw/KxjWqbun
>>>>
>>>> The rsyslog.conf for "server1" and "server2":
>>>> http://pastebin.com/raw/QWJUrLu7
>>>>
>>>> And finally, here is my rsyslog.conf for the "logserver":
>>>> http://pastebin.com/raw/57eEF8BW
>>>>
>>>> Is there something I have configured incorrectly? I have compared down to
>>>> the MD5 sums of each file and they are exactly the same. I am using RPM
>>>> version 5.8.10-8 of Rsyslog on a 64 bit CentOS 6.6.
>>>>
>>> The first thing I would check is the SELinux tags on all the directories
>>> and files (ls -Z) if those are different it can make it so that you can't
>>> read the file.
>>>
>>> Just to be sure I understand your situation, normal logs from both files
>>> work, it's the imfile section that works on one and not on the other,
>>> correct?
>>>
>>> you can try starting rsyslog in debug mode (rsyslogd -dn) and see if the
>>> log gives you any errors about that file/directory (it's a VERY detailed
>>> log, so capture it to a file and look through it after a few min)
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.

--
Sincerely,
Thomas Lowry

