Timeline for SELinux causing issue with syslog-ng
Current License: CC BY-SA 4.0
10 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Oct 15 at 11:30 | comment | added | Janos Szigetvari | @user3271408 If you are hesitant to share any further details on company infra in this public space, please consider joining our Discord server where we can potentially help you further. Please see the Support section of our documentation for further details: axoflow.com/docs/axosyslog-core/#support | |
| Oct 15 at 5:28 | comment | added | Janos Szigetvari | @user3271408 (contd.) * could you attempt an upgrade to the latest syslog-ng (open-source) version? I believe the one you get with RHEL is pretty old by now. Perhaps you would get some more error messages, that you could use. - could you duplicate your local log flow somewhere under the local /var/log? (Perhaps syslog-ng complains about something, like being unable to write to a file, or something.) For now, these are my best tips to track down this problem. | |
| Oct 15 at 5:26 | comment | added | Janos Szigetvari | @user3271408 Without your (anonymized) config I can't say much. It sure looks like SELinux is at play at some point in this. I would recommend the following to you: * could you reproduce the problem on a non-prod system, where you would be more free to experiment with the setup? * on that other machine, could you try installing this script, to build a syslog-ng SELinux module? (I wrote it originally, but the script has been left unmaintained for some years now, since I left that company behind syslog-ng.) ... | |
| Oct 14 at 15:22 | comment | added | user3271408 |
The logs don’t stop to the localserver /var/log. Only stops to the /data/logs/localserver directory.
|
|
| Oct 14 at 15:20 | comment | added | user3271408 | I have the open source version of syslog-ng. | |
| Oct 14 at 5:34 | comment | added | Janos Szigetvari |
And yes, the fact that when you set setenforce 0 syslog-ng begins to log would indicate that the problem is somehow SELinux related. On the other hand there were no deny logs in the audit log, which hint that it's probably not FS labeling related. There may be configurations where logs are sent to multiple destinations and flow-control would stop the log flow for both destinations if one was stuck for some reason.
|
|
| Oct 14 at 5:23 | comment | added | Janos Szigetvari |
Yes, either syslog-ng --version or rpm -qa | fgrep syslog-ng may tell you that information.
|
|
| Oct 13 at 14:50 | comment | added | Robert Fekete |
IIRC the output of syslog-ng --version should include whether it's the open-source or the commercial version.
|
|
| Oct 13 at 13:29 | comment | added | user3271408 |
If I change setenforce 0, it immediately starts writing to the /data/logs/localserver/ directory. So is that not a clear indication that the problem is SELinux related? And that the syslog-ng config is working? I assume it is the open-source syslog-ng. But the person that set it up left the organization 4 years ago. No one still here would have had any way to know.
|
|
| Oct 13 at 6:00 | history | answered | Janos Szigetvari | CC BY-SA 4.0 |