
I use rsyslog (8.37.0-13) on CentOS 8 (CentOS Linux release 8.1.1911) and I have an error with my configuration.

My rsyslog.conf is:

module(load="imuxsock")
module(load="imjournal")
module(load="imtcp")
module(load="imudp")
global(workDirectory="/var/lib/rsyslog")
include(file="/etc/rsyslog.d/*.conf")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

My sub-config is:

template(name="template1" type="string" string="/data/%HOSTNAME%-%FROMHOST-IP%.log")
ruleset(name="ruleset1"){
                action(type="omfile" dynaFile="template1")
                action(type="omfwd" protocol="tcp" target="10.10.10.1" port="2020")
}
input(type="imudp" port="2020" ruleset="ruleset1")

The rsyslog check:

# rsyslogd -N1
rsyslogd: version 8.37.0-13.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

I receive logs on UDP 2020:

02:56:22.363426 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 751
02:56:22.363434 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 878
02:56:22.363438 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 705
02:56:22.363443 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 695
02:56:22.363448 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363454 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 627
02:56:22.363459 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363466 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363472 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363509 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 861
02:56:22.363518 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 710
02:56:22.363523 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 622
02:56:22.363527 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626

But no logs are written in the /data folder and nothing is forwarded to 10.10.10.1 TCP 2020:

# pwd
/data/
# ls -Ral
.:
total 0
drw-r--r--. 2 root adm  6  5 mai   10:03 .
drw-r--r--. 5 root adm 50  5 mai   10:03 ..

# tcpdump -i any tcp -nn port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> Nothing

In case of doubt, I disabled SELinux, but same issue.

Does someone have any idea how to fix it?

Thanks

EDIT:

After disabling SELinux, rebooting, and restarting the services, it's OK.

Now I am looking at how to allow it with SELinux. I did this:

# chcon -R --reference /var/log /data/
# chcon -R --reference /etc/rsyslog.conf /etc/rsyslog.d/
# systemctl restart rsyslog

No change... I rebooted and no change.

EDIT 2:

I've checked the audit log:

# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

EDIT 3:

The behavior is random. After a reboot, I thought of an SELinux problem. However, having deactivated SELinux again and restarted, it no longer works. It's intriguing; I don't understand what is causing this...

EDIT 4:

firewalld is the problem...

# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# nft list table filter
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
# nft list table security
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
# nft list table raw
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
# nft list table mangle
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
# nft list table nat
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
# nft list table bridge nat
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}

I'm surprised. For me, firewalld is an overlay on nftables or iptables. However, as seen in the previous commands, nothing is configured in either of them.

EDIT 5:

After allowing it in firewalld (which I don't understand, because nft and iptables are empty) and allowing it in SELinux, I have another problem:

The new files created by rsyslog have system_u:object_r:default_t:s0 instead of system_u:object_r:var_log_t:s0. How do I make every created file have this context?

Do you have any ideas?

celine
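Worked example, added here and not part of celine's post or of the answer below, for the two receiver-side fixes the thread arrives at in EDIT 4 and EDIT 5: opening udp/2020 in firewalld, and giving /data a persistent SELinux file context so that files rsyslog creates there come out var_log_t rather than default_t. The zone name public, the port 2020/udp and the directory /data come from the thread; the function names, the --apply switch and the embedded sample zone dump are assumptions of this example. The two parsing helpers work on text, so they can be exercised on captured output without firewalld or SELinux present.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: fix the two receiver-side problems found
# there on CentOS 8 (firewalld not allowing udp/2020; /data labelled default_t) and
# show where to look when "iptables -L" and "nft list table filter" look empty.
# Assumed for the example: zone "public", port 2020/udp, log directory /data,
# and the --apply switch below. Nothing is changed unless --apply is given.
set -u

# Sample zone dump, copied from the thread's firewall-offline-cmd --list-all output,
# embedded here so zone_has_port can be exercised without firewalld installed.
SAMPLE_ZONE='public
  target: default
  services: cockpit dhcpv6-client ssh
  ports:
  rich rules:'

# Read a "--list-all" dump on stdin; exit 0 if PORT/PROTO is on its "ports:" line.
zone_has_port() {
    awk -v want="$1" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Read "ls -Z" lines on stdin and print only the SELinux type (third context field),
# e.g. "system_u:object_r:default_t:s0 /data/x.log" -> "default_t".
selinux_type() {
    awk '{ split($1, c, ":"); print c[3] }'
}

open_udp_port() {
    local port="$1" zone="$2"
    # --list-all shows the runtime zone; firewall-offline-cmd (as used in the thread)
    # reads the permanent config, so the two can disagree until --reload.
    if ! firewall-cmd --zone="$zone" --list-all | zone_has_port "$port/udp"; then
        firewall-cmd --permanent --zone="$zone" --add-port="$port/udp"
        firewall-cmd --reload
    fi
    # CentOS 8 firewalld uses the nftables backend and keeps its rules in its own
    # tables, not in "ip filter" (the only table iptables -L shows). This is where
    # the accept for the port actually lands:
    nft list table inet firewalld | grep -n "$port"
}

label_log_dir() {
    local dir="$1"
    # chcon only relabels what exists now and is undone by the next relabel; a new file
    # inherits its parent directory's type unless a type_transition rule applies,
    # which is why rsyslog's new files in a default_t directory came out default_t.
    # A persistent fcontext rule plus restorecon covers present and future files.
    semanage fcontext -a -t var_log_t "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t var_log_t "${dir}(/.*)?"   # -m when a rule already exists
    restorecon -Rv "$dir"
    ls -dZ "$dir" | selinux_type          # expect var_log_t
}

if [ "${1:-}" = "--apply" ]; then
    open_udp_port 2020 public
    label_log_dir /data
    # Confirm the receiver still parses its config, then pick up the changes
    rsyslogd -N1 && systemctl restart rsyslog
fi
```

Run as root with `--apply` on the receiver; `semanage` comes from policycoreutils-python-utils on CentOS 8. The reason the thread's `iptables -L` and `nft list table filter` showed nothing is that firewalld with its nftables backend never populates those tables: `nft list ruleset` (or `nft list table inet firewalld`) is the view that would have shown the missing accept for 2020/udp.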

1 Answer


You need to load the "omfwd" module. Perhaps the entire ruleset is discarded because of an action that can't be executed?

Gerard H. Pille
  • If I add this: module(load="omfwd") I get: # rsyslogd -N1 rsyslogd: version 8.37.0-13.el8, config validation run (level 1), master config /etc/rsyslog.conf rsyslogd: could not load module '/usr/lib64/rsyslog/omfwd.so', dlopen: /usr/lib64/rsyslog/omfwd.so: cannot open shared object file: No such file or directory [v8.37.0-13.el8 try http://www.rsyslog.com/e/2066 ] – celine May 11 '20 at 10:49
  • [omfwd](https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html) is usually builtin these days and does not need loading. – meuh May 11 '20 at 11:40
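A receiver smoke test, added here and not part of the thread (neither the question nor Gerard's answer): build one RFC 3164 datagram, send it over UDP with bash's /dev/udp device, and look for it in the file the thread's dynaFile template should produce. Run on the receiver itself against 127.0.0.1 it bypasses firewalld, which accepts everything arriving on lo, so a message that lands locally but not when sent from 10.10.10.15 isolates the firewall (EDIT 4) from rsyslog's own config or SELinux; a message that fails even locally means the ruleset is not running its actions, which is the possibility the answer raises. The hostname testhost, the --run switch and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: send one syslog datagram to the receiver
# and check that the dynaFile the thread's ruleset should create actually appears.
# Assumed for the example: target 127.0.0.1, port 2020, message hostname "testhost",
# and the thread's template /data/%HOSTNAME%-%FROMHOST-IP%.log. Nothing is sent
# unless --run is given.
set -u

# RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, where PRI = facility*8 + severity.
build_syslog_msg() {
    local facility="$1" severity="$2" ts="$3" host="$4" tag="$5" msg="$6"
    printf '<%d>%s %s %s: %s' $((facility * 8 + severity)) "$ts" "$host" "$tag" "$msg"
}

# Path the thread's template resolves to for a given message HOSTNAME and sender IP
# (over loopback FROMHOST-IP is 127.0.0.1; from the real sender it is 10.10.10.15).
expected_dynafile() {
    local host="$1" fromip="$2"
    printf '/data/%s-%s.log' "$host" "$fromip"
}

send_and_check() {
    local target="$1" port="$2" host="$3"
    local marker="smoke-$$-$(date +%s)"
    local ts msg file
    ts=$(date '+%b %e %H:%M:%S')          # RFC 3164 timestamp, day space-padded
    msg=$(build_syslog_msg 1 6 "$ts" "$host" "smoketest" "$marker")   # user.info
    # bash's /dev/udp pseudo-device: one write, one datagram, no trailing newline needed
    printf '%s' "$msg" > "/dev/udp/$target/$port" || return 2
    file=$(expected_dynafile "$host" "$target")
    sleep 1                               # give imudp and omfile a moment
    if grep -q "$marker" "$file" 2>/dev/null; then
        echo "ok: $marker written to $file"
        return 0
    fi
    echo "missing: $marker not in $file (check firewalld, SELinux labels, rsyslogd -N1)"
    return 1
}

if [ "${1:-}" = "--run" ]; then
    send_and_check "${2:-127.0.0.1}" "${3:-2020}" "${4:-testhost}"
fi
```

Run it twice: `./smoke.sh --run` on the receiver, then the same script from 10.10.10.15 with the receiver's address as the second argument. Only the second run crosses firewalld, so the pair tells you which layer is dropping the messages.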