Rsyslog is the default syslog package that is commonly found in current Linux distributions. It usually consists of a main configuration file (typically /etc/rsyslog.conf) and a directory (typically /etc/rsyslog.d/) where you can store in a structured form and separated by files the different filters and templates for processing rsyslog rules.
SELinux is a Linux feature that allows you to implement access control security policies in Linux systems. In distributions such as Fedora and RHEL, SELinux is in Enforcing mode by default.
Rsyslog is one of the system processes protected by SELinux. This means that rsyslog by default is not allowed to send to a port other than 514/udp (the standard syslog port) has limited access to other files and directories outside of their initial configurations.
To send information to Logz.io properly in a SELinux environment, it is necessary to add exceptions to allow:
- rsyslog to communicate with logz.io through the desired port
- rsyslog to access the files and directories needed for it to work properly
First things first -- let's validate that SELinux is the issue
The easiest way to do this is to disable SELinux temporarily and see if that solves the problem.
Let's check the current status of SELinux:
SElinux's status can be in any of the following states:
- Enforcing: SELinux is active and blocking the actions that do not match the policy
- Permissive: SELinux is active but is not blocking the actions that do not match the policy -- it only leaves logs indicating which actions had been performed
- Disable: SELinux is disabled
If SELinux is not in Enforcing mode, no other action is needed because it is not blocking communication to Logz.io
If SELinux is Enforced, try to disable it temporally and then restart rsyslog:
$ sudo setenforce 0 $ sudo service rsyslog restart
Check if rsyslog is working and that you see the logs in you account.
To re-enable SELinux, run:
$ sudo setenforce 1 $ sudo service rsyslog restart
Because it is a temporary change, it won't survive a reboot. To disable it completely, you will have to edit its configuration file. Although from a security point of view it's not recommended, if you want the changes to be permanent, edit the /etc/selinux/config file and restart the machine:
Adding exceptions to SELinux for logz.io
You will need to make sure that the semanage command is available. Try to install the policycoreutils and the setroubleshoot packages:
# Installing policycoreutils & setroubleshoot packages $ sudo yum install policycoreutils setroubleshoot
Now, you can see which syslog ports are allowed by SELinux (see the example):
$ sudo semanage port -l| grep syslog output: syslogd_port_t udp 514
Let's add a new port to policy for Logz.io:
# Adding a port to SELinux policies $ sudo semanage port -m -t syslogd_port_t -p tcp 5000
Depending on the distribution, it will also be necessary to authorize the /var/spool/rsyslog directory:
# instructing se to authorize the /var/spool/rsyslog directory $ sudo semanage fcontext -a -t syslogd_var_lib_t "/var/spool/rsyslog/*" $ sudo restorecon -R -v /var/spool/rsyslog
Again depending on the distribution, it will also be necessary to authorize the /etc/rsyslog.d/* directory:
# instructing se to authorize /etc/rsyslog.d/* $ sudo semanage fcontext -a -t syslog_conf_t "/etc/rsyslog.d/" $ sudo restorecon -R -v /etc/rsyslog.d/ $ sudo semanage fcontext -a -t etc_t "/etc/rsyslog.d" $ sudo restorecon -v /etc/rsyslog.d
Finally, restart rsyslog:
$ sudo service rsyslog restart