Linux – rsyslog server listen only on tcp 514

amazon ec2linuxredhatrsyslogtcp

I'm trying to set rsyslog client- server to listen to tcp messages with port other then 514, however it doesn't work. Only when using 514 it receives messages. I'm using EC2 vms.

input(type="imtcp" port="20514" ruleset="test")


ruleset(name="test") {
action(type="omfile" file="/var/log/test")
}

I open all the ports for tcp (using the security group) and run tests both with nc utility (manage to send and receive tcp messages) and gnsutls (gnutls-serv and gnutls-cli and it completed the handshake successfully).

nc 10.0.0.51 20515 # client
nc -l 20515 # server

sudo gnutls-cli -d 5 10.0.0.51 -p 20514 --x509cafile="/etc/rsyslog.d/ca.pem" --x509keyfile="/etc/rsyslog.d/client-key.pem" --x509certfile="/etc/rsyslog.d/client-cert.pem"

sudo gnutls-serv --priority=NORMAL -p 20514 --x509cafile="/etc/rsyslog.d/ca.pem" --x509keyfile="/etc/rsyslog.d/server-key.pem" --x509certfile="/etc/rsyslog.d/server-cert.pem"

So the ports are open, why can it be that rsyslog on EC2 cannot listen on port other then 514?

I made a complete test out of AWS (locall VMs) and it work smoothly

Best Answer

I manage to solve the issue as follows:

The issue was due to SELinux. Should manage it. e.g. sudo semanage port -a -t syslogd_port_t -p tcp 20514

Related Solutions

How to restart rsyslog daemon on ubuntu

sudo service rsyslog restart

That should do it.

Python CGI on Amazon AWS EC2 micro-instance — a how-to!

(Strange post, so hopefully this won't be as strange a reply).

On the subject of security flaws: it is considered general bad practice to store cgi-bin scripts within the document root of the web server. Even the W3C eludes to it under "Are compiled languages such as C safer ..." in their World Wide Web Security FAQ:

Consider the following scenario. For convenience's sake, you've decided to identify CGI scripts to the server using the .cgi extension. Later on, you need to make a small change to an interpreted CGI script. You open it up with the Emacs text editor and modify the script. Unfortunately the edit leaves a backup copy of the script source code lying around in the document tree. Although the remote user can't obtain the source code by fetching the script itself, he can now obtain the backup copy by blindly requesting the URL:
    http://your-site/a/path/your_script.cgi~
(This is another good reason to limit CGI scripts to cgi-bin and to make sure that cgi-bin is separate from the document root.)

This is not as significant a threat as the ability to write a file within the document root. However, an attacker could obtain the source code of the cgi, devise a directed attack against it, and use it as a stepping stone into the server.

To mitigate this, you can add the following lines to the lighttpd.conf (or some variation therein) to direct cgi-bin to a directory separate from the /var/www/lighttpd document root.

$HTTP["url"] =~ "/cgi-bin/" { cgi.assign = ( "" => "" ) }
alias.url = ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )

This requires both the cgi and alias modules for lighttpd.

Related Topic

Rsyslogd not listening udp 514