First off, thanks for spending the time to have a look at this issue, it's much appreciated.
I've had the attached rsyslog.conf configuration running for some time now until today when I had to restart rsyslog as a disk was getting full. The result is that rsyslog is now logging to a new location (updated in .conf file) with all the previous permissions (currently root|root rw to be testing safe).
The issue I'm facing is that no matter what I try, rsyslog does not output a file. I've run a tcpdump and I'm still receiving data. The matching criteria (host IP address) shouldn't have changed and the config hasn't changed either.
Any help, particularly debug commands I can run would be greatly appreciated. I would rather learn something new (like rsyslog) than uninstall it and just use syslog-ng instead…
Here is the config:
### Modules
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
### Set log file permissions
$FileOwner root
$FileGroup root
$FileCreateMode 0777
$DirCreateMode 0777
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root
### Listeners
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
# and activate it:
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
### Templates
#Format the message correctly
$template MsgFormat,"%msg%\n"
# log every host in its own directory
##$template TESTLOG,"/opt/rsyslog/var/log/test.log"
### Rulesets
# Local Logging
# N/A None required at this point in time
#
# Remote Logging
$RuleSet remote
#---MY MATCHING RULE---#
if ($fromhost-ip == "192.168.1.1") then ?TESTLOG
Thanks in advance 🙂
Best Answer
You are using a customized path for your log file, so selinux is blocking you. Try to issue
setenforce 0
and to restart rsyslog. If it now works, it is confirmed that your problem was selinux. To permanently correct that while continuing to use selinux, you need to issue
semanage fcontext -a -t var_log_t '/opt/rsyslog(/.*)?'; restorecon -RF /opt/rsyslog
After that, restart rsyslog.
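One way to confirm the SELinux diagnosis from the answer above is to read the audit log rather than switch enforcement off. This is an added example, not part of the original post or answer. The sample records are constructed, and the `usr_t` label on the custom directory and the `syslogd_t` domain are assumptions about a typical targeted policy.

```shell
#!/bin/sh
# Added example (not from the original post): list SELinux AVC denials
# logged for rsyslogd. Reads audit-log lines on stdin and prints one line
# per denial: "<perms> <tclass> <name> <tcontext>".
rsyslog_avc_denials() {
    awk '
    # Value of key=value on the current line (quotes stripped), "-" if absent.
    function field(key,    s) {
        if (match($0, " " key "=[^ ]+")) {
            s = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/^[^=]*=/, "", s)
            gsub(/"/, "", s)
            return s
        }
        return "-"
    }
    /avc: +denied/ && /comm="rsyslogd"/ {
        perms = "-"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perms)
            sub(/ +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        print perms, field("tclass"), field("name"), field("tcontext")
    }'
}

# Constructed sample lines (not real audit data): two rsyslogd denials under
# the custom path, one unrelated httpd denial, one non-AVC record.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { write } for  pid=1234 comm="rsyslogd" name="log" dev="dm-0" ino=1001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1400000000.102:202): avc:  denied  { getattr } for  pid=2222 comm="httpd" path="/srv/site" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1400000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/usr/sbin/rsyslogd"
type=AVC msg=audit(1400000000.103:203): avc:  denied  { add_name write } for  pid=1234 comm="rsyslogd" name="test.log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
EOF
}

# On a live host, feed real records instead of the sample, for example:
#   ausearch -m avc -c rsyslogd -ts recent | rsyslog_avc_denials
#   ls -Zd /opt/rsyslog        # current label of the custom log directory
sample_audit_lines | rsyslog_avc_denials
```

A target context other than `var_log_t` on the denied directory is the mismatch that the `semanage fcontext` and `restorecon` commands in the answer correct.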