Rsyslog / CentOS 8 / no write logs|no catch

Tags: centos8, firewalld, rsyslog, selinux

I use rsyslog (8.37.0-13) on CentOS 8 (CentOS Linux release 8.1.1911) and I have an error with my configuration.

My rsyslog.conf is:

module(load="imuxsock")
module(load="imjournal")
module(load="imtcp")
module(load="imudp")
global(workDirectory="/var/lib/rsyslog")
include(file="/etc/rsyslog.d/*.conf")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

My sub-config is:

template(name="template1" type="string" string="/data/%HOSTNAME%-%FROMHOST-IP%.log")
ruleset(name="ruleset1"){
                action(type="omfile" dynaFile="template1")
                action(type="omfwd" protocol="tcp" target="10.10.10.1" port="2020")
}
input(type="imudp" port="2020" ruleset="ruleset1")

The rsyslog check:

# rsyslogd -N1
rsyslogd: version 8.37.0-13.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

I receive logs on UDP 2020:

02:56:22.363426 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 751
02:56:22.363434 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 878
02:56:22.363438 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 705
02:56:22.363443 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 695
02:56:22.363448 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363454 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 627
02:56:22.363459 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363466 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363472 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363509 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 861
02:56:22.363518 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 710
02:56:22.363523 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 622
02:56:22.363527 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626

But no logs are written to the /data folder and nothing is forwarded to 10.10.10.1 on TCP 2020:

# pwd
/data/
# ls -Ral
.:
total 0
drw-r--r--. 2 root adm  6  5 mai   10:03 .
drw-r--r--. 5 root adm 50  5 mai   10:03 ..

# tcpdump -i any tcp -nn port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> Nothing

Just in case, I also disabled SELinux, but the issue is the same.

Does anyone have an idea how to fix it?

Thanks

EDIT:

After disabling SELinux, rebooting, and restarting the services, it's OK.

Now I am trying to make it work with SELinux enabled. I did this:

# chcon -R --reference /var/log /data/
# chcon -R --reference /etc/rsyslog.conf /etc/rsyslog.d/
# systemctl restart rsyslog

No change. I rebooted, and still no change.

EDIT 2:

I checked the audit log:

# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

EDIT 3:

The behavior is random. After a reboot, I thought it was a SELinux problem. However, having deactivated SELinux again and rebooted, it no longer works. It's intriguing; I don't understand what is causing this.

EDIT 4:

The problem is firewalld:

# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# nft list table filter
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
# nft list table security
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
# nft list table raw
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
# nft list table mangle
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
# nft list table nat
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
# nft list table bridge nat
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}

I'm surprised. For me, firewalld is an overlay on top of nftables or iptables. However, as seen in the previous commands, nothing is configured in either of them.

EDIT 5:

After allowing the port in firewalld (which I don't understand, because nft and iptables are empty) and allowing it in SELinux, I have another problem:

The new files created by rsyslog have the context system_u:object_r:default_t:s0 instead of system_u:object_r:var_log_t:s0. How can I make each created file get this context?

Do you have any ideas?
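As an added example (my own script, not part of the original question or answer), a small POSIX shell helper covering the two host-level blockers reported in EDIT 4 and EDIT 5: the firewalld zone that does not list 2020/udp, and the /data directory labelled default_t instead of var_log_t. The directory, port, zone name and context strings are taken from the question; the function names, the `apply`/`check` arguments and the choice of syslogd_port_t for the port label are my own assumptions. The check functions only parse command output text, so they can be run against the question's own output; the fix functions call firewall-cmd, semanage and restorecon and need root.

```shell
#!/bin/sh
# Added example, not the asker's or rsyslog's own code. Audits and fixes the
# firewalld and SELinux settings that kept the question's rsyslog listener from
# writing to /data and from being reachable on 2020/udp.

LOG_DIR=/data        # dynaFile target from the asker's template1
SYSLOG_PORT=2020     # imudp listener / omfwd target port from the question
ZONE=public          # zone shown by firewall-offline-cmd --list-all

# Print the SELinux type field ("default_t") of a full context string
# such as "system_u:object_r:default_t:s0" (user:role:type:level).
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the context carries the type rsyslog's own log files use.
is_log_context() {
    [ "$(selinux_type_of "$1")" = var_log_t ]
}

# Read the text of `firewall-cmd --zone=... --list-all` on stdin and succeed
# if "<port>/<proto>" appears on its "ports:" line. $1 = port, $2 = proto.
zone_has_port() {
    sed -n 's/^ *ports: *//p' | tr ' ' '\n' | grep -qx "$1/$2"
}

# Report what still needs fixing on a live host (needs stat and firewall-cmd).
check_host() {
    ctx=$(stat -c '%C' "$LOG_DIR")
    if is_log_context "$ctx"; then
        echo "ok:  $LOG_DIR is $ctx"
    else
        echo "fix: $LOG_DIR is $ctx, want var_log_t (run: $0 apply)"
    fi
    if firewall-cmd --zone="$ZONE" --list-all | zone_has_port "$SYSLOG_PORT" udp; then
        echo "ok:  zone $ZONE allows $SYSLOG_PORT/udp"
    else
        echo "fix: zone $ZONE does not list $SYSLOG_PORT/udp (run: $0 apply)"
    fi
}

# Open the listener port in the runtime and permanent configuration.
fix_firewalld() {
    firewall-cmd --permanent --zone="$ZONE" --add-port="${SYSLOG_PORT}/udp"
    firewall-cmd --reload
}

# Make the label persistent. chcon (what the asker tried) changes the inode only;
# it is not recorded in the policy store, so any relabel (restorecon, or the
# .autorelabel run after re-enabling SELinux) puts /data back to default_t.
# semanage fcontext records the rule and restorecon applies it; files rsyslog
# creates afterwards inherit var_log_t from the directory.
fix_selinux_labels() {
    semanage fcontext -a -t var_log_t "${LOG_DIR}(/.*)?"
    restorecon -Rv "$LOG_DIR"
    # Assumption: rsyslog (syslogd_t) is confined to ports labelled syslogd_port_t,
    # and 2020 has no label in the default policy, so label it for the UDP listener
    # and the TCP forward. Confirm with `ausearch -m avc` if denials persist.
    semanage port -a -t syslogd_port_t -p udp "$SYSLOG_PORT"
    semanage port -a -t syslogd_port_t -p tcp "$SYSLOG_PORT"
}

case "${1:-}" in
    check) check_host ;;
    apply) fix_firewalld; fix_selinux_labels ;;
esac
```

Run it as `sh rsyslog_host_check.sh check` first and `sh rsyslog_host_check.sh apply` as root once the output looks right. On the EDIT 4 puzzle: on CentOS 8 firewalld uses the nftables backend and keeps its rules in its own tables (`inet firewalld` and related), so `nft list table ip filter` and `iptables -L` only show the untouched legacy tables; `nft list ruleset` shows firewalld's chains and the reject of unlisted ports.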

Best Answer

You need to load the "omfwd" module. Perhaps the entire ruleset is discarded because of an action that can't be executed?
