RSyslog – Fixing Issues with Log Files Outside /var/log


I am unable to get rsyslog to write to a log file located in a directory other than /var/log.

The server is RHELS 5.6 and for the most part with a default configuration, other than the rsyslog-specific changes (rules added to iptables, etc.).

It WORKS if I specify the following in /etc/rsyslog.conf:

local6.* /var/log/MyLog.log

However, it DOES NOT WORK if I were to create a log file at the location /Testing/MyLog.log, chmod -R 777 on it, and then update the configuration to:

local6.* /Testing/MyLog.log

I'm baffled because I set /Testing/MyLog.log (and the directory) with chown and chmod to have identical user:group and permissions as the log /var/log/MyLog.log (according to the output of ls -la).

What am I doing wrong? Is this even possible? I've even tried making a symbolic link in /var/log, nothing I've tried seems to work. I've played around with all sorts of configuration options documented on the rsyslog website.

Best Answer

SELinux will prevent processes that are labeled syslogd_t from writing to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.

You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.

Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get you started. Your policy file could look similar to this:

/Testing(/.*)?    --    gen_context(system_u:object_r:var_log_t)

SELinux policy writing, however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.

However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.

Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...
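
To confirm the diagnosis in the answer above before touching any labels, the audit log can be filtered for denials whose source domain is syslogd_t. This is an added example, not part of the original answer; the audit lines are constructed samples and the function name syslogd_denials is hypothetical.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log content (not from the original post).
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:456): avc:  denied  { append } for  pid=1234 comm="rsyslogd" name="MyLog.log" dev=dm-0 ino=98765 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1300000001.200:457): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev=dm-0 ino=11111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd"'

# Read audit records on stdin and print "perms|name|target_type|tclass"
# for every AVC denial whose source domain is syslogd_t.
syslogd_denials() {
    awk '
    /avc:/ && /denied/ {
        src = tgt = name = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Denied permissions sit between "{" and "}" as separate fields.
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
            # An SELinux context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (src == "syslogd_t") print perms "|" name "|" tgt "|" cls
    }'
}

# Stand-alone run against the constructed sample.
# On a real host: syslogd_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | syslogd_denials
```

A target type of default_t on the log file matches the answer's explanation, and `ls -Z /Testing` shows the same label on disk. After a file-context rule for /Testing is in place, `restorecon -Rv /Testing` applies it; `semanage fcontext -a -t var_log_t '/Testing(/.*)?'` is one way to add such a rule without a policy module, assuming semanage is installed.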