Rsyslogd – Not Listening on Port

logging, rsyslog

I installed rsyslogd on an Ubuntu server, started it and everything looks fine, but the port the server should listen on is not opened.

ubuntu@node7:~$ sudo service rsyslog restart
rsyslog stop/waiting
rsyslog start/running, process 14114

Netstat shows it is not listening:

ubuntu@node7:~$ netstat -tlan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0    320 172.22.0.17:22          10.8.8.38:61335         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::2776                 :::*                    LISTEN     
tcp6       0      0 :::2777                 :::*                    LISTEN     
tcp6       0      0 172.22.0.17:2777        172.22.0.11:56554       ESTABLISHED
tcp6       0      0 172.22.0.17:2776        172.22.0.11:39780       ESTABLISHED

This is what /etc/rsyslog.conf looks like (most comments omitted):

ubuntu@node7:~$ cat /etc/rsyslog.conf     
#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

$ModLoad imtcp
$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm

$IncludeConfig /etc/rsyslog.d/*.conf

In /etc/rsyslog.d/35-server-per-host.conf I have the following lines, and I suspect this can be the cause. What does it mean?

# Stop processing of all non-local messages. You can process remote messages
# on levels less than 35.
:fromhost-ip,!isequal,"127.0.0.1" ~

And if it is, how could I change it to have the server listening, receiving and logging messages?

UPDATE:

I commented out the suspected line, but it's still not listening on port 514.

Best Answer

AppArmor is possibly blocking rsyslogd from listening on this port. You can verify this by looking in the system log:

grep apparmor /var/log/syslog

If you see lines mentioning rsyslog then this is probably the cause. Edit /etc/apparmor.d/local/usr.sbin.rsyslogd (or /etc/apparmor.d/usr.sbin.rsyslogd if that doesn't exist) and add this between the curly braces:

network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,

Then run service apparmor reload and service rsyslog restart.
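
Added example (not part of the original answer): a shell helper that takes the grep check above one step further and turns the AppArmor DENIED socket lines logged for rsyslogd into the matching network rules. The sample log lines are constructed, and the profile name /usr/sbin/rsyslogd and the family=/sock_type= audit fields are assumptions about how the denials appear on the host.

```shell
#!/bin/sh
# Added example: derive AppArmor "network" rules from logged socket denials.

# Constructed sample of /var/log/syslog content (not from the original post).
sample_log() {
cat <<'EOF'
Jun  3 10:15:01 node7 kernel: [  812.301] type=1400 audit(1370254501.120:31): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/rsyslogd" pid=14114 comm="rsyslogd" family="inet" sock_type="stream" protocol=6
Jun  3 10:15:01 node7 kernel: [  812.302] type=1400 audit(1370254501.121:32): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/rsyslogd" pid=14114 comm="rsyslogd" family="inet6" sock_type="stream" protocol=6
Jun  3 10:16:40 node7 kernel: [  911.870] type=1400 audit(1370254600.450:33): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/rsyslogd" pid=14200 comm="rsyslogd" family="inet" sock_type="stream" protocol=6
Jun  3 10:16:41 node7 kernel: [  912.004] type=1400 audit(1370254601.002:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/rsyslogd" name="/var/spool/example" pid=14200 comm="rsyslogd" requested_mask="r" denied_mask="r"
Jun  3 10:17:02 node7 kernel: [  933.110] type=1400 audit(1370254622.900:35): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/ntpd" pid=901 comm="ntpd" family="inet" sock_type="dgram" protocol=17
Jun  3 10:17:05 node7 rsyslogd: constructed non-AppArmor line mentioning rsyslog
EOF
}

# Read syslog text on stdin and print one "network <family> <type>," rule for
# each distinct socket denial logged against the profile given as $1.
# Denials without family/sock_type fields (file access etc.) are skipped,
# as are denials that belong to other profiles.
suggest_network_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' \
      | grep -F "profile=\"$profile\"" \
      | sed -n 's/.*family="\([a-z0-9]*\)".*sock_type="\([a-z]*\)".*/network \1 \2,/p' \
      | LC_ALL=C sort -u
}

# Stand-alone run on the constructed sample; on a real host use:
#   suggest_network_rules /usr/sbin/rsyslogd < /var/log/syslog
sample_log | suggest_network_rules /usr/sbin/rsyslogd
```

Only socket types that were actually denied are printed, so a TCP-only listener such as the $InputTCPServerRun 514 configuration in the question yields the stream rules and not the dgram ones.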
