I installed rsyslogd on an Ubuntu server, started it and everything looks fine, but the port the server should listen on is not open.
ubuntu@node7:~$ sudo service rsyslog restart
rsyslog stop/waiting
rsyslog start/running, process 14114
Netstat shows it is not listening:
ubuntu@node7:~$ netstat -tlan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    320 172.22.0.17:22          10.8.8.38:61335         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::2776                 :::*                    LISTEN
tcp6       0      0 :::2777                 :::*                    LISTEN
tcp6       0      0 172.22.0.17:2777        172.22.0.11:56554       ESTABLISHED
tcp6       0      0 172.22.0.17:2776        172.22.0.11:39780       ESTABLISHED
This is what /etc/rsyslog.conf looks like (most comments omitted):
ubuntu@node7:~$ cat /etc/rsyslog.conf
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm
$IncludeConfig /etc/rsyslog.d/*.conf
In /etc/rsyslog.d/35-server-per-host.conf I have the following lines, and I suspect this can be the cause. What does it mean?
# Stop processing of all non-local messages. You can process remote messages
# on levels less than 35.
:fromhost-ip,!isequal,"127.0.0.1" ~
And if it is, how could I change it to have the server listening, receiving and logging messages?
UPDATE:
I commented out the suspected line, but it's still not listening on port 514.
Best Answer
AppArmor is possibly blocking rsyslogd from listening on this port. You can verify this by looking in the system log:
If you see lines mentioning rsyslog then this is probably the cause. Edit /etc/apparmor.d/local/usr.sbin.rsyslogd (or /etc/apparmor.d/usr.sbin.rsyslogd if that doesn't exist) and add this between the curly braces:
Then run service apparmor reload and service rsyslog restart.
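The log check described in the answer above, sketched as an added example (not part of the original answer): it filters kernel audit lines for AppArmor denials against the rsyslogd profile and prints what was refused. The sample log lines are constructed, and the function names `sample_log` and `rsyslog_denials` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list AppArmor denials logged against the rsyslogd profile.

# Constructed sample in the kernel audit format AppArmor writes; timestamps,
# PIDs and the cupsd entry are invented for illustration.
sample_log() {
  cat <<'EOF'
Mar  3 10:15:01 node7 kernel: [812.101] type=1400 audit(1393841701.100:31): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/rsyslogd" pid=14090 comm="apparmor_parser"
Mar  3 10:15:02 node7 kernel: [813.440] type=1400 audit(1393841702.440:32): apparmor="DENIED" operation="capable" profile="/usr/sbin/rsyslogd" pid=14114 comm="rsyslogd" capability=10 capname="net_bind_service"
Mar  3 10:15:02 node7 kernel: [813.452] type=1400 audit(1393841702.452:33): apparmor="DENIED" operation="create" profile="/usr/sbin/rsyslogd" pid=14114 comm="rsyslogd" family="inet" sock_type="stream" protocol=6
Mar  3 10:16:40 node7 kernel: [911.007] type=1400 audit(1393841800.007:34): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=2201 comm="cupsd" requested_mask="r" denied_mask="r"
EOF
}

# Read log text on stdin; print "<operation> <detail>" for every DENIED
# entry whose profile ends in "rsyslogd". Other profiles and STATUS lines
# are ignored.
rsyslog_denials() {
  awk '
    # Value of key="value" or key=value in the current line, "" if absent.
    # The leading space keeps "name" from matching inside "capname".
    function field(key,   line, re, s) {
      line = " " $0
      re = " " key "=(\"[^\"]*\"|[^ ]*)"
      if (!match(line, re)) return ""
      s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
      gsub(/"/, "", s)
      return s
    }
    field("apparmor") == "DENIED" && field("profile") ~ /rsyslogd$/ {
      op = field("operation")
      detail = field("capname")                 # denied capability
      if (detail == "") detail = field("name")  # denied file path
      if (detail == "" && field("family") != "")
        detail = field("family") "/" field("sock_type")  # denied socket
      print op, (detail == "" ? "-" : detail)
    }
  '
}

# Run against the constructed sample.
sample_log | rsyslog_denials
```

On a host, pipe `dmesg` or the contents of `/var/log/kern.log` into `rsyslog_denials`; no output means AppArmor logged no denial for rsyslogd and the cause lies elsewhere.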