LinuxQuestions.org
Old 04-02-2008, 09:49 AM   #1
c_mitulescu
Member
 
Registered: Nov 2003
Location: London
Distribution: Ubuntu
Posts: 35

Rep: Reputation: 15
getting syslog to write to other file than /var/log/messages


Hi,

I have been trying to get RedHat Linux 4 Enterprise Server Update 4 to output all the messages to a different directory other than /var/log/messages and have had no luck. I tried changing the string that is pointing to /var/log/messages to point to /root/messages (newly created file) and restarted syslog. I then tested it by running:

logger -p local0.warning "Test"

And nothing was added to either /var/log/messages or /root/messages. I then changed the syslog.conf file back to the default settings, restarted syslog and ran the same test. This time around the "Test" entry appeared in /var/log/messages. I also tried using a "," and listing two files for it to write to but the test failed again.

Is there a way to increase the "syslog" logging (the irony) to see where it fails?

Thank you


syslog.conf
-----------------------------------------------------------------------------------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* /dev/console
# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /root/messages,/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
 
Old 04-02-2008, 10:21 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
seeing rhel, i'd be wondering about selinux..? the config looks ok, but syslog shouldn't be allowed to write to /root by the standard selinux policy.

btw, you might like to check out syslog-ng, much much nicer than sysklogd. it's one of the first things i do with a standard RHEL build...
 
Old 04-02-2008, 10:31 AM   #3
c_mitulescu
Member
 
Registered: Nov 2003
Location: London
Distribution: Ubuntu
Posts: 35

Original Poster
Rep: Reputation: 15
Unfortunately this is a live Oracle RAC box and our policy discourages installing additional software which is why I have to make do with what is installed.

When I built the server using the RHEL installer I selected "disabled" for SELinux. Could it still be affecting the location syslog outputs to?

Thank you
 
Old 04-02-2008, 10:42 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
pfffft, silly policy.

well as disabled yes that should be fine, but is there anything in dmesg in line with this? that's certainly where selinux issues would head.
 
Old 04-02-2008, 11:02 AM   #5
c_mitulescu
Member
 
Registered: Nov 2003
Location: London
Distribution: Ubuntu
Posts: 35

Original Poster
Rep: Reputation: 15
Still seems to be there in "permissive mode":

dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Registering netfilter hooks
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev usbdevfs, type usbdevfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts



And the last lines from dmesg. Unfortunately I can't see a timestamp:


audit(1206979692.714:10): user pid=11983 uid=0 auid=4294967295 msg='avc: 0 AV entries and 0/512 buckets used, longest chain length 0
: exe="/usr/bin/dbus-daemon-1" (sauid=0, hostname=?, addr=?, terminal=?)'
audit(1207046529.170:11): avc: denied { search } for pid=15872 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:12): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:13): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
 
Old 04-02-2008, 11:08 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
you can't see a timestamp? tsk...

1207046529 = Tue, 01 Apr 2008 10:42:09 GMT

http://www.onlineconversion.com/unix_time.htm



So that's definitely selinux, so it is running. was that when you last restarted syslog? 10am yesterday? It depends how syslogd is programmed as to what style of selinux error you'll get, here it should be opening the file and keeping it open, so it'd be a single open that would fail, rather than an error on each log going into it.
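
Added example (not part of any post in this thread): a small Python parser for the audit/AVC lines quoted in post #5. It converts the epoch in audit(...) to UTC and groups denials by process, SELinux types, object class and permission. The function names parse_avc and summarize are made up for this example, and the sample assumes the target context reads system_u:object_r:mnt_t.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the audit lines quoted in post #5 (first line is not a
# denial and must be skipped); tcontext written as system_u:object_r:mnt_t.
SAMPLE = """\
audit(1206979692.714:10): user pid=11983 uid=0 auid=4294967295 msg='avc: 0 AV entries and 0/512 buckets used, longest chain length 0
audit(1207046529.170:11): avc: denied { search } for pid=15872 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:12): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:13): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))
    rec = {k: v.strip('"') for k, v in pairs}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["time"] = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    # Contexts are user:role:type; policy rules are written against the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        for perm in (rec["perms"] if rec else []):
            key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"], perm)
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        rec = parse_avc(line)
        if rec:
            print(rec["time"].isoformat(), rec["pid"], rec["comm"], rec["perms"], rec["name"])
    print(summarize(SAMPLE))
```

Note the two different pid values in the sample: each belongs to a separate syslogd process, so comparing pid and time against the restart times shows which restart a denial came from.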
 
Old 04-02-2008, 11:17 AM   #7
c_mitulescu
Member
 
Registered: Nov 2003
Location: London
Distribution: Ubuntu
Posts: 35

Original Poster
Rep: Reputation: 15
I have so much to learn.

I have restarted syslog quite a number of times since 10 am.
 
  

