LinuxQuestions.org


rgsurfs 04-22-2014 08:57 AM

configuring rsyslog to send tcp via non-default port
 
My rsyslog client running on RHEL 5.10 can transmit data both UDP and TCP via port 514 to my syslog server.

I changed reporting in the /etc/rsyslog.conf file to go out via port 50000, both UDP and TCP, and restarted services.

@x.x.x.x:50000
@@x.x.x.x:50000

I receive traffic on my syslog server, via the UDP, but not the TCP.

I added 50000 to the /etc/services file for both udp and tcp.

I have tcpdump monitoring port 50000, nothing.

Firewall is off.

=======================================
The only way I can get tcp to xmit via a non-standard port is to set the configuration in /etc/rsyslog.conf and manually type:

/sbin/rsyslogd -c4 -dn

Data will transmit and I will receive on my syslog server and then the daemon terminates.
========================================

Any ideas why rsyslog will not send TCP over a different port when running normally and not having to manually force it?

tks

Robert

Updated: 22 Apr: 4pm: The problem is with selinux. Any recommendations on how to create a new rule to allow this action?

unSpawn 04-22-2014 06:23 PM

Quote:

Originally Posted by rgsurfs (Post 5157080)
Updated: 22 Apr: 4pm: The problem is with selinux. Any recommendations on how to create a new rule to allow this action?

If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post
Code:

grep rsyslog /var/log/audit/audit.log|audit2allow -v
output or whatever setroubleshootd suggested?

rgsurfs 04-22-2014 09:14 PM

tks. I will check in the morning. I put selinux to permissive and I did service rsyslog restart and the data was immediately going out tcp over 50000. I turned selinux back to enforcing and restarted rsyslog and data is no longer transmitting.

Robert

rgsurfs 05-15-2014 01:59 AM

"If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post
Code:

grep rsyslog /var/log/audit/audit.log|audit2allow -v
output or whatever setroubleshootd suggested?"

tks for reply.

I poked around the selinux policy area and found that port 50000 was already assigned to hplip. I tried deleting, but was not able to since it is a default policy.

I then ran audit2allow -a -m rsyslog50000 > /temp/rsyslog50000.te
There was one entry in my /temp/rsyslog50000.te file; it looked like this:

module rsyslog50000 1.0;

require {
        type syslogd_t;
        type hplip_port_t;
        class tcp_socket name_connect;
}
#====================== syslogd_t =====================
allow syslogd_t hplip_port_t:tcp_socket name_connect;

So I ran:
checkmodule -M -m -o rsyslog50000.mod rsyslog50000.te
semodule_package -o rsyslog50000.pp -m rsyslog50000.mod
semodule -i rsyslog50000.pp

And voilà, I started seeing the tcp rsyslog data coming into my server via tcp 50000.
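
Added example, not part of the thread and not code from any poster: `audit2allow -a` reads every denial in the audit log, so before loading a generated module it helps to see exactly which denials belong to rsyslogd. The sketch below summarises AVC denials for one command; the function names `avc_summary` and `sample_audit_log` and the sample log records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command so that a
# module generated by audit2allow can be reviewed before it is loaded.
# Output columns: count source_type target_type class permissions dest_port

avc_summary() {   # $1 = command name as logged in comm="..."; log on stdin
    awk -v want="$1" '
    function field(key,    i, kv) {      # value of key=... on this record
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) { gsub(/"/, "", kv[2]); return kv[2] }
        }
        return "-"
    }
    function setype(ctx,    p) {         # user:role:type:level -> type
        split(ctx, p, ":")
        return (p[3] != "") ? p[3] : "-"
    }
    /type=AVC/ && /denied/ {
        if (field("comm") != want) next
        perms = $0                       # keep only the text inside { }
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        gsub(/ /, ",", perms)
        key = setype(field("scontext")) " " setype(field("tcontext"))
        key = key " " field("tclass") " " perms " " field("dest")
        seen[key]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

sample_audit_log() {   # constructed records, not taken from the thread
    cat <<'EOF'
type=AVC msg=audit(1398200000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=50000 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1398200000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1398200030.456:459): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=50000 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398200100.002:460): avc:  denied  { getattr } for  pid=2100 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

sample_audit_log | avc_summary rsyslogd
```

On a live system, feed it the real log, for example `avc_summary rsyslogd < /var/log/audit/audit.log`. A single row for `syslogd_t hplip_port_t tcp_socket name_connect` corresponds to the one allow rule in the module shown above.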


All times are GMT -5.