configuring rsyslog to send tcp via non-default port
My rsyslog client running on RHEL 5.10 can transmit data both UDP and TCP via port 514 to my syslog server.
I changed reporting in the /etc/rsyslog.conf file to go out via port 50000, both UDP and TCP, and restarted services.

Code:
@x.x.x.x:50000
@@x.x.x.x:50000

I receive traffic on my syslog server via the UDP, but not the TCP. I added 50000 to the /etc/services file for both udp and tcp. I have tcpdump monitoring port 50000, nothing. Firewall is off.

=======================================

The only way I can get tcp to xmit via a non standard port is to set the configuration in /etc/rsyslog.conf and manually type:

Code:
/sbin/rsyslogd -c4 -dn

Data will transmit and I will receive on my syslog server and then the daemon terminates.

========================================

Any ideas why rsyslog will not send TCP over a different port when running normally and not having to manually force it????

tks
Robert

Updated: 22 Apr: 4pm: The problem is with selinux. Any recommendations on how to create a new rule to allow this action??
Quote:
Code:
grep rsyslog /var/log/audit/audit.log | audit2allow -v
tks. I will check in the morning. I put selinux to permissive and I did service rsyslog restart and the data was immediately going out tcp over 50000. I turned selinux back to enforcing and restarted rsyslog and data is no longer transmitting.
Robert
"If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post
Code:
grep rsyslog /var/log/audit/audit.log | audit2allow -v

tks for reply. I poked around the selinux policy area and found that port 50000 was already assigned to hplip. I tried deleting, but was not able to since it is a default policy. I then ran

Code:
audit2allow -a -m rsyslog50000 > /temp/rsyslog50000.te

There was one entry in my /temp/rsyslog50000.te file, looked like this:

Code:
module rsyslog50000 1.0;

require {
	type syslogd_t;
	type hplip_port_t;
	class tcp_socket name_connect;
}

#====================== syslogd_t =====================
allow syslogd_t hplip_port_t:tcp_socket name_connect;

so I ran:

Code:
checkmodule -M -m -o rsyslog50000.mod rsyslog50000.te
semodule_package -o rsyslog50000.pp -m rsyslog50000.mod
semodule -i rsyslog50000.pp

And voilà, I started seeing the tcp rsyslog data coming into my server via tcp 50000.
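An added example, not part of the thread: `audit2allow -a` builds rules from every denial in the audit log rather than only rsyslog's, so this shell sketch summarises AVC denials to show what a generated module would allow before it is loaded. The audit records are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample audit records (not taken from the thread's system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1398200000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=50000 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398200005.456:457): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=50000 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1398200100.789:460): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev=dm-0 ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1398200000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd"
EOF
}

# summarize_denials: read audit records on stdin and print one line per
# distinct AVC denial: "<count> <source_type> <target_type> <class> <perms> <dest|->"
summarize_denials() {
  awk '
    $1 == "type=AVC" && /denied/ {
      src = tgt = cls = perms = ""; dest = "-"; inbrace = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inbrace = 1; continue }
        if ($i == "}") { inbrace = 0; continue }
        if (inbrace)   { perms = perms (perms == "" ? "" : ",") $i; continue }
        # A context is user:role:type[:level]; the third field is the type.
        if      ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls  = substr($i, 8) }
        else if ($i ~ /^dest=/)     { dest = substr($i, 6) }
      }
      key = src " " tgt " " cls " " perms " " dest
      if (!(key in n)) order[++k] = key   # keep first-seen order
      n[key]++
    }
    END { for (j = 1; j <= k; j++) print n[order[j]], order[j] }
  '
}

# unexpected_denials DOMAIN: print summary lines whose source type is not
# DOMAIN. Empty output means the log holds denials for DOMAIN only.
unexpected_denials() {
  summarize_denials | awk -v want="$1" '$2 != want'
}

sample_audit_log | summarize_denials
```

On a real host, feed `/var/log/audit/audit.log` to `summarize_denials` instead of the sample; any line printed by `unexpected_denials syslogd_t` is a denial unrelated to rsyslog that `audit2allow -a` would also turn into an allow rule.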