[SOLVED] configuring rsyslog to send tcp via non-default port

rgsurfs · 04-22-2014, 08:57 AM

My rsyslog client running on RHEL 5.10 can transmit data both UDP and TCP via port 514 to my syslog server.

I change reporting in the /etc/rsyslog.conf file, to go out via port 50000, both UDP and TCP and restarted services.

@x.x.x.x:50000
@@x.x.x.x:50000

I receive traffic on my syslog server, via the UDP, but not the TCP.

I added 50000 to the /etc/services file for both udp and tcp.

I have tcpdump monitoring port 50000, nothing.

Firewall is off.

=======================================
The only way I can get tcp to xmit via a non standard port is to set the configuration in /etc/rsyslog.conf and manually type:

/sbin/rsyslogd -c4 -dn

data will transmit and I will receive on my syslog server and then the daemon terminates.
========================================

Any ideas why rsyslog will not send TCP over a different port when running normally and not having to manaully force it????

tks

Robert

Updated: 22 Apr: 4pm: The problem is with selinux. any recommendations on how to create a new rule to allow this action??

unSpawn · 04-22-2014, 06:23 PM

Quote:

Originally Posted by rgsurfs

Updated: 22 Apr: 4pm: The problem is with selinux. any recommendations on how to create a new rule to allow this action??

If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post

Code:

grep rsyslog /var/log/audit/audit.log|audit2allow -v

output or whatever setroubleshootd suggested?

rgsurfs · 04-22-2014, 09:14 PM

tks. I will check in the morning. I put selinux to permissive and I did service rsyslog restart and the data was immediately going out tcp over 50000. I turned selinux back to enforcing and restarted rsyslog and data is no longer transmitting.

Robert

rgsurfs · 05-15-2014, 01:59 AM

"If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post

Code:

grep rsyslog /var/log/audit/audit.log|audit2allow -v

output or whatever setroubleshootd suggested?"

tks for reply.

I poked around the selinux policy area and found that port 50000 was already assigned to hplip. I tried deleting, but was not able to since it is a default policy.

I then ran audit2allow -a -m rsyslog50000 > /temp/rsyslog50000.te
there was one entry in my /temp/rsyslog50000.te file, looked like this:

module rsyslog50000 1.0;

require {
type syslogd_t;
type hplip_port_t
class tcp_socket name_connect;
}
#====================== syslogd_t =====================
allow syslogd_t hplip_port_t:tcp_socket name_connect

so I ran:
checkmodule -M -m -o rsyslog50000.mod rsyslog50000.te
semodule_package -o rsyslog50000.pp -m rsyslog50000.mod
semodule -i rsyslog50000.pp

And wallah, I started seeing the tcp rsyslog data coming into my server via tcp 50000.