LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 04-22-2014, 08:57 AM   #1
rgsurfs
LQ Newbie
 
Registered: May 2013
Posts: 17

Rep: Reputation: Disabled
configuring rsyslog to send tcp via non-default port


My rsyslog client running on RHEL 5.10 can transmit data both UDP and TCP via port 514 to my syslog server.

I change reporting in the /etc/rsyslog.conf file, to go out via port 50000, both UDP and TCP and restarted services.

@x.x.x.x:50000
@@x.x.x.x:50000

I receive traffic on my syslog server, via the UDP, but not the TCP.

I added 50000 to the /etc/services file for both udp and tcp.

I have tcpdump monitoring port 50000, nothing.

Firewall is off.

=======================================
The only way I can get tcp to xmit via a non standard port is to set the configuration in /etc/rsyslog.conf and manually type:

/sbin/rsyslogd -c4 -dn

data will transmit and I will receive on my syslog server and then the daemon terminates.
========================================

Any ideas why rsyslog will not send TCP over a different port when running normally and not having to manaully force it????

tks

Robert

Updated: 22 Apr: 4pm: The problem is with selinux. any recommendations on how to create a new rule to allow this action??

Last edited by rgsurfs; 04-22-2014 at 03:28 PM.
 
Old 04-22-2014, 06:23 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,390
Blog Entries: 55

Rep: Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563Reputation: 3563
Quote:
Originally Posted by rgsurfs View Post
Updated: 22 Apr: 4pm: The problem is with selinux. any recommendations on how to create a new rule to allow this action??
If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post
Code:
grep rsyslog /var/log/audit/audit.log|audit2allow -v
output or whatever setroubleshootd suggested?
 
Old 04-22-2014, 09:14 PM   #3
rgsurfs
LQ Newbie
 
Registered: May 2013
Posts: 17

Original Poster
Rep: Reputation: Disabled
tks. I will check in the morning. I put selinux to permissive and I did service rsyslog restart and the data was immediately going out tcp over 50000. I turned selinux back to enforcing and restarted rsyslog and data is no longer transmitting.

Robert
 
Old 05-15-2014, 01:59 AM   #4
rgsurfs
LQ Newbie
 
Registered: May 2013
Posts: 17

Original Poster
Rep: Reputation: Disabled
"If you've confirmed it is SELinux then you must have seen some setroubleshootd or /var/log/audit/audit.log messages. If the latter then maybe post
Code:
grep rsyslog /var/log/audit/audit.log|audit2allow -v
output or whatever setroubleshootd suggested?"

tks for reply.

I poked around the selinux policy area and found that port 50000 was already assigned to hplip. I tried deleting, but was not able to since it is a default policy.

I then ran audit2allow -a -m rsyslog50000 > /temp/rsyslog50000.te
there was one entry in my /temp/rsyslog50000.te file, looked like this:

module rsyslog50000 1.0;

require {
type syslogd_t;
type hplip_port_t
class tcp_socket name_connect;
}
#====================== syslogd_t =====================
allow syslogd_t hplip_port_t:tcp_socket name_connect

so I ran:
checkmodule -M -m -o rsyslog50000.mod rsyslog50000.te
semodule_package -o rsyslog50000.pp -m rsyslog50000.mod
semodule -i rsyslog50000.pp

And wallah, I started seeing the tcp rsyslog data coming into my server via tcp 50000.
 
  


Reply

Tags
rsyslog, tcp, udp


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Rsyslog remote logging via tcp not working - plz help sh_lnx Linux - Server 9 06-14-2013 07:22 AM
[SOLVED] Send syslog log to rsyslog server? is possible? JohnV2 Slackware 9 10-13-2011 01:37 PM
[SOLVED] I can send syslog log to rsyslog server? how? JohnV2 Linux - Server 6 10-13-2011 08:55 AM
Default value for TCP send buffer size peer Linux - General 4 01-27-2009 07:21 AM
Open tcp port & mails that i do not send. jrfly Linux - General 1 02-02-2005 09:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 08:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration