LinuxQuestions.org
Old 03-07-2019, 08:38 AM   #1
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Rep: Reputation: 61
CentOS 7 sending audit logs through rsyslogd


I have the system set up to send audit logs through the audisp daemon to the rsyslog daemon to be forwarded to a central audit reduction server. This has been working. Now, for some reason, one of the servers is no longer sending. I've checked the configuration and can't find anything wrong. The /etc/audisp/plugins.d/syslog.conf has active set to yes and args set to "LOG_INFO LOG_LOCAL2". In the /etc/rsyslog.conf, I have:
Code:
# keep the full hostname in forwarded records
$PreserveFQDN on
# template for the forwarded line (the property is %TIMESTAMP%; the string must be closed)
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg% id:23855911"
# disk-assisted queue so messages are held while the central server is unreachable
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdREDT
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# forward everything over TCP (@@) to the central server, formatted with REDT
*.*   @@1.2.3.4:514;REDT
I'm running a tcpdump watching "dst host 1.2.3.4 and dst port 514" and don't see anything going out unless I run "logger -p info --server 1.2.3.4 test". I've checked the /var/lib/rsyslog directory and don't see anything queued. Any other ideas what to check to see why this server is not sending out any logs?
 
Old 03-08-2019, 08:42 AM   #2
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Maybe it is selinux? Have you checked your local audit logs to see if selinux is preventing rsyslog from receiving the entries?
 
Old 03-08-2019, 11:28 AM   #3
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
Yes. Not selinux. It was working fine until someone put some entries into salt and pushed it that way. Ever since it has not worked. I've been checking every file, and can't find any problems. But, have been running tcpdump on the outgoing port and never see anything go unless I specifically send it with logger. I'm going to re-trace the setup steps on Monday and see if I can find any error.
 
Old 04-01-2019, 07:14 AM   #4
bradvan
Member
 
Registered: Mar 2009
Posts: 367

Original Poster
Rep: Reputation: 61
Finally got it working, but I have no idea how. I commented out the forwarding block, then restarted the rsyslog daemon. Everything started flowing to the /var/log files. I then started to uncomment each line of the forwarding block, then restarted rsyslogd. After each restart, the data was still flowing to the /var/log files. Once I finished uncommenting the forward block, /var/log files were still getting updated. I then ran tcpdump and saw the outgoing data to the central log server. I have no idea what could have been the problem in the first place, nor why commenting out some lines and then just removing the comments fixed it.
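An added example, not code from the thread: offline sanity checks for the auditd -> audisp syslog plugin -> rsyslog forwarding chain the thread describes. The config files are constructed samples mirroring the first post (one with the template line as it was posted, one with the quote closed); the file paths and the remote address 1.2.3.4 are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity checks for the
# auditd -> audisp syslog plugin -> rsyslog forwarding chain described above.
# The config files below are constructed samples mirroring the post; on a real
# CentOS 7 host they live at /etc/audisp/plugins.d/syslog.conf and /etc/rsyslog.conf.
WORK=$(mktemp -d)
cat > "$WORK/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL2
format = string
EOF
# Template line written as in the post: the closing quote is missing.
cat > "$WORK/rsyslog-as-posted.conf" <<'EOF'
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%
*.*   @@1.2.3.4:514;REDT
EOF
cat > "$WORK/rsyslog-fixed.conf" <<'EOF'
$template REDT,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% %msg%"
$ActionQueueFileName fwdREDT
#*.*   @@10.9.8.7:514;REDT
*.*   @@1.2.3.4:514;REDT
EOF

# Exit 0 when the audisp syslog plugin is enabled ("active = yes").
audisp_plugin_active() {
  grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Print the live remote targets (@host or @@host:port) of an rsyslog config,
# skipping commented-out lines; exit 1 if there are none.
rsyslog_forward_targets() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eo '@@?[^[:space:];]+'
}

# Print $template lines whose quoted string is never closed (exit 1 if all are
# closed). Catch this before restarting rsyslogd; `rsyslogd -N1` parses the real file.
rsyslog_unclosed_templates() {
  grep -E '^[[:space:]]*\$template' "$1" |
    grep -Ev '^[[:space:]]*\$template[[:space:]]+[^,]+,"[^"]*"[[:space:]]*$'
}

audisp_plugin_active "$WORK/syslog.conf" && echo "audisp syslog plugin: active"
for f in rsyslog-as-posted.conf rsyslog-fixed.conf; do
  echo "$f targets: $(rsyslog_forward_targets "$WORK/$f" | tr '\n' ' ')"
  if rsyslog_unclosed_templates "$WORK/$f" >/dev/null; then echo "$f: WARNING unterminated \$template"; fi
done
```

On a live host, point the functions at the real files, and pair them with the checks the thread already uses: `ls /var/lib/rsyslog` for queue files and tcpdump on the destination host and port.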
 