Trying to write syslog to /opt
Hi, I'm trying to write the following log to /opt/, which I am unable to do. In syslog-ng.conf I have the following:

    #filter f_local { facility(local0, local1, local2, local3,
    #                          local4, local5, local6, local7); };
    filter f_local { facility( local1, local2, local3, local4, local5, local7); };
    filter f_sol { facility(local0); };

    # Log SOL messages in a separate log
    destination solmessages { file("/opt/solLOG/sol.log"); };
    log { source(src); filter(f_sol); destination(solmessages); };

    #destination solmessages { file("/var/log/sol.log"); };
    #log { source(src); filter(f_sol); destination(solmessages); };

The above does not work, but if I comment out:

    #destination solmessages { file("/opt/solLOG/sol.log"); };
    #log { source(src); filter(f_sol); destination(solmessages); };

    destination solmessages { file("/var/log/sol.log"); };
    log { source(src); filter(f_sol); destination(solmessages); };

The log is written to /var/log/sol.log. Is there a reason why the destination path could only be /var/log/?

Thank you in advance.
Johnny
Hello,

On 08/17/2010 10:13 PM, Johnny Lapenna wrote:
> The log is written to /var/log/sol.log, is there a reason why the destination path could only be /var/log/?

Most likely some kind of MAC is in effect; on RedHat & Co. it is SELinux, on SuSE & Ubuntu it is AppArmor. Try to disable these, either just for syslog-ng, or globally (which is usually easier), and see if it helps. I can help you with AppArmor (or fetch info for SELinux).

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
This worked, thanks. Do you know if there's a way to disable AppArmor just for syslog-ng on SuSE10?

Thanks again,
Johnny
On 08/17/2010 11:43 PM, Johnny Lapenna wrote:
> This worked, thanks. Do you know if there's a way to disable AppArmor just for syslog-ng on SuSE10?

The ugly way is to move sbin.syslog-ng out of /etc/apparmor.d/ and restart AppArmor, which will disable syslog-ng protection for AppArmor completely. But I'd rather suggest leaving it there and modifying it to add support for that directory. Looking at your original post, you should add a line like this to that file:

    /opt/solLOG/** w,

and restart AppArmor.

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
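
Added example (not part of the original thread, and not syslog-ng or AppArmor project code): a small Python check that lists the file() destinations in a syslog-ng.conf that no write rule in the AppArmor profile covers, which is the situation diagnosed above. The profile text and the second destination are constructed samples; only the `*`, `**` and `?` globs are handled, and deny rules are ignored.

```python
import re

# Constructed sample inputs (assumptions, not taken from a real system).
SYSLOG_NG_CONF = '''
destination solmessages { file("/opt/solLOG/sol.log"); };
#destination solmessages { file("/var/log/sol.log"); };
destination messages { file("/var/log/messages"); };
'''
PROFILE = '''
/sbin/syslog-ng {
  /etc/syslog-ng/* r,
  /var/log/** w,
}
'''

# A path rule such as "/var/log/** w," with an optional "owner" prefix.
RULE = re.compile(r"^\s*(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*(?:#.*)?$")

def file_destinations(conf):
    """Paths of file() drivers that open a destination statement; comments dropped."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    return re.findall(r'destination\s+\S+\s*\{\s*file\(\s*"([^"]+)"', text)

def write_globs(profile):
    """Path globs of profile rules whose permission string contains 'w'."""
    matches = map(RULE.match, profile.splitlines())
    return [m.group(1) for m in matches if m and "w" in m.group(2)]

def glob_to_regex(glob):
    """AppArmor-style glob: '**' crosses '/', while '*' and '?' do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*|.", glob)
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens))

def blocked_destinations(conf, profile):
    """Destinations that no write rule in the profile matches."""
    globs = [glob_to_regex(g) for g in write_globs(profile)]
    return [p for p in file_destinations(conf)
            if not any(g.fullmatch(p) for g in globs)]

if __name__ == "__main__":
    for path in blocked_destinations(SYSLOG_NG_CONF, PROFILE):
        print("no write rule covers", path)
```

On a real host, read the two strings from syslog-ng.conf and /etc/apparmor.d/sbin.syslog-ng instead of the constructed samples.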