[syslog-ng] Syslog-ng, centos7 and systemd seem to hate each other

Jordan Ladora vicepresjoebiden at gmail.com
Fri Feb 17 17:19:48 UTC 2017


Yes, selinux indeed was the issue. Not sure why my selinux config in the
past allowed this, but it was being blocked currently on the default port.

Updating the policy with-

sudo semanage port -a -t syslogd_port_t -p tcp 36598

...allows syslog-ng to log without having to start it manually from the
terminal (where, as you pointed out, it runs unconfined. Otherwise it runs
as syslogd_t and by default was limited to ports 514 & 601 and blocked on
the default tcp 36598).

Thank you!


On Thu, Feb 16, 2017 at 6:54 PM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> I have now tested this combination on centos 7, and collecting local log
> messages does seem to work for me.
>
> Please note that syslog-ng will detect whether it is running under systemd
> at runtime, and it does it this way:
> ```
>   if (lstat("/run/systemd/system/", &st) < 0 || !S_ISDIR(st.st_mode))
> ```
>
> e.g. it is checking whether /run/systemd/system is a directory. If it is,
> the system() source will use systemd-journal() as its source. If this does
> not exist, it will fall back to /dev/log.
>
> syslog-ng would report the result of this check with a debug level message:
> ```
>       msg_debug("Systemd is not detected as the running init system");
> ```
>
> or
>
> ```
>       msg_debug("Systemd is detected as the running init system");
> ```
>
> The program destination stuff should really be independent of the init
> system, but a different AppArmor/SELinux config might be the culprit
> though. When you launch it from the console, it would be unconfined, but
> with systemd, a policy might be applied that does NOT allow executing
> external programs.
>
> I hope this helps.
>
>
> --
> Bazsi
>
> On Mon, Feb 13, 2017 at 6:54 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> On Fri, Feb 10, 2017 at 09:32:21PM +0000, Clayton Dukes wrote:
>> > If I do a 'systemctl stop syslog-ng' and then just simply type
>> > 'syslog-ng' (no foreground, debug, etc. switches) from the command line,
>> > it works fine.
>> > Rather confusing, but I can't see why the systemctl file is not working
>> > as it should.
>> > Any ideas?
>>
>> try this: in a terminal run `journalctl -f` as root.
>> In another terminal, run `systemctl start syslog-ng`.
>>
>> If you don't see anything useful on the journalctl terminal, try
>> increasing the verbosity of syslog-ng (either by editing
>> `/etc/sysconfig/syslog-ng`, or by modifying
>> `/lib/systemd/system/syslog-ng.service` and running
>> `systemctl daemon-reload`).
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
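An added example, not part of the original thread: a shell check of whether a port already carries the SELinux label that the confined syslogd_t domain needs, run here over a constructed sample in the layout of `semanage port -l`. The function names and the sample table are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example: decide whether an SELinux port type covers a port, reading
# `semanage port -l` output on stdin.

# Constructed sample in the layout `semanage port -l` prints
# (type, protocol, comma-separated ports or low-high ranges).
sample_port_list() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
syslogd_port_t                 tcp      601
syslogd_port_t                 udp      514, 601
vnc_port_t                     tcp      5900-5983, 5985-5999
EOF
}

# port_labeled TYPE PROTO PORT: exit 0 if PORT is listed for TYPE/PROTO.
port_labeled() {
  awk -v type="$1" -v proto="$2" -v port="$3" '
    $1 == type && $2 == proto {
      # Rejoin the port column (fields 3..NF), then split it on commas.
      list = ""
      for (i = 3; i <= NF; i++) list = list $i
      n = split(list, items, ",")
      for (j = 1; j <= n; j++) {
        if (split(items[j], r, "-") == 2) {          # low-high range
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
        } else if (items[j] + 0 == port + 0) found = 1
      }
    }
    END { exit (found ? 0 : 1) }
  '
}

# advise TYPE PROTO PORT: print "labeled", or the semanage command that
# would add the label (the same form as the command in the post above).
advise() {
  if port_labeled "$@"; then
    echo "labeled"
  else
    echo "semanage port -a -t $1 -p $2 $3"
  fi
}

# Demo on the constructed sample; on a live host pipe `semanage port -l` in.
sample_port_list | advise syslogd_port_t tcp 36598
```

If the port is already defined under a different type, `semanage port -a` refuses it and `semanage port -m` is the form to use instead.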