Already checked that by temporarily disabling SELinux. This did not change the issue with rsyslog not being able to access the file. I also checked the logs on the server, and there are no signs of SELinux being the reason.

-Ole

On Wed, 30 Aug 2023 at 10:19, Lennard Klein <lennard.kl...@eu.equinix.com> wrote:

> FWIW, consider checking if selinux rather than just file permissions are
> triggering the permission denied.
>
> Regards,
> Lennard
>
> On 30/08/2023, 10:07, "rsyslog on behalf of Ole Froslie via rsyslog"
> <rsyslog-boun...@lists.adiscon.com on behalf of rsyslog@lists.adiscon.com> wrote:
>
> Since rsyslog is running as root, I thought it should be able to read any
> file on the system, regardless of file permissions?
> Adding rsyslog to the dirsrv group does not solve the problem since the
> file permissions for the access file only allow the user dirsrv to
> read/write, not the group dirsrv.
>
> -rw-------. 1 dirsrv dirsrv 6007159 Aug 29 10:56 *access*
>
> -Ole
>
> On Tue, 29 Aug 2023 at 19:25, David Lang <da...@lang.hm> wrote:
>
> > you have already identified the problem, the files are being created with
> > permissions that prohibit rsyslog from reading them.
> >
> > you may be able to add root to the group dirsrv to allow rsyslog to read
> > them, otherwise you need to figure out a way to create the files with
> > different permissions.
> >
> > David Lang
> >
> > On Tue, 29 Aug 2023, Ole Froslie via rsyslog wrote:
> >
> > > Hi,
> > > I am setting up centralized logging from FreeIPA version 4.10.1 running
> > > on CentOS.
> > > I have tried to set up the logging, initially just the access log, using
> > > this config (with domain and IPs obfuscated):
> > >
> > > module(load="imfile")
> > >
> > > input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access"
> > >       Tag="ipa-security-log" Facility="local0")
> > >
> > > # Forward local facilities
> > >
> > > if $syslogfacility >= 16 then @my_ip_adress:514
> > >
> > > When restarting rsyslog with this config, I get this error message (with
> > > servername and domains obfuscated):
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System Logging Service...
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: on startup file '/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is configured in static file monitor - this may indicate a misconfiguration. If the file appears at a later time, it will automatically be processed. Reason: Permission denied [v8.2102.0-109.el9]*
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Started System Logging Service.
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: [origin software="rsyslogd" swVersion="8.2102.0-109.el9" x-pid="12607" x-info="https://www.rsyslog.com"] start
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: error accessing file '/var/log/dirsrv/slapd-MY-DOMAIN/access': Permission denied [v8.2102.0-109.el9]*
> > >
> > > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imjournal: journal files changed, reloading... [v8.2102.0-109.el9 try https://www.rsyslog.com/e/0 ]*
> > >
> > > I have observed the following, following tips on various threads and
> > > info found on the internet.
> > >
> > > - rsyslog is working as intended when exporting the standard Linux logs
> > > - rsyslog is running as root. There is no drop privileges configured. I
> > >   have checked this in the /etc/rsyslog.conf, and I also see that
> > >   rsyslog is running as root when using ps -ef | grep rsyslogd
> > > - running as root should enable it to read any file
> > > - I have tried to turn off SELinux, the problem remains the same. I have
> > >   also checked logs, but there are no signs of SELinux being the cause
> > >   of the problem.
> > > - FreeIPA is using its system user dirsrv when creating the files.
> > > - The ownership of the directories and files is as follows:
> > >
> > > drwxr-xr-x. 3 root root 28 Aug 23 15:23 *dirsrv*
> > > drwxrwx--x. 2 dirsrv dirsrv 4096 Aug 28 16:55 *slapd-MY-DOMAIN*
> > > -rw-------. 1 dirsrv dirsrv 6007159 Aug 29 10:56 *access*
> > >
> > > - I have tried to manually change the access rights of the access file
> > >   with chmod o+r access and set chmod o+x on the slapd-directory. This
> > >   removes the error after restart of rsyslog, and rsyslog exports the
> > >   logs as expected.
> > > - However, due to the FreeIPA log rotation set-up, new files are created
> > >   and rotated, removing the read access for others, and the logging
> > >   stops again.
> > >
> > > Has anyone seen anything similar, does anyone have any clues about what
> > > the cause of this could be?
> > >
> > > regards,
> > > Ole
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
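
Added example, not part of the thread: on Linux a uid-0 process skips mode-bit checks only while CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH is in its effective capability set, so "running as root" alone does not settle whether the access file is readable. The Python sketch below models the directory listing quoted in the thread; the dirsrv uid/gid 389 and both CapEff values are constructed, and ACLs and SELinux are ignored.

```python
CAP_DAC_OVERRIDE = 1      # bit numbers from linux/capability.h
CAP_DAC_READ_SEARCH = 2
DIRSRV = 389              # constructed uid/gid for the dirsrv account

# Constructed excerpts of /proc/<pid>/status for two uid-0 processes.
STATUS_FULL = "Name:\trsyslogd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
STATUS_NO_DAC = "Name:\trsyslogd\nUid:\t0\t0\t0\t0\nCapEff:\t000001fffffffff9\n"

# (name, mode, owner uid, group gid), taken from the listing in the thread.
PATH = [("/var/log/dirsrv", 0o755, 0, 0),
        ("slapd-MY-DOMAIN", 0o771, DIRSRV, DIRSRV),
        ("access", 0o600, DIRSRV, DIRSRV)]

def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def allowed(mode, owner, group, uid, gids, want):
    """Mode-bit check: select the owner, group or other class, then test want (4=r, 1=x)."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def first_denied(path, uid, gids, cap_eff):
    """Return the first path component that refuses a read, or None if the read succeeds."""
    bypass = bool(cap_eff & ((1 << CAP_DAC_OVERRIDE) | (1 << CAP_DAC_READ_SEARCH)))
    for i, (name, mode, owner, group) in enumerate(path):
        want = 1 if i < len(path) - 1 else 4   # search on directories, read on the file
        if not bypass and not allowed(mode, owner, group, uid, gids, want):
            return name
    return None

if __name__ == "__main__":
    for label, status in (("full caps", STATUS_FULL), ("no DAC caps", STATUS_NO_DAC)):
        print(label, "->", first_denied(PATH, 0, {0}, effective_caps(status)))
```

On a live host, the real input is the CapEff line of /proc/<pid>/status for the running rsyslogd process.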