RHEL6.8 - How to configure second instance of syslog
For HAProxy, we have to enable below parameters to redirect log entries from system log file(/var/log/messages).
Note: We have few other parameters too, but I'm focusing on only this two over here.
$ModLoad imudp
$UDPServerRun 514
Due to NIST security policy, our Infra top-level management not providing approval to enable this into /etc/rsyslog.conf file.
So is that possible to create second syslog daemon/config on the server using different port only for HAProxy service? If yes, can you please share sample procedure?
Responses
How about using rsync to sync up your log files using ssh? If this is allowed then it would accomplish the job and put this into cron. There may be many other ways to get this done, but alternative to syslog daemon, I don't think it is possible.
Guru
1450 points
I have not done this, but you could start with the following:
* create separate rsyslog config file
* copy rsyslog init script and modify it to use the -f option for your separate config file and the -i option to indicate dedicated pid-file
* enable and run the new init script
$ModLoad imtcp
$UDPServerRun 514
I don't quite understand... these two settings don't go together. When you're planning to receive syslog messages over UDP port 514, you'll use $ModLoad imudp with $UDPServerRun 514. The imtcpmodule has nothing to do with $UDPServerRun.
If you want to just send out the log messages received from kernel and syslog-using applications, you don't need any plugin for that.
===============
Ahh... after a bit of googling I begin to understand. Apparently in RHEL/CentOS 6.x, HAProxy has non-standard default settings. The /etc/haproxy/haproxy.cfg seems to have this:
global
log 127.0.0.1 local2
So HAProxy is logging over a network socket to localhost, using the syslog protocol (UDP port 514).
I'm guessing that HAProxy is chrooted by default, and thus cannot use the standard /dev/log unix socket to send its log messages to rsyslog.
If you want to have the HAProxy send its logs to the local rsyslog, you'll have basically two methods to choose from: either over the network sockets, or over the Unix sockets.
===============
If you want to use the network sockets, restricting the syslog socket to listen on localhost only might make it more acceptable to your top management. These three lines tell rsyslog to open a network socket for classic UDP syslog protocol, but for localhost only. The order of the lines is important:
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
==================
Alternatively, you might tell rsyslog to set up an extra Unix socket within the HAProxy chroot, so that HAProxy process(es) can use it. I have not tested this, but have used the same principle with other software. Since an Unix socket is located within the filesystem, it is always local by definition. This is a simple two-line addition to rsyslog.conf
# (after the standard $ModLoad imuxsock directive)
$InputUnixListenSocketHostName haproxy.jail # or whatever you want the hostname of the HAProxy log entries to be
$AddUnixListenSocket /var/lib/haproxy/dev/log
And then change the haproxy.cfg to send logs using that socket instead (remembering that HAProxy processes will be chrooted, so they will be seeing /var/lib/haproxy as /):
global
log /dev/log local0
log /dev/log local1 notice
If you are using SELinux, you'll also need to set some file context types to allow rsyslogd to set up its socket properly:
mkdir /var/lib/haproxy/dev
semanage fcontext -a -t device_t /var/lib/haproxy/dev
semanage fcontext -a -t devlog_t /var/lib/haproxy/dev/log
restorecon -R -v /var/lib/haproxy/dev
====================
If you really are completely forbidden from editing the standard /etc/rsyslog.conf, then you would have to change the log settings in haproxy.cfg to refer to a different port, for example port 6514:
global
log 127.0.0.1:6514 local2
And in the configuration file for your extra rsyslog daemon, you would either completely omit the $ModLoad imuxsock and $ModLoad imklog and any configuration lines associated with them, or - if you need the capability for unix socket logging for something else - add $OmitLocalLogging after the imuxsock module, so this extra rsyslog daemon won't compete with the main one for the real /dev/log. The configuration file for your custom rsyslog instance, e.g. /etc/rsyslog-custom.conf, would look like this:
# imuxsock and imklog are not needed in this custom rsyslog daemon
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 6514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# minimal rules configuration, since everything that comes here is from HAProxy
*.* /var/log/HAProxy.log
To start your custom rsyslog instance, you would use:
/sbin/rsyslogd -f /etc/rsyslog-custom.conf
You would want to create a proper start-up script for it, and ensure that it will start at boot before HAProxy is started.
Loading the modules should not be a problem: the module files are not secret, and file permissions won't stop any process from loading them. Of course you must then use an UDP port number that is greater than 1023, because port numbers 0-1023 are restricted to root-owned processes only.
I don't really know how SELinux might react to running a second copy of rsyslog as non-root process... it might be just fine with that, but if there are problems, you'll see messages about denied accesses in audit logs located in /var/log/audit. In that case, the audit2why and audit2allow tools might be useful... as always when doing serious customizing in a SELinux-enabled system.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.