Remote syslogging (rsyslog) of Hypervisor

Hi,

Has anyone been able to configure remote logging on a Hypervisor using tcp? When I configure rsyslog and start it using init scripts, it doesn't seem to work the same way as on a standard enterprise rhel 6.2.

When debugging, it looks like the module lmnsd_ptcp doesn't get loaded properly, and a tcpdump shows no packets are sent.

The same result is produced if I try using '-f' to define the configuration file. I also compared /etc/init.d/rsyslog and /etc/init.d/functions with a rhel6.2 and they do not differ.

 

Any help is appreciated.

**/etc/rsyslog.conf**
```
*.* @@RsyslogServerIP:10775
```

**Fail to work: Doesn't send tcp messages**
```
# service rsyslog restart
# /etc/init.d/rsyslog restart
```

**This works: Sends tcp messages**
```
# /sbin/rsyslogd -i /var/run/syslogd.pid -c 4
```

**NOT working debug cut**
```
caller requested object 'nsd_ptcp', not found (iRet -3003)
Requested to load module 'lmnsd_ptcp'
loading module '/lib64/rsyslog/lmnsd_ptcp.so'
source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 3
module of type 2 being loaded.
source file netstrms.c requested reference for module 'lmnsd_ptcp', reference count now 1
file netstrms.c released module 'lmnsd_ptcp', reference count now 0
module 'lmnsd_ptcp' has zero reference count, unloading...
Unloading module lmnsd_ptcp
file nsd_ptcp.c released module 'lmnetstrms', reference count now 2
Action requested to be suspended, done that.
```

**Working debug cut**
```
caller requested object 'nsd_ptcp', not found (iRet -3003)
Requested to load module 'lmnsd_ptcp'
loading module '/lib64/rsyslog/lmnsd_ptcp.so'
source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 3
module of type 2 being loaded.
source file netstrms.c requested reference for module 'lmnsd_ptcp', reference count now 1
Entry(7fe86cc26f20): type 1, (CONSTANT), value: '<'
…….
Loaded Module: Name='lmnsd_ptcp', IFVersion=5, type=library module.
Entry points:
queryEtryPt:        0x7fe869209750
doAction:           0x0
parseSelectorAct:   0x0
dbgPrintInstInfo:   0x0
freeInstance:       0x0
```

 

Responses

Hi,

 

If you are using RHEV-H, I think this KB can help: https://access.redhat.com/knowledge/solutions/56108

 

Hi,

I'm using RHEV-H.

The article claims remote logging is not supported. A bit odd because one can configure remote logging via the graphical interface you get if logging on as admin (console or ssh).

It’s not persistent if rhev-h is rebooted. This can however be solved:
```
# cp /etc/rsyslog.conf /config/etc/
# echo '/etc/rsyslog.conf' >> /config/files
```

Hmm, looks like the kbase has no version, and it's probably valid for 2.2, I'll make sure it's updated.

 

OK, so I have managed to reproduce the non-persistency problem on an older version of RHEV-H (20120119.1.el6_2) but not in the most recent one. (BTW, no need to copy anything into /config, we have a command for that, called persist.)

 

As for the original issue, still investigating.

OK, first of all thanks for bringing this up, this uncovered a minor bug actually, which should be fixed in the next version.

 

To work around it:

1. mkdir /var/spool/rsyslog >> /etc/rc.local

2. persist /etc/rc.local

3. persist /etc/rsyslog.conf

 

rsyslog has to be set up from the admin menu of course.

 

Just to be clear on step 1:

 

mkdir /var/spool/rsyslog

echo "mkdir /var/spool/rsyslog" >> /etc/rc.local

 

Step 2 and 3 are correct.

 

Mike

Hi,

 

Thanks. Did a similar work around.

 

Regarding spooling (/var/spool/rsyslog): I am just trying to figure it out. Is /var using lvm /dev/HostVG/Logging, now that $ActionQueueMaxDiskSpace is set to 10m? I just see a couple of lvm in HostVG but only config is mounted.

The problem that I can't use tcp is caused by a sepolicy. If you set selinux to permissive ('setenforce 0') and reconfigure rsyslog to use tcp, then it works.

I can't change, add or modify the policy because 'semanage' isn't available. I think the command is something like 'semanage port -a -t syslogd_port_t -p tcp 10777'. That is my guess anyway -> I have no experience with selinux policies at all. Just read some man pages.

Here is a HowTo for a workaround if you want rsyslog to use tcp when logging to a remote server. There is probably a more fancy/right way of implementing the se-module so it is persistent after boot, but this works for me.

 

** On RHEV-H 6.2 (20120510.0.el6_2) **
```
# vi /etc/rc.local
-->
   ### Workaround for rsyslog
   mkdir /etc/rsyslog.d /var/spool/rsyslog /config/MyFiles
   # reinstall sepolicy rsyslog_tcp_rhev_workaround
   semodule -i /config/MyFiles/rsyslog_tcp_rhev_workaround.pp

# persist /etc/rc.local
# persist /etc/rsyslog.conf
# mkdir /config/MyFiles
# ausearch -x rsyslogd -sv no -o port_t --just-one > /tmp/ausearch_rsyslog.tmp
# scp /tmp/ausearch_rsyslog.tmp Rhel6Srv:/tmp/
```

** On some RHEL 6.2 **
```
# yum -y install policycoreutils-python
# semanage port -l | grep syslogd    # just if you want to see the port list
# cat /tmp/ausearch_rsyslog.tmp | audit2allow -m local > /tmp/rsyslog_tcp_rhev_workaround.te
# sed -i 's/module local 1.0/module rsyslog_tcp_rhev_workaround 1.0/g' /tmp/rsyslog_tcp_rhev_workaround.te
# checkmodule -M -m -o /tmp/rsyslog_tcp_rhev_workaround.mod /tmp/rsyslog_tcp_rhev_workaround.te
# semodule_package -o /tmp/rsyslog_tcp_rhev_workaround.pp -m /tmp/rsyslog_tcp_rhev_workaround.mod
# scp /tmp/rsyslog_tcp_rhev_workaround.pp RhevHost:/config/MyFiles/
```

** On RHEV-H 6.2 (20120510.0.el6_2) **
```
# semodule -i /config/MyFiles/rsyslog_tcp_rhev_workaround.pp
# semodule -l | grep rsyslog    # just to check if installed
```
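
Added example, not part of the original posts: audit2allow turns every denial in its input into an allow rule, so it helps to summarize the ausearch capture before building the module. The script uses constructed AVC lines and the hypothetical helpers `summarize_avc` and `only_expected`; it lists each distinct denial and fails if anything other than rsyslogd's outbound TCP connect to the expected port is present.

```shell
#!/bin/sh
# Added example: review AVC denials before turning them into an allow rule.
# SAMPLE_AVC is constructed for illustration; it is not output from the thread.
SAMPLE_AVC='type=AVC msg=audit(1336650000.101:210): avc:  denied  { name_connect } for  pid=1402 comm="rsyslogd" dest=10775 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1336650030.417:214): avc:  denied  { name_connect } for  pid=1402 comm="rsyslogd" dest=10775 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1336650042.009:219): avc:  denied  { read } for  pid=1402 comm="rsyslogd" name="shadow" dev=dm-1 ino=1312 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Print one line per distinct denial: count comm perm tclass source_type target_type dest
summarize_avc() {
    printf '%s\n' "$1" | awk '
        function field(key,    i, kv) {          # value of key=... on this line, "-" if absent
            for (i = 1; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    kv = substr($i, length(key) + 2)
                    gsub(/"/, "", kv)
                    return kv
                }
            }
            return "-"
        }
        function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }   # user:role:TYPE:level
        /avc: +denied/ {
            perm = $0                            # keep only the text between { and }
            sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm); gsub(/ /, ",", perm)
            k = field("comm") " " perm " " field("tclass")
            k = k " " setype(field("scontext")) " " setype(field("tcontext")) " " field("dest")
            n[k]++
        }
        END { for (k in n) print n[k], k }
    ' | sort
}

# Succeed only if every denial is rsyslogd connecting out to the expected TCP port.
only_expected() {   # $1 = audit text, $2 = expected destination port
    unexpected=$(summarize_avc "$1" |
        awk -v port="$2" '!($2 == "rsyslogd" && $3 == "name_connect" && $4 == "tcp_socket" && $7 == port)')
    [ -z "$unexpected" ] && return 0
    printf 'unexpected denial: %s\n' "$unexpected" >&2
    return 1
}

summarize_avc "$SAMPLE_AVC"
only_expected "$SAMPLE_AVC" 10775 || echo "review the capture before running audit2allow"
```

For a denial like the first sample line, audit2allow emits an allow rule from syslogd_t to port_t for tcp_socket name_connect, which covers every port carrying the generic port_t label rather than only the port set in rsyslog.conf.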
