Mailing List Archive

FWIW, consider checking if selinux rather than just file permissions are triggering the permission denied.

Regards,
Lennard

?On 30/08/2023, 10:07, "rsyslog on behalf of Ole Froslie via rsyslog" <rsyslog-bounces@lists.adiscon.com <mailto:rsyslog-bounces@lists.adiscon.com> on behalf of rsyslog@lists.adiscon.com <mailto:rsyslog@lists.adiscon.com>> wrote:


Since rsyslog is running as root, I thought it should be able to read any
file on the system, regardless file permissions?
Adding rsyslog to the dirsrv group does not solve the problem since the
file permissions for the access file only allows the user dirsrv to read
/write, not the group dirsrv.
-rw-------. 1 dirsrv dirsrv 6007159 Aug 29 10:56 *access*


-Ole




On Tue, 29 Aug 2023 at 19:25, David Lang <david@lang.hm <mailto:david@lang.hm>> wrote:


> you have already identified the problem, the files are being created with
> permissions that prohibit rsyslog from reading them.
>
> you may be able to add root to the group dirsrv to allow rsyslog to read
> them,
> otherwise you need to figure out a way to create the files with different
> permissions.
>
> David Lang
>
> On Tue, 29 Aug 2023, Ole Froslie via rsyslog wrote:
>
> > Hi,
> > I am setting up centralized logging from FreeIPA version 4.10.1 running
> on
> > CentOs.
> > I have tried to set up the logging, initially just the access log, using
> > this config (with domain and ips obfuscated)
> >
> > module(load="imfile")
> >
> >
> > input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access"
> > Tag="ipa-security-log" Facility="local0")
> >
> > # Forward local facilities
> >
> > if $syslogfacility >= 16 then @my_ip_adress:514
> >
> > When restarting rsyslog with this config , I get error message (with
> > servername and domains obfuscated):
> >
> > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System
> Logging
> > Service...
> >
> > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: on
> startup
> > file '/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is
> > configured in static file monitor - this may indicate a misconfiguration.
> > If the file appears at a later time, it will automatically be processed.
> > Reason: Permission denied [v8.2102.0-109.el9]*
> >
> > Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Started System Logging
> > Service.
> >
> > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: [origin
> > software="rsyslogd" swVersion="8.2102.0-109.el9" x-pid="12607" x-info="
> > https://urldefense.com/v3/__https://www.rsyslog.com__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBuE9UiJI$ <https://urldefense.com/v3/__https://www.rsyslog.com__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBuE9UiJI$> "] start
> >
> > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imfile: error
> > accessing file '/var/log/dirsrv/slapd-MY-DOMAIN/access': Permission
> denied
> > [v8.2102.0-109.el9]*
> >
> > Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: *imjournal:
> journal
> > files changed, reloading... [v8.2102.0-109.el9 try
> > https://urldefense.com/v3/__https://www.rsyslog.com/e/0__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBEfjoWNk$ <https://urldefense.com/v3/__https://www.rsyslog.com/e/0__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBEfjoWNk$> <https://urldefense.com/v3/__https://www.rsyslog.com/e/0__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBEfjoWNk$ <https://urldefense.com/v3/__https://www.rsyslog.com/e/0__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBEfjoWNk$> > ]*
> >
> >
> > I have observed the following, following tips on various threads and info
> > found on internet.
> >
> >
> > - rsyslog is working as intended when exporting the standard linux logs
> > - rsyslog is running as root. There is no drop privileges configured. I
> > have checked this in the /etc/rsyslog.conf, and I also see that
> rsyslog is
> > running as root when using ps -ef | grep rsyslogd
> > - running as root should enable it to read any file
> > -
> > - I have tried to turn off SELinix, the problem remains the same. I
> have
> > also checked logs , but there are no signs of SELinux being the cause
> of
> > the problem.
> >
> >
> > - FreeIPA is using its system user dirsrv when creating the files.
> > - The ownership of the directories and files are as follows:
> >
> > drwxr-xr-x. 3 root root 28 Aug 23 15:23 *dirsrv*
> >
> > drwxrwx--x. 2 dirsrv dirsrv 4096 Aug 28 16:55 *slapd-MY-DOMAIN*
> >
> > -rw-------. 1 dirsrv dirsrv 6007159 Aug 29 10:56 *access*
> >
> >
> > - I have tried to manually change the access rights of the access file
> > with chmod o+r access and set chmod o+x on the slapd-directory. This
> > removes the error after restart of rsyslog, and rsyslog exports the
> logs as
> > expected.
> > - However, due to the FreeIpa log rotation set-up, new files are
> created
> > and rotated removing the read access for others, and the logging stops
> > again.
> >
> >
> > Has anyone seen anything similar, does anyone have any clues about what
> the
> > cause of this could be?
> >
> > regards,
> > Ole
> > _______________________________________________
> > rsyslog mailing list
> > https://urldefense.com/v3/__https://lists.adiscon.net/mailman/listinfo/rsyslog__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBTMQ1aHY$ <https://urldefense.com/v3/__https://lists.adiscon.net/mailman/listinfo/rsyslog__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBTMQ1aHY$>
> > https://urldefense.com/v3/__http://www.rsyslog.com/professional-services/__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXB0LeQw94$ <https://urldefense.com/v3/__http://www.rsyslog.com/professional-services/__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXB0LeQw94$>
> > What's up with rsyslog? Follow https://urldefense.com/v3/__https://twitter.com/rgerhards__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBzHMKo2U$ <https://urldefense.com/v3/__https://twitter.com/rgerhards__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBzHMKo2U$>
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> >
>
_______________________________________________
rsyslog mailing list
https://urldefense.com/v3/__https://lists.adiscon.net/mailman/listinfo/rsyslog__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBTMQ1aHY$ <https://urldefense.com/v3/__https://lists.adiscon.net/mailman/listinfo/rsyslog__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBTMQ1aHY$>
https://urldefense.com/v3/__http://www.rsyslog.com/professional-services/__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXB0LeQw94$ <https://urldefense.com/v3/__http://www.rsyslog.com/professional-services/__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXB0LeQw94$>
What's up with rsyslog? Follow https://urldefense.com/v3/__https://twitter.com/rgerhards__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBzHMKo2U$ <https://urldefense.com/v3/__https://twitter.com/rgerhards__;!!PcPv50trKLWG!zsYLkxIfq9q9oLeqzhVBOMGwuj1MpM-l-hytGSpiHYN109ffFuhiPjlak8YQuqV0X4XFL4OCtScmKge_EuXBzHMKo2U$>
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.



This email is from Equinix (EMEA) B.V. or one of its associated companies in the territory from where this email has been sent. This email, and any files transmitted with it, contains information which is confidential, is solely for the use of the intended recipient and may be legally privileged. If you have received this email in error, please notify the sender and delete this email immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.