LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Enterprise (https://www.linuxquestions.org/questions/linux-enterprise-47/)
-   -   getting syslog to write to other file than /var/log/messages (https://www.linuxquestions.org/questions/linux-enterprise-47/getting-syslog-to-write-to-other-file-than-var-log-messages-632450/)

c_mitulescu 04-02-2008 08:49 AM
getting syslog to write to other file than /var/log/messages
 
Hi,

I have been trying to get RedHat Linux 4 Enterprise Server Update 4 to output all the messages to a different directory other than /var/log/messages and have no luck. I tried changing the string that id pointing to /var/log/messages to point to /root/messages (newly created file) and restarted syslog. I then tested it by running:

logger -p local0.warning "Test"

And nothing was added to either /var/log/messages or /root/messages. I then changed the syslog.conf file back to the default settings, restarted syslog and ran the same test. This time around the "Test" entry appeared in /var/log/messages. I also tried using a "," and listing two files for it to write to but the test failed again.

Is there a way to increase the "syslog" logging (the irony) to see where it fails?

Thank you


syslog.conf
-----------------------------------------------------------------------------------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* /dev/console
# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /root/messages,/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

acid_kewpie 04-02-2008 09:21 AM
seeing rhel, i'd be wodnering about selinux..? the config looks ok, but syslog shouldn't be allowed to write to /root by the standard selinux policy.

btw, you might like to check out syslog-ng, much much nicer that sysklogd. it's one of the first things i do with a standard RHEL build...

c_mitulescu 04-02-2008 09:31 AM
Unfortunately this is a live Oracle RAC box and our policy discourages installing additional software which is why I have to make do with what is installed.

When I built the server using the RHEL installer I selected "disabled" for SELinux. Could it still be affecting the location syslog outputs to?

Thank you

acid_kewpie 04-02-2008 09:42 AM
pfffft, silly policy.

well as disabled yes that should be fine, but is there anything in dmesg in line with this? that's certainly where selinux issues would head.

c_mitulescu 04-02-2008 10:02 AM
Still seems to be there in "permisive mode":

dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Registering netfilter hooks
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev usbdevfs, type usbdevfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev hda, type iso9660), uses genfs_contexts
SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts



And the last lines from dmesg. Unfortunately I can't see a timestamp:


audit(1206979692.714:10): user pid=11983 uid=0 auid=4294967295 msg='avc: 0 AV entries and 0/512 buckets used, longest chain length 0
: exe="/usr/bin/dbus-daemon-1" (sauid=0, hostname=?, addr=?, terminal=?)'
audit(1207046529.170:11): avc: denied { search } for pid=15872 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:12): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1207046699.359:13): avc: denied { search } for pid=15998 comm="syslogd" name="media" dev=dm-0 ino=2850817 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:mnt_t tclass=dir

acid_kewpie 04-02-2008 10:08 AM
you can't see a timestamp? tsk...

1207046529 = Tue, 01 Apr 2008 10:42:09 GMT

http://www.onlineconversion.com/unix_time.htm

;)

So that's definitely selinux, so it is running. was that when you last restarted syslog? 10am yesterday? It depends how syslogd is programmed as to what style of selinux error you'll get, here it should be opening the file and keeping it open, so it'd be a single open that would fail, rather than an error on each log going into it.

c_mitulescu 04-02-2008 10:17 AM
I have so much to learn. :)

I have restarted syslog quite a number of times since 10 am.


All times are GMT -5. The time now is 05:40 PM.