• Help ! No syslog anymore

    From Bhasker C V@21:1/5 to All on Wed Nov 8 09:30:01 2023
    Hi,

    I moved my syslog to a different location '/tmp/server.log'
    This was working all fine until I moved to selinux in enforcing mode.

    I have the file context as system_u:object_r:syslogd_runtime_t:s0
    now, the file is empty
    Strangely ...
    lsof shows rsyslog is using this file

    rsyslogd 25561 root 4r CHR 1,9 0t0 18 /dev/urandom
    rsyslogd 25561 root 5r REG 0,44 0 4026532059 /proc/kmsg
    rsyslogd 25561 root 6u unix 0x00000000c5984619 0t0 136109 type=DGRAM (CONNECTED)
    rsyslogd 25561 root 7w REG 0,35 8952 4873 /tmp/server.log
    rsyslogd 25561 root 8w REG 0,35 8952 4873 /tmp/server.log
    rsyslogd 25561 root 9w REG 0,35 8952 4873 /tmp/server.log

    But, the file says it is not being used by rsyslog

    $ sudo lsof /tmp/server.log
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    tail 24848 bcv 3r REG 0,35 39 37 /tmp/server.log

    There are also no messages in the kernel which I can use to audit any access/deny issues for selinux.
    I have tried putting selinux in permissive state and that too did not help.
    Please could someone help? Or if there is a procedure to move syslog file /var/log/syslog to a different location, I am happy to follow ...


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sven Joachim@21:1/5 to Bhasker C V on Wed Nov 8 17:50:01 2023
    On 2023-11-08 08:26 +0000, Bhasker C V wrote:

    > I moved my syslog to a different location '/tmp/server.log'

    A rather strange decision, since /tmp is usually pruned on reboot.

    > This was working all fine until I moved to selinux in enforcing mode.
    >
    > I have tried putting selinux in permissive state and that too did not help

    Most likely your problem has nothing to do with selinux, but is rather
    due to the hardening features implemented in rsyslog 8.2310.0-1. Among
    other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
    in rsyslog.service) which is not shared with other processes.

    > Please could someone help ? Or if there is a procedure to move syslog file
    > /var/log/syslog to a different location, I am happy to follow ...

    If you insist on moving it to /tmp, one possibility is to use a bind
    mount for /tmp/server.log. Run "systemctl edit rsyslog.service" and put
    the following two lines in the file:

    [Service]
    BindPaths=-/tmp/server.log

    You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
    reboot if it does not exist.

    Good luck,
    Sven

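Added here as a worked check, not code from the thread, from Debian or from rsyslog: the lsof output in the first post already shows the symptom Sven describes. rsyslogd's fds 7, 8 and 9 point at inode 4873 on device 0,35, while `tail` has inode 37 open on the same device, so there are two different files both called /tmp/server.log, one in the service's private /tmp and one in the caller's. The POSIX shell functions below make that comparison explicit for any service: they compare the mount namespace of a PID with PID 1's, and the identity (device:inode) of a path as seen through /proc/PID/root with the same path in the caller's namespace. `diagnose_service` is a hypothetical wrapper name chosen for this example; it assumes Linux /proc, a stat(1) that accepts `-c` (GNU or busybox), `systemctl show -P` (used in the thread) and root to read another process's /proc entries.

```shell
# Added example: is the /tmp a service writes to the /tmp you are reading?
# Assumes Linux /proc and a stat(1) that accepts -L -c (GNU coreutils or busybox).
# Reading /proc/PID/root and /proc/PID/ns of another user's process needs root.

# Return 0 if the two PIDs share a mount namespace, 1 if not, 2 if unreadable.
same_mount_ns() {
    ns1=$(readlink "/proc/$1/ns/mnt") || return 2
    ns2=$(readlink "/proc/$2/ns/mnt") || return 2
    [ "$ns1" = "$ns2" ]
}

# Print "device:inode" for a path, following symlinks. This is the identity
# lsof prints as DEVICE/NODE (with the device as a single decimal number).
file_id() {
    stat -L -c '%d:%i' "$1"
}

# Return 0 if PATH, resolved inside PID's root (and therefore inside its mount
# namespace), is the very same file as PATH resolved here. With PrivateTmp=yes
# the two resolve to different inodes although the path string is identical.
same_file_as_pid_sees() {
    pid=$1 path=$2
    theirs=$(file_id "/proc/$pid/root$path") || return 2
    ours=$(file_id "$path") || return 2
    [ "$theirs" = "$ours" ]
}

# List the open fds of PID whose target lies under DIR: "fd target device:inode".
open_files_under() {
    pid=$1 dir=$2
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$dir"/*) printf '%s %s %s\n' "${fd##*/}" "$target" "$(file_id "$fd")" ;;
        esac
    done
}

# Hypothetical wrapper for a systemd service: report PrivateTmp, whether the
# main PID shares PID 1's mount namespace, and whether PATH is the same file
# inside and outside the service. Needs systemctl and root.
diagnose_service() {
    svc=$1 path=$2
    pid=$(systemctl show -P MainPID "$svc") || return 2
    [ "$pid" -gt 0 ] 2>/dev/null || { printf '%s is not running\n' "$svc"; return 1; }
    printf 'PrivateTmp=%s\n' "$(systemctl show -P PrivateTmp "$svc")"
    rc=0; same_mount_ns 1 "$pid" || rc=$?
    case $rc in
        0) echo "main PID shares the root mount namespace" ;;
        1) echo "main PID has its own mount namespace (PrivateTmp, ProtectSystem, ...)" ;;
        *) echo "cannot read mount namespaces (need root?)" ;;
    esac
    if same_file_as_pid_sees "$pid" "$path"; then
        printf '%s is the same file inside and outside the service\n' "$path"
    else
        printf '%s inside the service is NOT the file you see here (private /tmp?)\n' "$path"
    fi
    open_files_under "$pid" "${path%/*}"
}

# Usage: diagnose_service rsyslog.service /tmp/server.log
```

When the inode printed by `open_files_under` differs from `stat -c %i /tmp/server.log` run in your own shell, no amount of SELinux tuning will help: the daemon is writing to a file you cannot see by that path. Compare with `systemctl show -P PrivateTmp rsyslog.service`, which is the check Michael asks for later in the thread.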
  • From Bhasker C V@21:1/5 to svenjoac@gmx.de on Fri Nov 10 09:10:01 2023
    Thanks very much.
    Adding bind path did not help. I found that if I run rsyslog from
    command-line as unconfined_t, it works well. It is just the extra systemd
    locks which fail.
    I have since written a simple systemd unit file to make rsyslog work and it
    has started working.

    # /etc/systemd/system/user-rsyslog.service
    [Unit]
    Description=Simple Rsyslog service
    After=network.target auditd.service

    [Service]
    Type=simple
    ExecStart=pkill -9 -f rsyslogd;/usr/sbin/rsyslogd -n -iNONE

    [Install]
    WantedBy=multi-user.target

    On Wed, Nov 8, 2023 at 4:47 PM Sven Joachim <svenjoac@gmx.de> wrote:

    > On 2023-11-08 08:26 +0000, Bhasker C V wrote:
    >
    > > I moved my syslog to a different location '/tmp/server.log'
    >
    > A rather strange decision, since /tmp is usually pruned on reboot.
    >
    > > This was working all fine until I moved to selinux in enforcing mode.
    > >
    > > I have tried putting selinux in permissive state and that too did not
    > > help
    >
    > Most likely your problem has nothing to do with selinux, but is rather
    > due to the hardening features implemented in rsyslog 8.2310.0-1. Among
    > other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
    > in rsyslog.service) which is not shared with other processes.
    >
    > > Please could someone help ? Or if there is a procedure to move syslog
    > > file
    > > /var/log/syslog to a different location, I am happy to follow ...
    >
    > If you insist on moving it to /tmp, one possibility is to use a bind
    > mount for /tmp/server.log. Run "systemctl edit rsyslog.service" and put
    > the following two lines in the file:
    >
    > [Service]
    > BindPaths=-/tmp/server.log
    >
    > You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
    > reboot if it does not exist.
    >
    > Good luck,
    > Sven




  • From Bhasker C V@21:1/5 to biebl@debian.org on Sun Nov 12 08:20:02 2023
    Hi,
    I have tried removing PrivateTmp=no in the rsyslog service file and it
    still doesn't work.
    I have removed the service file which I had created too.
    I found that when I run the daemon manually, it works well. Hence I have disabled rsyslog and I have put the daemon startup in my rc-local.

    But yes, removing PrivateTmp doesn't help.
    I am happy to troubleshoot this if anyone wants me to be a QA for this.


    On Fri, Nov 10, 2023 at 3:55 PM Michael Biebl <biebl@debian.org> wrote:

    > The service file you posted is not a good idea. Please remove it again.
    >
    >
    > If moving the log file out of /tmp is not an option, please run
    > systemctl edit rsyslog.service
    > and disable PrivateTmp via
    >
    > [Service]
    > PrivateTmp=no



  • From Bhasker C V@21:1/5 to biebl@debian.org on Thu Nov 16 12:50:01 2023
    Michael,
    You are a star.
    I don't know what I did before but I re-installed rsyslog and changed the PrivateTmp to no.
    It works now.
    I can see /tmp/server.log is now pushing syslog contents.
    Thank you very much.

    On Mon, Nov 13, 2023 at 10:24 AM Michael Biebl <biebl@debian.org> wrote:

    > On 13.11.23 at 10:13, Bhasker C V wrote:
    > > I forgot to answer the question on why I am doing this
    > > I am experimenting on a no-log system where there is no writes
    > > what-so-ever to /var/log (except for mails) or systemd journal
    > > (currently kept volatile)
    > > /tmp/ is tmpfs mounted
    > > Attached is the rsyslog config as-it-is being used now.
    > >
    >
    > With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log
    > to /run/server.log correctly (verified locally).
    >
    > I can only assume you didn't follow my instructions properly.
    >
    > Please make sure after following my instruction that you have afterwards
    > # systemctl show -P PrivateTmp rsyslog.service
    > no
    >
    > Btw, for your use case, a subdirectory in /run would be more suitable,
    > like say /run/syslog/.
    >
    > Also, you currently have
    > *.*                             -/tmp/server.log
    > *and*
    > *.=info;*.=notice;*.=warn;\
    >         auth,authpriv.none;\
    >         cron,daemon.none;\
    >         mail,audit,news.none            -/tmp/server.log
    >
    > This doesn't make any sense.
    > This will basically duplicate the log messages in /tmp/server.log and interleave them.
    >
    > Either you split up the log facilities and log them to separate files
    > or you only keep a single log rule like
    >
    > *.*                             -/tmp/server.log
    >
    > which simply logs everything to /tmp/server.log




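The duplicated-rule problem Michael points out is easy to check mechanically before restarting the daemon. The POSIX shell and awk below is an added example, not part of the thread and not rsyslog's own tooling: it folds backslash-continued lines of a legacy-format rsyslog.conf into single rules, strips the leading `-` from the action (it only turns off fsync after each write and does not make it a different file), and reports every target that more than one selector writes to. The config in `sample_rsyslog_conf` is constructed from the two rules quoted in Michael's reply plus a few extra lines that show directives and RainerScript statements being skipped; it is not the file that was attached in the thread.

```shell
# Added example: find rsyslog legacy-format rules that write to the same file.

# Constructed sample config, modelled on the two colliding rules quoted in the
# thread; the directive, module() line and the auth/mail rules are extras.
sample_rsyslog_conf() {
cat <<'EOF'
# constructed sample, not the attached rsyslog.conf from the thread
$ModLoad imuxsock
module(load="imklog")
*.*                             -/tmp/server.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,audit,news.none            -/tmp/server.log
auth,authpriv.*                 /var/log/auth.log
mail.*                          -/var/log/mail.log
EOF
}

# Read a config on stdin; print one "selector<TAB>target" line per rule.
# Backslash-continued lines are joined, comments and blank lines dropped,
# "$Directive" lines and RainerScript statements like module(...) skipped.
rsyslog_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        { line = line " " $0 }                   # accumulate the statement
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); next }   # continued: keep reading
        {
            rule = line; line = ""
            gsub(/^[ \t]+|[ \t]+$/, "", rule)
            if (rule ~ /^\$/ || rule ~ /^[[:alpha:]]+[ \t]*\(/) next
            n = split(rule, f)                   # default split: runs of blanks
            if (n < 2) next
            target = f[n]; sub(/^-/, "", target) # "-" only disables fsync: same file
            sel = rule; sub(/[ \t]+[^ \t]+$/, "", sel)
            gsub(/[ \t]+/, "", sel)              # join the continued selector
            printf "%s\t%s\n", sel, target
        }'
}

# Targets that more than one rule writes to (each line will be interleaved).
duplicate_targets() {
    rsyslog_rules | cut -f2 | sort | uniq -d
}

# The selectors that write to one given target, to see what collides.
rules_for_target() {
    rsyslog_rules | awk -F '\t' -v t="$1" '$2 == t { print $1 }'
}

# Usage: duplicate_targets < /etc/rsyslog.conf
#        rules_for_target /tmp/server.log < /etc/rsyslog.conf
```

Run against the sample, `duplicate_targets` prints only /tmp/server.log, and `rules_for_target /tmp/server.log` shows the two selectors that collide; the fix Michael suggests is to keep one of them. The parser deliberately ignores RainerScript `action(...)` statements, so a config that mixes both syntaxes needs the action lines checked by hand.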