Starting syslog-ng: Connection failed

[gormank]

I installed syslog-ng on a box, disabled, rsyslog, configured syslog-ng and I get a connection refused when starting. The syslog-ng config is from from my toy log server. http://192.168.242.147/nagioslogserver/ ... etup/linux. appended it to the existing syslog-ng.conf.
I don't see anything saying I need to add the sending host to the receiving host config. What am I missing?

Code: Select all

@include "scl.conf"
source s_nagios {
	system();
	internal();
};

destination d_nagios { 
    tcp("192.168.242.147" port(5544)); 
};

log { 
	source(s_nagios); 
	destination(d_nagios); 
};

Code: Select all

[root@localhost ~]# service syslog-ng restart
Stopping syslog-ng:                                        [FAILED]
Starting syslog-ng: Connection failed; fd='12', server='AF_INET(192.168.242.147:5544)', local='AF_INET(0.0.0.0:0)', error='Permission denied (13)'
Initiating connection failed, reconnecting; time_reopen='10'
                                                           [  OK  ]

[root@localhost ~]# service syslog-ng status
syslog-ng (pid  2853) is running...

Maybe it doesn't like the local='AF_INET(0.0.0.0:0), which should be 192.168.144...

Code: Select all

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-29 14:50 CST
Nmap scan report for 192.168.242.147
Host is up (0.00029s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5544/tcp open   unknown
MAC Address: 00:0C:29:1D:7E:DB (VMware)

[gormank]

Ah, I recall reading selinux can cause this.

Nov 29 15:18:36 localhost syslog-ng[2853]: Syslog connection established; fd='13', server='AF_INET(192.168.242.147:5544)', local='AF_INET(0.0.0.0:0)'

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce Permissive
[root@localhost ~]# getenforce
Permissive

Now I see the other host data is received.

Thanks!

[mcapra]

You're very welcome!

We actually haven't done much testing with syslog-ng, so this sort of stuff is awesome to have.

[gormank]

I think an exception in the selinux config is needed to allow it to enforce, but pass the data. Something else to figure out...

[mcapra]

I tested a few policies I found on Google and didn't have much luck. I might try my hand at writing a policy module if some of the others I haven't tested yet don't pan out.

[gormank]

I found this one, but decided to not use syslog-ng and switch to rsyslog. I need to duplicate app log sending and the people had built it on syslog-ng so I didn't want to reinvent the wheel but got so much static I figured out how to generate the configs for rsyslog. Nagios log server made it easy.

I suspect if I tighten selinux rsyslog will have the same problem, so I'll probably try the below general process for rsyslog...

Add policy to make selinux play together
http://www.linuxquestions.org/questions ... ike-34844/

Code: Select all

cd /root
mkdir selinux
cd selinux
man audit2allow
#you always want to look at the man page an understand the options before running any command
audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
ls
#syslog-ng-modified.pp and syslog-ng-modified.te show up in the directory
vim syslog-ng-modified.te
semodule -i syslog-ng-modified.pp

# to find the file
updatedb
locate syslog-ng-modified.pp

[mcapra]

We do have a KB article about some things regarding rsyslog and SELinux if you haven't viewed it yet:
https://support.nagios.com/kb/article.php?id=490

[gormank]

I hadn't seen that, or maybe I saw it sometimes since selinux popped into my mind...
I'd like to stick w/ 5544 since that's what I've asked to get opened in the network. I'll look into changing selinux too.

I think we've beat this one to death so you can close it if you want.

Thanks

[dwhitfield]

I'll go ahead and lock this up, but of course if you end up having a related issue, feel free to open another thread. Thanks!