Forum Discussion
Linux syslog agent initial setup on RHEL 8 machine
I had this exact issue, and it was caused by SELinux (Security-Enhanced Linux) blocking rsyslogd from accessing its own config files. The command "journalctl -xe" gave more info, and also helpfully provided the commands to generate a local policy module to allow access:
After this I was able to start rsyslog. Another problem came up after installing the Sentinel log forwarder. rsyslog was unable to parse /etc/rsyslog.conf due to some comments lacking the "#" to signify the line is meant to be a comment(!). Note below, the text "This only needs to be done once" should be commented out or removed entirely. I don't know why/what set this configuration.
# provides UDP syslog reception
module(load="imudp") This only needs to be done once
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp") This only needs to be done once
input(type="imtcp" port="514")
After this, I had to add a firewall rule to allow inbound traffic on port 514.
firewall-cmd --permanent --add-port 514/udp
firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload
Hope this helps!
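
Added example (not part of the original post, and not Microsoft's or rsyslog's own tooling): a small shell check that finds module()/input() lines in an rsyslog config followed by uncommented text, as in the fragment quoted above, and prints a corrected copy. The function names are hypothetical, and it assumes each statement sits on one line with no ")" inside a quoted value.

```shell
#!/bin/sh
# Added example: flag rsyslog module()/input() lines with stray trailing text.
# Assumption: one statement per line, no ")" inside a quoted parameter value.

# Constructed sample: the fragment quoted in the post above.
sample_conf() {
cat <<'EOF'
# provides UDP syslog reception
module(load="imudp") This only needs to be done once
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp") This only needs to be done once
input(type="imtcp" port="514")
EOF
}

# Print "LINE:stray text" for every statement followed by uncommented text.
find_stray_text() {
    awk '
        match($0, /^[ \t]*(module|input)\([^)]*\)/) {
            rest = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", rest)
            if (rest != "" && rest !~ /^#/) print NR ":" rest
        }'
}

# Emit the config with the stray text turned into a trailing comment.
comment_stray_text() {
    awk '
        match($0, /^[ \t]*(module|input)\([^)]*\)/) {
            stmt = substr($0, 1, RLENGTH)
            rest = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", rest)
            if (rest != "" && rest !~ /^#/) { print stmt " # " rest; next }
        }
        { print }'
}

# Demo on the constructed sample: report the offending lines, then the fix.
sample_conf | find_stray_text
sample_conf | comment_stray_text
```

On a real host, feed /etc/rsyslog.conf to find_stray_text on stdin; `rsyslogd -N1` runs rsyslog's own configuration check before the service is restarted.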