Feb 19 2022 09:35 AM
Greetings,
I was trying to set up the log forwarder for a Fortinet firewall to ingest to Sentinel, however I can't seem to figure out why the script is failing to do what it normally does. I usually run on Ubuntu machines and have no issues, but this time I had to do it on a Red Hat Enterprise Linux 8 machine.
To be more specific, most of the script runs fine until I get this message:
Job for rsyslog.service failed because the control process exited with error code.
See "systemctl status rsyslog.service" and "journalctl -xe" for details.
the systemctl status message contains the following:
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2022-02-19 18:17:44 CET; 3min 56s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Process: 92657 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited, status=1/FAILURE)
Main PID: 92657 (code=exited, status=1/FAILURE)
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Service RestartSec=100ms expired, scheduling restart.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 7.
Feb 19 18:17:44 machineName systemd[1]: Stopped System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Start request repeated too quickly.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.
Does anyone have a good idea for how this is not working?
This part of the script is, from what I understand, responsible for the syslog daemon, so it's quite important that it works.
Any help is much appreciated.
Jul 25 2022 10:29 AM
I had this exact issue, and it was caused by SELinux (Security-Enhanced Linux) blocking rsyslogd from accessing its own config files. The command "journalctl -xe" gave more info, and also helpfully provided the commands to generate a local policy module to allow access:
After this I was able to start rsyslog. Another problem came up after installing the Sentinel log forwarder. rsyslog was unable to parse /etc/rsyslog.conf due to some comments lacking the "#" to signify the line is meant to be a comment(!) Note below, the text "This only needs to be done once" should be commented out or removed entirely. I don't know why/what set this configuration.
# provides UDP syslog reception
module(load="imudp") This only needs to be done once
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp") This only needs to be done once
input(type="imtcp" port="514")
After this, I had to add a firewall rule to allow inbound traffic of port 514.
firewall-cmd --permanent --add-port 514/udp
firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload
Hope this helps!
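As an added example (not code from the thread or from the Sentinel forwarder script), a small POSIX shell script that reproduces the broken rsyslog.conf fragment quoted in the answer above, flags module()/input() lines whose trailing text is not commented, writes a repaired copy and, where rsyslogd is installed, validates it with rsyslogd -N1. The input path, the ".fixed" output name and the sample content are assumptions; the SELinux and firewall steps are host-specific and are not reproduced here.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Sentinel forwarder script.
# It reproduces the rsyslog.conf defect described above (trailing text after a
# module()/input() statement with no "#"), finds such lines, writes a repaired
# copy, and asks rsyslogd to validate it. Assumes: rsyslogd may be absent
# (validation is then skipped) and the file to check is given as $1.

# ERE for a module()/input() statement followed by text that is not a comment.
BAD_TRAILER='^[[:space:]]*(module|input)\([^)]*\)[[:space:]]+[^#[:space:]]'

# Print offending lines as "lineno:content"; exit status 1 if none are found.
find_uncommented_trailers() {
    grep -En "$BAD_TRAILER" "$1"
}

# Write a repaired copy of $1 to $2, turning the trailing text into a comment
# (rsyslog accepts "#" comments after a statement on the same line).
fix_uncommented_trailers() {
    sed -E 's/^([[:space:]]*(module|input)\([^)]*\))[[:space:]]+([^#[:space:]].*)$/\1 # \3/' \
        "$1" > "$2"
}

# rsyslogd -N1 parses a config without starting the daemon; 0 means it parsed.
# Returns 0 as well when rsyslogd is not installed, so callers can still proceed.
validate_with_rsyslogd() {
    command -v rsyslogd >/dev/null 2>&1 || return 0
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

# Constructed sample: the broken fragment quoted in the answer above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# provides UDP syslog reception
module(load="imudp") This only needs to be done once
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp") This only needs to be done once
input(type="imtcp" port="514")
EOF
}

# Usage: sh check_rsyslog_conf.sh /etc/rsyslog.conf [/path/to/repaired.conf]
if [ "$#" -ge 1 ]; then
    find_uncommented_trailers "$1" || echo "no uncommented trailing text in $1"
    fix_uncommented_trailers "$1" "${2:-$1.fixed}"
    validate_with_rsyslogd "${2:-$1.fixed}" && echo "rsyslogd accepts ${2:-$1.fixed}"
fi
```

Review the repaired copy before replacing /etc/rsyslog.conf, and restart the service afterwards so the previously failing ExecStart is retried.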