Linux syslog agent initial setup on RHEL 8 machine

Greetings,

I was trying to set up the log forwarder for a Fortinet firewall to ingest to Sentinel, however I can't seem to figure out why the script is failing to do what it normally does. I usually run on Ubuntu machines and have no issues, but this time I had to do it on a Red Hat Enterprise Linux 8 machine.

To be more specific, most of the script runs fine until I get this message:

Job for rsyslog.service failed because the control process exited with error code.
See "systemctl status rsyslog.service" and "journalctl -xe" for details.

The systemctl status message contains the following:

● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2022-02-19 18:17:44 CET; 3min 56s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Process: 92657 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited, status=1/FAILURE)
Main PID: 92657 (code=exited, status=1/FAILURE)

Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Service RestartSec=100ms expired, scheduling restart.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 7.
Feb 19 18:17:44 machineName systemd[1]: Stopped System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Start request repeated too quickly.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.

Does anyone have a good idea for how this is not working?

This part of the script is, from what I understand, responsible for the syslog daemon, so it's quite important that it works.

Any help is much appreciated.

3 Replies
Any insight much appreciated.
Hello Stian,

Did you try to upgrade rsyslog?

I've found this article: https://access.redhat.com/solutions/6259271
You need to create an account to access it, but there is a tag "SOLUTION VERIFIED".
If you create an account on Red Hat, this article would probably help you.

I had this exact issue, and it was caused by SELinux (Security-Enhanced Linux) blocking rsyslogd from accessing its own config files.  The command "journalctl -xe" gave more info, and also helpfully provided the commands to generate a local policy module to allow access:

[screenshot of the "journalctl -xe" output with the suggested commands]

After this I was able to start rsyslog.  Another problem came up after installing the Sentinel log forwarder.  rsyslog was unable to parse /etc/rsyslog.conf due to some comments lacking the "#" to signify the line is meant to be a comment(!)  Note below, the text "This only needs to be done once" should be commented out or removed entirely.  I don't know why/what set this configuration.

# provides UDP syslog reception
module(load="imudp")    This only needs to be done once
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")      This only needs to be done once
input(type="imtcp" port="514")

After this, I had to add a firewall rule to allow inbound traffic of port 514.

firewall-cmd --permanent --add-port 514/udp
firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload

Hope this helps!
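The replies above point at three separate causes for the same "rsyslog.service failed" symptom on RHEL 8: an SELinux denial, stray text in /etc/rsyslog.conf that is not a comment, and a missing firewalld rule for port 514. The script below is an added example for checking all three before restarting the service; it is not code from the thread or from the Sentinel forwarder script, and the function names are my own. The config lint is a heuristic that only understands RainerScript `object(...)` lines like the ones quoted above, and the system checks (`rsyslogd -N1`, `ausearch`, `getenforce`, `firewall-cmd`) are skipped when the tool is not installed.

```shell
#!/bin/sh
# Pre-flight checks for the rsyslog start failure discussed in this thread.
# Added example, not code from the thread; function names are assumptions.

# lint_rsyslog_conf FILE
# Prints "LINE: text" for every object(...) statement that is followed by stray
# text not introduced by '#' (the defect shown in the reply above).
# Returns 1 if any such line exists, 0 otherwise. Heuristic: it does not try to
# understand legacy syntax or multi-line statements.
lint_rsyslog_conf() {
    awk '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^#/ { next }       # blank lines and real comments
        line ~ /^[A-Za-z_]+\(.*\)[[:space:]]*[^[:space:]#]/ {
            printf "%d: %s\n", NR, $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# fix_rsyslog_conf FILE
# Writes a copy of FILE to stdout with such stray text turned into a '#' comment.
fix_rsyslog_conf() {
    sed -E 's/^([A-Za-z_]+\(.*\))[[:space:]]*([^[:space:]#].*)$/\1  # \2/' "$1"
}

# diagnose_rsyslog [CONF]
# Runs the lint plus the host-level checks; each tool is optional.
diagnose_rsyslog() {
    conf="${1:-/etc/rsyslog.conf}"
    lint_rsyslog_conf "$conf" && echo "lint: no stray comment text in $conf"
    if command -v rsyslogd >/dev/null 2>&1; then
        # -N1 parses the config and exits without starting the daemon
        rsyslogd -N1 -f "$conf" && echo "rsyslogd -N1: config parses"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi
    if command -v ausearch >/dev/null 2>&1; then
        # AVC denials against rsyslogd; the reply above fixed these with a local policy module
        ausearch -m AVC -c rsyslogd -ts recent 2>/dev/null \
            || echo "no recent AVC denials recorded for rsyslogd"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        for p in 514/udp 514/tcp; do
            if firewall-cmd --query-port "$p" >/dev/null 2>&1; then
                echo "firewalld allows $p"
            else
                echo "firewalld does NOT allow $p (see firewall-cmd --permanent --add-port $p)"
            fi
        done
    fi
}

# make_sample_conf
# Writes a constructed config fragment (the lines quoted in the reply above)
# to a temp file and prints its path, so the lint can be tried offline.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# provides UDP syslog reception
module(load="imudp")    This only needs to be done once
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")      This only needs to be done once
input(type="imtcp" port="514")
EOF
    echo "$f"
}

# Demonstration on the constructed sample
sample=$(make_sample_conf)
echo "== lint =="
lint_rsyslog_conf "$sample" || echo "stray text found; corrected copy follows"
echo "== fixed =="
fix_rsyslog_conf "$sample"
rm -f "$sample"
```

Run `diagnose_rsyslog` as root on the RHEL host to get the live checks; the lint and fixer work on any copy of the file, so you can verify a corrected config with `rsyslogd -N1 -f` before overwriting /etc/rsyslog.conf.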