Linux syslog agent initial setup on RHEL 8 machine


Greetings,

I was trying to set up the log forwarder for a Fortinet firewall to ingest to Sentinel, however I can't seem to figure out why the script is failing to do what it normally does. I usually run on Ubuntu machines and have no issues, but this time I had to do it on a Red Hat Enterprise Linux 8 machine.

To be more specific, most of the script runs fine until I get this message:


Job for rsyslog.service failed because the control process exited with error code.
See "systemctl status rsyslog.service" and "journalctl -xe" for details.

The systemctl status message contains the following:

● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2022-02-19 18:17:44 CET; 3min 56s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Process: 92657 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited, status=1/FAILURE)
Main PID: 92657 (code=exited, status=1/FAILURE)

Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Service RestartSec=100ms expired, scheduling restart.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 7.
Feb 19 18:17:44 machineName systemd[1]: Stopped System Logging Service.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Start request repeated too quickly.
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Failed with result 'exit-code'.
Feb 19 18:17:44 machineName systemd[1]: Failed to start System Logging Service.

Does anyone have a good idea of why this is not working?

This part of the script is, from what I understand, responsible for the syslog daemon, so it's quite important that it works.

Any help is much appreciated.
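The status excerpt above contains only systemd's lines (exit status, restart counter); the reason rsyslogd exited with status 1 is in the daemon's own lines, which the unit journal keeps. The helper below is an added example, not code from the post or from the Sentinel forwarder script: it reads `journalctl -u rsyslog -b --no-pager` text on stdin and classifies the start failure; the sample journal lines and the config file path are constructed, modelled on rsyslogd's message format.

```shell
# Added triage helper (not from the post). Reads rsyslog's unit journal on
# stdin and reports which kind of start failure the daemon itself logged.
rsyslog_triage() {
    input=$(cat)
    # lines written by the daemon itself; systemd's lines only say it exited
    daemon=$(printf '%s\n' "$input" | grep -E ' rsyslogd(\[[0-9]+\])?: ' || true)
    case "$daemon" in
        *"error during parsing"*|*"CONFIG ERROR"*|*"could not load module"*)
            verdict=config-error
            hint='validate the config: rsyslogd -N1 (prints the offending file and line)' ;;
        *"ermission denied"*)
            verdict=permission
            hint='check SELinux and ownership: ausearch -m AVC -ts recent; ls -lZ /var/spool/rsyslog' ;;
        *"ddress already in use"*)
            verdict=port-in-use
            hint='another listener holds the syslog port: ss -lunp | grep 514' ;;
        "")
            verdict=no-daemon-output
            hint='only systemd lines present; run journalctl -u rsyslog -b --no-pager and rsyslogd -N1' ;;
        *)
            verdict=unknown
            hint='read the rsyslogd lines below' ;;
    esac
    printf '%s\t%s\n' "$verdict" "$hint"
    if [ -n "$daemon" ]; then printf '%s\n' "$daemon" | sed 's/^/  evidence: /'; fi
}

# Constructed sample journal, modelled on rsyslogd's parse-error message format
# (the file path is a placeholder, not the forwarder script's real file name).
SAMPLE_CONFIG_ERROR=$(cat <<'EOF'
Feb 19 18:17:44 machineName systemd[1]: Starting System Logging Service...
Feb 19 18:17:44 machineName rsyslogd[92657]: error during parsing file /etc/rsyslog.d/forwarder-example.conf, on or before line 3: invalid character '"' - is there an invalid escape sequence somewhere?
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
EOF
)
# Constructed sample with no daemon lines at all, like the status excerpt in the post.
SAMPLE_SYSTEMD_ONLY=$(cat <<'EOF'
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 18:17:44 machineName systemd[1]: rsyslog.service: Start request repeated too quickly.
EOF
)
printf '%s\n' "$SAMPLE_CONFIG_ERROR" | rsyslog_triage
printf '%s\n' "$SAMPLE_SYSTEMD_ONLY" | rsyslog_triage
```

On the real machine, pipe the journal in directly: `journalctl -u rsyslog -b --no-pager | rsyslog_triage`.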

Any insight much appreciated.
Hello Stian,

Did you try upgrading rsyslog?

I've found this article: https://access.redhat.com/solutions/6259271
You need to create an account to access it, but it carries the tag "SOLUTION VERIFIED".
If you create an account on Red Hat, this article would probably help you.