Rsyslog 转发日志无法连接权限被拒绝

tag-icon tag-icon centos syslog selinux syslogd
Rsyslog 转发日志无法连接权限被拒绝

已配置 Rsyslog 通过 SSH 隧道将日志发送到远程位置。

然而 rsyslog 抱怨“权限被拒绝”:

rsyslogd[28412]: cannot connect to 127.0.0.1:10601: Permission denied [v8.2102.0-10.el8 try https://www.rsyslog.com/e/2027 ]

服务器是CentOS Stream 8

隧道已验证为已启动 - ss -lntp- 并且我能够使用 ie 通过它发送echo test | nc 127.0.0.1 601,并且测试显示在远程。

隧道通过autossh以非特权用户身份运行来维持,因此本地端口必须是非特权的(或者您bind [127.0.0.1]:601: Permission denied在设置隧道时获得)。

转发是通过 Rsyslogomfwd转发输出模块完成的

# /etc/rsyslog.d/00-forward.conf
# Forward to remote server through an ssh tunnel / autossh
*.info action(type="omfwd"
         queue.Type="LinkedList"
         queue.Filename="forward_queue_1"
         queue.MaxDiskSpace="3m"
         queue.SaveOnshutdown="on"
         action.ResumeRetryCount="-1"
         target="127.0.0.1" port="10601" protocol="tcp"
        )

答案1

Rsyslog 以 root 身份运行,因此通常不会出现权限被拒绝的情况。

深入研究/var/log/messages(或者/var/log/syslog在 Ubuntu 上)应该会提供一些线索。

grep 10601 /var/log/messages  # search for the port number
... setroubleshoot[29284]: SELinux is preventing /usr/sbin/rsyslogd from name_connect access on the tcp_socket port 10601. For complete SELinux messages run: sealert -l 005c986c-e0f9-481a-b3c6-0b45a9698ccd
... setroubleshoot[31103]: SELinux is preventing /usr/sbin/rsyslogd from name_connect access on the tcp_socket port 10601.#012#012*****  Plugin connect_ports (92.2 confidence) suggests   *********************#012#012If you want to allow /usr/sbin/rsyslogd to connect to network port 10601#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 10601#012    where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_port_t, kerberos_port_t, mysqld_port_t, ocsp_port_t, postgresql_port_t, rsh_port_t, syslog_tls_port_t, syslogd_port_t, wap_wsp_port_t.#012#012*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************#012#012If you want to

这就是:

rsyslog 已配置为发送到非标准端口,并且SELinux正在否认。

解决方案 - 如果您保留非标准端口 - 是在 SElinux 中允许该端口。

获取详细信息sealert -l 005c986c-e0f9-481a-b3c6-0b45a9698ccd- UUID 当然对您来说是唯一的。

If you want to allow /usr/sbin/rsyslogd to connect to network port 10601
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 10601
    where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_port_t, kerberos_port_t, mysqld_port_t, ocsp_port_t, postgresql_port_t, rsh_port_t, syslog_tls_port_t, syslogd_port_t, wap_wsp_port_t.

我声明我的端口是syslogd_port_t

semanage port -a -t syslogd_port_t -p tcp 10601

# Restart rsyslog for good measure
systemctl restart rsyslog  # or "pkill -HUP rsyslog"

日志现已发送。

相关内容