rsyslog permission denied

[johnhk215]

syslog service can be started with error
rsyslog rsyslogd[2253]: imjournal: fopen() failed for path: '/var/lib/rsyslog/imjournal.state.tmp': Permission denied

Change log path to /opt/rsyslog

---------------------------------------------------------------
chcon --reference /var/log /opt/rsyslog

Rsyslog config
------------------------------------------------------------
$template RemoteLogs,"/opt/rsyslog/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?RemoteLogs
& ~

#
# Set the default permissions for all log files.
#
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# These may require root
$FileOwner syslog
$FileGroup syslog
$PrivDropToUser syslog
$PrivDropToGroup syslog

----------------------------------------------------------------

if #$PrivDropToUser syslog -> no permission denied but syslog user doesn't have /opt/rsyslog

Any advise?

Thanks.

[TrevorH]

Looks like your problem is caused by you trying to move it to /opt/rsyslog. Is there a reason why you'd try to do that?

[johnhk215]

Yes, It is central logging server and would like to put the data in to /opt/data instead of default path /var/log.
Can I ignore the permission denied message?

Thanks.

[pjsr2]

You cannot simply ignore the message.

There is a whole bunch of selinux context settings that apply to /var/log and the log files and subdirectories in it, written by various applications. If you move your log files from /var/log to /opt/log you need to get these selinux fcontext sorted out, which is a whole lot of work.

You should expect logging problems similar to the one you already observed from other applications, and they may not show up immediately as it may take time before applications feel the need to log something. Some applications don't care when they can't log. Other applications fail when they can't log. If applications cannot log, that may have security implications, as you may loose important warning signals.

[TrevorH]

If you moved it to give more space then I would suggest mounting that filesystem on /var/log to begin with (though that's more complicated than just that as you will need to copy the existing content over first and probably relabel the filesystem afterwards once it's mounted on /var/log).

As pjsr2 says, ther are numerous selinux rules set up to allow access and you would need to duplicate or set up equivalence rules for those

Code: Select all

# semanage fcontext -l | grep -c var_log
66

[johnhk215]

Thank you for yours information.
Can I change Rsyslog store log path to another path without change /var/log ?

[TrevorH]

I thought that's what we've been telling you is too complicated and that you shouldn't do? But maybe I misunderstood your question.

[johnhk215]

Got it. Thank you for your reply.