Hi,
I am setting up centralized logging from FreeIPA version 4.10.1 running on 
CentOS.
I have tried to set up rsyslog, initially just reading the access log, using 
this config (with domain and IPs obfuscated):

module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-MY_DOMAIN/access" 
Tag="ipa-security-log" Facility="local0")
# Forward local facilities
if $syslogfacility >= 16 then @my_ip_adress:514


When restarting rsyslog with this config, I get an error message (with server 
name and domains obfuscated):

Aug 29 10:46:28 myserver.mydomain.net systemd[1]: Starting System Logging 
Service...
Aug 29 10:46:28 myserver.mydomain.net rsyslogd[12607]: imfile: on startup file 
'/var/log/dirsrv/slapd-MY-DOMAIN/access' does not exist but is configured in 
static file monitor - this may indicate a misconfiguration. If the file appears 
at a later time, it will automatically be processed. Reason: Permission denied 
[v8.2102.0-109.el9]

I have observed the following, following tips on various threads and info found 
on internet.

- rsyslog is working as intended when exporting the standard Linux logs.
- rsyslog is running as root. There is no drop privileges configured. I have 
  checked this in /etc/rsyslog.conf, and I also see that rsyslog is running 
  as root when using ps -ef | grep rsyslogd. 
  Running as root should enable it to read any file, shouldn't it?
- I have tried to turn off SELinux, the problem remains the same. I have also 
  checked logs, but there are no signs of SELinux being the cause of the 
  problem.
- FreeIPA is using its system user dirsrv when creating the files.
- The ownership of the directories and files is as follows:
drwxr-xr-x.  3 root    root              28 Aug 23 15:23 dirsrv
drwxrwx--x.  2 dirsrv dirsrv 4096 Aug 28 16:55 slapd-MY-DOMAIN
-rw-------. 1 dirsrv dirsrv  6007159 Aug 29 10:56 access

I have tried to manually change the access rights of the access file with chmod 
o+r access and set chmod o+x on the slapd-directory. This removes the error 
after restart of rsyslog, and rsyslog exports the logs as expected.
However, due to the FreeIPA log rotation set-up, new files are created and 
rotated, removing the read access for others, and the logging stops again.


Has anyone seen anything similar, does anyone have any clues about what the 
cause of this could be?
Is there anything I can do with the set-up of the FreeIPA server itself, to 
change the permissions?
regards,
Ole
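
An added illustration, not part of the original message: the Linux discretionary permission check walked over the ownership and modes listed in the post. The listing data is constructed from that ls -l output, the function names are hypothetical, and the assumption is a reader process that holds neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH; the post does not establish whether that applies to rsyslogd on this host.

```python
import stat

# Constructed from the `ls -l` listing in the post: (name, mode, owner, group).
# Owner/group names stand in for numeric ids; "MY-DOMAIN" is the post's placeholder.
PATH = [
    ("dirsrv",          stat.S_IFDIR | 0o755, "root",   "root"),
    ("slapd-MY-DOMAIN", stat.S_IFDIR | 0o771, "dirsrv", "dirsrv"),
    ("access",          stat.S_IFREG | 0o600, "dirsrv", "dirsrv"),
]

def class_bits(mode, owner, group, user, groups):
    """Return the rwx triplet (0-7) of the single class that applies to the caller."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def first_denial(path, user, groups, caps=frozenset()):
    """Walk the path the way the DAC check does. Return None if the final
    file is readable, else (component, missing_permission)."""
    # Either capability bypasses file read and directory search checks.
    bypass = bool(caps & {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"})
    for name, mode, owner, group in path:
        bits = class_bits(mode, owner, group, user, groups)
        if stat.S_ISDIR(mode):
            need, label = 1, "search (x)"
        else:
            need, label = 4, "read (r)"
        if not bypass and not bits & need:
            return (name, label)
    return None

def with_mode(path, name, mode_bits):
    """Copy of path with one component's permission bits replaced."""
    return [(n, stat.S_IFMT(m) | mode_bits if n == name else m, o, g)
            for n, m, o, g in path]

if __name__ == "__main__":
    root = ("root", {"root"})
    print("root, no DAC capability:", first_denial(PATH, *root))
    print("root, CAP_DAC_OVERRIDE: ",
          first_denial(PATH, *root, caps=frozenset({"CAP_DAC_OVERRIDE"})))
    print("after chmod o+r access: ",
          first_denial(with_mode(PATH, "access", 0o604), *root))
    print("directory without o+x:  ",
          first_denial(with_mode(PATH, "slapd-MY-DOMAIN", 0o770), *root))
```

On a live host, namei -l on the full path shows the same per-component owner and mode data that the constructed list encodes.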