SLES10 syslog-ng and audit.log.

Good day,

I am trying to configure syslog-ng to send the audit.log file to a remote server. I always get a permission denied on the file unless I disable AppArmor… I cannot disable AppArmor since this config needs to be put into production.

Here is my config:

# Read the audit log as a file source.
source s_file {
    file("/var/log/audit/audit.log");
};

# Local copy of the audit messages.
destination d_local_audit {
    file("/var/log/local3.log");
};

# Send the audit messages both to the local file and to the remote loghost.
log {
    source(s_file);
    destination(d_local_audit);
    destination(d_remote_loghost3);
};

The local3.log is not getting populated by audit.logs and I can't figure out why. The remote host is not receiving much either, but it receives some stuff (other logs; I checked with tcpdump -vvvnAXSs 1514 port 514).

I am willing to try other ways of doing this, like using a named pipe, but I am not sure how this works.

Any help is greatly appreciated.

On 17/08/16 20:34, malarie 01 wrote:
> I am trying to configure syslog-ng to send the audit.log file to a
> remote server. I always get a permission denied on the file unless i
> disable apparmor… I cannot disabler Apparmor since this config need to
> be put into production.
>
> Here is my config:
>
> source s_file {
> file("/var/log/audit/audit.log");
> };
>
> destination d_local_audit {
> file ("/var/log/local3.log");
> };
>
> log {
> source (s_file);
> destination(d_local_audit)

Is the above line missing a semi-colon (;) at the end or is it a typo
when posting here?
> destination(d_remote_loghost3);
> };
>
> The local3.log is not getting populated by audit.logs and I cant figure
> out why. The remote host is not eceiving much either, but it receives
> some stuff (other logs . I checked with tcpdump -vvvnAXSs 1514 port
> 514)
>
> I am willing to try other ways of doing this, like using named pipe, but
> I am not sure how this work.

Is the AppArmor error perhaps referring to the local d_local_audit
destination file rather than the remote server? Or are you seeing the
AppArmor error on the remote server?

Can you post the syslog-ng configuration section for
d_remote_loghost3? Are you saying that on the same server, using the
same d_remote_loghost3 configuration, you can send other logs to the
remote server?

HTH.

Simon
SUSE Knowledge Partner



Hi and thanks for the reply.

It's indeed a typo in the forum post, my apologies.

> Is the AppArmor error perhaps referring to the local d_local_audit
> destination file rather than remote server? Or are you seeing the
> AppArmor error on the remote server?

A: I do not have access to the remote server, but all our SLES11 servers are sending to the remote log server. But since SLES 11 is using rsyslog, the config is not the same. This would be the 1st SLES 10 to send traffic to this loghost. When AppArmor is running, I get a permission denied on the audit.log when restarting syslog.

Here are the destination servers:

#---------------------------------------------------------------#
# Remote destinations section.
#---------------------------------------------------------------#

# remote syslog-ng servers: loghost, loghost2 and loghost3.

destination d_remote_loghost { tcp("loghost" port(514)); };
destination d_remote_loghost2 { tcp("loghost2" port(514)); };
destination d_remote_loghost3 { tcp("loghost3" port(514)); };
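The thread leaves AppArmor as the open problem: syslog-ng is denied read access to audit.log, and disabling AppArmor is not an option. The usual defender's answer is to extend the syslog-ng profile with the one access it needs and keep the profile enforcing. The shell below is an added example, not code from the thread or from SUSE; it turns one AppArmor denial line into the matching profile rule and inserts that rule into a profile file. The denial line is a constructed sample, and the profile path /etc/apparmor.d/sbin.syslog-ng, the `rcsyslog` init script and the denial-line format are assumptions to verify on the SLES 10 host.

```shell
#!/bin/sh
# Added example (not from the thread). Derive an AppArmor file rule from a
# denial line and add it to the syslog-ng profile so AppArmor stays enforcing.

# Constructed sample denial line (format is an assumption; check dmesg or
# /var/log/audit/audit.log on the host for the real one).
SAMPLE_DENIAL='audit(1471466067.123:45): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/log/audit/audit.log" pid=4242 profile="/sbin/syslog-ng"'

# Print an AppArmor file rule ("<path> <mask>,") for one denial line.
# The mask is taken from denied_mask, so only the refused access is granted.
denial_to_rule() {
    path=$(printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$1" | sed -n 's/.*denied_mask="\([^":]*\).*/\1/p')
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$path" "$mask"
}

# Insert a rule before the profile's last closing brace unless it is already
# present. $1 = profile file, $2 = rule text. Idempotent, safe to re-run.
add_rule_to_profile() {
    profile="$1"; rule="$2"
    grep -qF "$rule" "$profile" && return 0
    tmp="$profile.tmp.$$"
    awk -v rule="  $rule" '
        { lines[NR] = $0; if ($0 ~ /^}/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print rule
                print lines[i]
            }
        }' "$profile" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install a file that did not get the rule (no closing brace).
    grep -qF "$rule" "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$profile"
}

# Typical use on the SLES host (paths and script names are assumptions):
#   rule=$(denial_to_rule "$(dmesg | grep -m1 'profile="/sbin/syslog-ng"')")
#   add_rule_to_profile /etc/apparmor.d/sbin.syslog-ng "$rule"
#   apparmor_parser -r /etc/apparmor.d/sbin.syslog-ng && rcsyslog restart
```

After reloading the profile, restart syslog-ng and confirm the denial no longer appears and /var/log/local3.log starts filling; if a second denial shows up (for example for a different path), repeat the same steps rather than switching the profile to complain mode.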