Re: Help ! No syslog anymore

[Bhasker C V <bhasker@unixindia.com>]

Thanks very  much.

Adding bind path did not help. I found that if I run rsyslog from command-line as unconfined_t, it works well. It is just the extra systemd locks which fail

I have since written a simple systemd unit file to make rsyslog work and it has started working

# /etc/systemd/system/user-rsyslog.service
[Unit]
Description=Simple Rsyslog service
After=network.target auditd.service

[Service]
Type=simple
ExecStart=pkill -9 -f rsyslogd;/usr/sbin/rsyslogd -n -iNONE

[Install]
WantedBy=multi-user.target

On Wed, Nov 8, 2023 at 4:47 PM Sven Joachim <svenjoac@gmx.de> wrote:

On 2023-11-08 08:26 +0000, Bhasker C V wrote:

>  I moved my syslog to a different location  '/tmp/server.log'

A rather strange decision, since /tmp is usually pruned on reboot.

> This was working all fine until I moved to selinux in enforcing mode.
>
> I have tried putting selinux in permissive state and that too did not help

Most likely your problem has nothing to do with selinux, but is rather
due to the hardening features implemented in rsyslog 8.2310.0-1.  Among
other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
in rsyslog.service) which is not shared with other processes.

> Please could someone help ? Or if there is a procedure to move syslog file
> /var/log/syslog to a different location, I am happy to follow ...

If you insist on moving it to /tmp, one possibility is to use a bind
mount for /tmp/server.log.  Run "systemctl edit rsyslog.service" and put
the following two lines in the file:

[Service]
BindPaths=-/tmp/server.log

You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
reboot if it does not exist.

Good luck,
Sven