RSyslog does not work with a log file located outside of /var/log
I am unable to get rsyslog to write to a log file located in a directory other than /var/log.
The server is RHELS 5.6, for the most part with a default configuration, other than the rsyslog-specific changes (rules added to iptables, etc.).
It WORKS if I specify the following in /etc/rsyslog.conf:
local6.* /var/log/MyLog.log
However, it DOES NOT WORK if I were to create a log file at the location /Testing/MyLog.log, chmod -R 777 on it, and then update the configuration to:
local6.* /Testing/MyLog.log
I'm baffled because I set /Testing/MyLog.log (and the directory) with chown and chmod to have identical user:group and permissions as the log /var/log/MyLog.log (according to the output of ls -la).
What am I doing wrong? Is this even possible? I've even tried making a symbolic link in /var/log; nothing I've tried seems to work. I've played around with all sorts of configuration options documented on the rsyslog website.
SELinux will prevent processes that are labeled syslogd_t from writing to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.
You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.
Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get you started. Your policy file could look similar to this:
/Testing(/.*)? -- gen_context(system_u:object_r:var_log_t,s0)
SELinux policy writing, however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.
However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.
Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...
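Added example, not part of the original question or answer: a shell sketch that confirms the diagnosis from audit records and prints the commands for a persistent label. The audit lines are constructed, the function names are hypothetical, and it registers the file-context rule locally with `semanage fcontext` instead of shipping a .fc file in a policy module.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log lines (not taken from the post).
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:456): avc:  denied  { append } for  pid=1234 comm="rsyslogd" name="MyLog.log" dev=dm-0 ino=98765 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1300000001.200:457): avc:  denied  { read } for  pid=2222 comm="httpd" name="x" dev=dm-0 ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd"'

# Read audit records on stdin; for every AVC denial whose source domain is
# syslogd_t, print: <object name> <target type> <object class> <permissions>
syslogd_denials() {
    awk '
    /^type=AVC/ && / denied / {
        src = ""; tgt = ""; cls = ""; name = "?"; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            # A context is user:role:type[:level]; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
        }
        if (src == "syslogd_t") print name, tgt, cls, perms
    }'
}

# Print (do not run) the commands that record a local file-context rule for
# a log directory and apply it, so a later relabel keeps var_log_t.
relabel_commands() {
    dir=${1%/}    # drop one trailing slash, if present
    printf "semanage fcontext -a -t var_log_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv %s\n" "$dir"
}

# Stand-alone run: report the constructed denial, then the commands.
printf '%s\n' "$SAMPLE_AUDIT" | syslogd_denials
relabel_commands /Testing
```

On a live host, feed `syslogd_denials` from /var/log/audit/audit.log; a target type of default_t for the log file is the case described in the answer.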