EDR: Syslog not functioning on server, rsyslog logging being sent to /var/log/messages.

Environment

  • EDR Server: All Versions
  • Linux: All Supported Versions

Symptoms

  • All logging for EDR that uses rsyslog is being sent to /var/log/messages
  • The /var/log/cb/notification directory only contains zero-length files.
  • The following messages appear in the /var/log/messages file:
    • kernel: Kernel logging (proc) stopped.
    • rsyslogd: the last error occured in /etc/rsyslog.conf, line 31:"$IncludeConfig /etc/rsyslog.d/*.conf"
    • rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'.
  • Running the command /usr/share/cb/cbsyslog -f --event feed.storage.hit.binary is successful, but the 'cb-notifications-test' file does not get created

Cause

  • The /etc/rsyslog.d/cb-coreservices.conf file fails to load because its SELinux context is incorrect. rsyslog reports an error on startup about the '$IncludeConfig' line in /etc/rsyslog.conf, since that directive is what pulls in the files under /etc/rsyslog.d/. Correcting the SELinux context allows cb-coreservices.conf to be loaded.

Resolution

Run the following command to correct the SELinux context on cb-coreservices.conf:
  • semanage fcontext -a -t syslog_conf_t /etc/rsyslog.d/cb-coreservices.conf

Additional Notes

Changing the SELinux context adds the entry below to the file_contexts.local file:

    # This file is auto-generated by libsemanage
    # Do not edit directly.
    /etc/rsyslog.d/cb-coreservices.conf   system_u:object_r:syslog_conf_t:s0
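As an added example (not part of this article and not Carbon Black's own tooling), the shell script below ties the symptoms, cause and notes together: it scans a syslog file for the rsyslogd config error quoted above, reports where rsyslog says the error is, checks the SELinux type on cb-coreservices.conf with `stat -c %C`, and records the semanage rule when the type is wrong. The paths and the syslog_conf_t type come from the article; the function names and the sample log lines are constructed for this example. One step is added beyond the article: after `semanage fcontext -a` records the rule, `restorecon` is run so the label is actually applied to the file that already exists on disk.

```shell
#!/bin/sh
# Added example (not from the KB article). Detects the rsyslogd config error
# described in Symptoms, then verifies and optionally corrects the SELinux type
# on the Carbon Black rsyslog drop-in. Function names are constructed.

CB_CONF="/etc/rsyslog.d/cb-coreservices.conf"
EXPECTED_TYPE="syslog_conf_t"

# Exit 0 when the log file ($1) contains rsyslogd's master-config failure.
has_rsyslog_config_error() {
    grep -q "rsyslogd.*CONFIG ERROR: could not interpret master config file" "$1"
}

# Print "<file>:<line>" taken from rsyslogd's "the last error occured in ..."
# message (rsyslog's own spelling), or nothing if that line is absent.
rsyslog_error_location() {
    sed -n 's/.*the last error occured in \([^,]*\), line \([0-9][0-9]*\):.*/\1:\2/p' "$1" | head -n 1
}

# Exit 0 when a SELinux context string ($1, e.g. system_u:object_r:syslog_conf_t:s0)
# carries the expected type ($2). Field 3 of the colon-separated context is the type.
context_has_type() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "$2" ]
}

# Exit 0 when a file_contexts.local file ($1) already holds a rule for CB_CONF
# with the expected type, i.e. the entry the article shows after running semanage.
local_rule_present() {
    grep -q "^${CB_CONF}[[:space:]].*:${EXPECTED_TYPE}:" "$1"
}

# Live check against the running system; the fix itself needs root.
check_and_fix_cb_conf() {
    [ -e "$CB_CONF" ] || { echo "$CB_CONF not found"; return 1; }
    ctx=$(stat -c %C "$CB_CONF")
    if context_has_type "$ctx" "$EXPECTED_TYPE"; then
        echo "$CB_CONF already labelled $EXPECTED_TYPE"
        return 0
    fi
    echo "$CB_CONF has context '$ctx', expected type $EXPECTED_TYPE; fixing"
    # Article's fix: record the rule in the local policy (file_contexts.local).
    semanage fcontext -a -t "$EXPECTED_TYPE" "$CB_CONF"
    # Added step: semanage only records the rule; restorecon relabels the file
    # that already exists on disk so rsyslog can read it on the next start.
    restorecon -v "$CB_CONF"
}

# Constructed sample of the /var/log/messages lines quoted in the article.
write_sample_log() {
    printf '%s\n' \
      'Oct 30 10:15:01 cbserver kernel: Kernel logging (proc) stopped.' \
      'Oct 30 10:15:01 cbserver rsyslogd: the last error occured in /etc/rsyslog.conf, line 31:"$IncludeConfig /etc/rsyslog.d/*.conf"' \
      "Oct 30 10:15:01 cbserver rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'." \
      > "$1"
}

# Usage: sh check_cb_rsyslog.sh /var/log/messages   (as root to apply the fix)
# With no argument the detection runs against the constructed sample only.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    if has_rsyslog_config_error "$1"; then
        echo "rsyslog failed to load its config; last error at: $(rsyslog_error_location "$1")"
        check_and_fix_cb_conf
    else
        echo "no rsyslog config error found in $1"
    fi
else
    SAMPLE=$(mktemp)
    write_sample_log "$SAMPLE"
    if has_rsyslog_config_error "$SAMPLE"; then
        echo "sample: rsyslog config error, last error at $(rsyslog_error_location "$SAMPLE")"
    fi
    rm -f "$SAMPLE"
fi
```

Pointing the script at /var/log/messages on an affected server prints the `/etc/rsyslog.conf:31` location from the quoted error and then shows the current context of cb-coreservices.conf before changing anything; `local_rule_present` can be run against file_contexts.local afterwards to confirm the entry shown in Additional Notes was written.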

Article Information
Creation Date: 10-30-2017