[rsyslog-notify] Forum Thread: Re: elasticsearch module error on CentOS 6.5 - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Sun Mar 16 23:59:44 CET 2014


User: aaronc 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24390#p24390

Message: 
----------
I think I solved the problem and will post my solution here in case someone
else has the same one.

My issue was SELinux policy. To test if SELinux policy is the problem
check /var/log/audit/auditd.log. If you see a line like this:

    type=AVC msg=audit(1395007200.770:16197):
    avc:  denied  { name_connect } for  pid=29227
    comm=72733A6D61696E20513A526567 dest=9200
    scontext=unconfined_u:system_r:syslogd_t:s0
    tcontext=system_u:object_r:port_t:s0
    tclass=tcp_socket

then it is. The statement "dest=9200" is the elasticsearch port being
blocked by SELinux.

The solution is fairly simple (though I can't say if it is optimal). You
need to change the policy and allow rsyslog to use port 9200. First you
need SELinux policy tools. The steps are:

1. yum install policycoreutils-python
2. semanage port -a -t syslogd_port_t -p tcp 9200
3. service rsyslog restart

This worked for me and now I see the logs in elasticsearch. :)

--Aaron
http://www.sharknet.us
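An added example (not part of Aaron's post or of rsyslog) that automates the check described above: it parses AVC records of the form quoted in the post out of audit log text, decodes the hex-encoded comm field (audit hex-encodes a value that contains spaces), and reports name_connect denials whose source type is syslogd_t together with the denied destination port. The sample log text is constructed: the AVC line reuses the pid, timestamp and contexts from the post, while the SYSCALL record and the httpd record around it are made up to show lines the filter must skip. The suggested semanage command is the one from the post, with only the port filled in from the record.

```python
import re

# Constructed sample audit text (auditd writes each record on one line).
# Line 2 is the record quoted in the post; lines 1 and 3 are made-up noise.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1395007200.770:16197): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1395007200.770:16197): avc:  denied  { name_connect } for  pid=29227 comm=72733A6D61696E20513A526567 dest=9200 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1395007201.001:16198): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: type, audit(timestamp:serial), result, permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; a value is either "quoted" or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(value):
    """Return the process name from a comm field.

    audit writes comm="name" when the name is plain, and a bare hex string
    (as in the post: 72733A... = 'rs:main Q:Reg') when it contains spaces
    or other special characters.
    """
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    except ValueError:
        return value


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    if 'comm' in fields:
        fields['comm'] = decode_comm(fields['comm'])
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        **fields,
    }


def source_type(scontext):
    """user:role:type:level -> type (e.g. syslogd_t)."""
    return scontext.split(':')[2]


def find_port_denials(log_text, source_type_name='syslogd_t'):
    """Denied TCP name_connect records whose source domain is source_type_name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        if rec.get('tclass') != 'tcp_socket' or 'name_connect' not in rec['perms']:
            continue
        if source_type(rec['scontext']) != source_type_name:
            continue
        hits.append(rec)
    return hits


def suggest_fix(rec, port_type='syslogd_port_t'):
    """The semanage command from the post, with the denied port taken from the record.

    port_type is the label the post chose; it is not derived from the log.
    """
    return 'semanage port -a -t %s -p tcp %s' % (port_type, rec['dest'])


if __name__ == '__main__':
    for rec in find_port_denials(SAMPLE_AUDIT_LOG):
        print('pid %s (%s) denied connect to tcp/%s, tcontext=%s'
              % (rec['pid'], rec['comm'], rec['dest'], rec['tcontext']))
        print('  candidate fix:', suggest_fix(rec))
```

Run it against real data with `find_port_denials(open('/var/log/audit/audit.log').read())`; the tcontext in the hit (port_t, the generic unlabelled port type) is what tells you that relabelling the port, rather than changing the rsyslog domain, is the narrow fix.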

