Systemd
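syslog-ng fails to start because of "Error binding socket ... Permission denied"
After a long time, I recently rebooted one of my machines, and now I'm having a lot of problems with configuration changes.
journalctl shows the following error, and the syslog-ng service no longer works: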
    -- Unit syslog-ng.service has begun starting up.
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: Got notification message from PID 18672, but reception only permitted for main PID 18670
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.128987] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-con
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129414] Error binding socket; addr='AF_INET(0.0.0.0:515)', error='Permission denied (13)'
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129438] Error initializing message pipeline;
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: Failed to start System Logger Daemon.
    -- Subject: Unit syslog-ng.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit syslog-ng.service has failed.
    --
    -- The result is failed.
Here is the service configuration:
    Description=System Logger Daemon
    Documentation=man:syslog-ng(8)
    After=network.target

    [Service]
    Type=notify
    User=root
    Group=root
    ExecStart=/usr/sbin/syslog-ng -p /var/run/syslogd.pid
    ExecReload=/bin/kill -HUP $MAINPID
    EnvironmentFile=-/etc/syslog-ng
    EnvironmentFile=-/etc/default/syslog-ng
    EnvironmentFile=-/etc/sysconfig/syslog-ng
    StandardOutput=journal
    StandardError=journal
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
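So, as you can see, it should run as root, but it still returns error='Permission denied (13)'. The funny thing is that if I try to run the command from the console, /usr/sbin/syslog-ng -p /var/run/syslogd.pid, it runs perfectly without any errors.
Edit 1:
There is no other program running on port 515; as I said, when I try to run the command manually, it works fine.
I am adding the syslog configuration: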
    @version:3.7
    @include "scl.conf"

    # syslog-ng configuration file.
    #
    # This should behave pretty much like the original syslog on RedHat. But
    # it could be configured a lot smarter.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    # Note: it also sources additional configuration files (*.conf)
    # located in /etc/syslog-ng/conf.d/

    options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        chain_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
    };

    source s_sys {
        system();
        internal();
        # udp(ip(0.0.0.0) port(514));
    };

    destination d_cons { file("/dev/console"); };
    destination d_mesg { file("/var/log/messages"); };
    destination d_auth { file("/var/log/secure"); };
    destination d_mail { file("/var/log/maillog" flush_lines(10)); };
    destination d_spol { file("/var/log/spooler"); };
    destination d_boot { file("/var/log/boot.log"); };
    destination d_cron { file("/var/log/cron"); };
    destination d_kern { file("/var/log/kern"); };
    destination d_mlal { usertty("*"); };

    filter f_kernel { facility(kern); };
    filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
    filter f_auth { facility(authpriv); };
    filter f_mail { facility(mail); };
    filter f_emergency { level(emerg); };
    filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
    filter f_boot { facility(local7); };
    filter f_cron { facility(cron); };

    #log { source(s_sys); filter(f_kernel); destination(d_cons); };
    log { source(s_sys); filter(f_kernel); destination(d_kern); };
    log { source(s_sys); filter(f_default); destination(d_mesg); };
    log { source(s_sys); filter(f_auth); destination(d_auth); };
    log { source(s_sys); filter(f_mail); destination(d_mail); };
    log { source(s_sys); filter(f_emergency); destination(d_mlal); };
    log { source(s_sys); filter(f_news); destination(d_spol); };
    log { source(s_sys); filter(f_boot); destination(d_boot); };
    log { source(s_sys); filter(f_cron); destination(d_cron); };

    # Source additional configuration files (.conf extension only)
    @include "/etc/syslog-ng/conf.d/*.conf"
Configuration from apache.conf:
    source s_net_t515 {
        network(
            transport("tcp")
            port(515)
            log-msg-size(2097152)
            max-connections(100)
        );
    };

    destination d_apachea { file("/opt/arcsight/logs/Apache/${HOST}.log"); };
    destination d_apachee { file("/opt/arcsight/logs/Apache/error/${HOST}-error.log"); };
    destination d_a { file("/opt/arcsight/logs/Apache/test.log"); };

    filter f_apachea {
        (netmask(***.***.***.5/32) or netmask(***.***.***.6/32))
        and not message('error]')
        and message('.*\d+\s\d+\s\".*') ;
    };
    filter f_apachee {
        (netmask(***.***.***.5/32) or netmask(***.***.***.6/32))
        and message('error]');
    };

    log { source(s_net_t515); filter(f_apachea); destination(d_apachea); };
    log { source(s_net_t515); filter(f_apachee); destination(d_apachee); };
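Solved!
As @Alexander pointed out, the problem was SELinux blocking the port, but I am receiving logs on 515, so I can't change it.
The solution was to switch SELinux from enforcing to permissive with setenforce 0. In addition, I changed the configuration file so that this setting is applied after a reboot, by changing the line to SELINUX=permissive.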
I guess the problem is the port number 515, which is blocked by SELinux. The default syslog port is 514.
    # semanage port -l
    ...
    syslogd_port_t    tcp    601, 20514
    syslogd_port_t    udp    514, 601, 20514
    ...
    printer_port_t    tcp    515
If you want to run syslog-ng on a different port, you have to change the port label. (semanage port --help will help you.)
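The port-label change described in the answer, as an added example that is not part of the original question or answer: the script reads `semanage port -l` output and prints the relabel command needed so SELinux can stay in enforcing mode. The function names `exact_type` and `relabel_cmd` are hypothetical helpers, the sample listing is constructed from the lines quoted above plus one range entry, and it assumes syslog-ng's domain may bind ports labelled syslogd_port_t, as the listing in the answer implies.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output: the lines quoted in the
# answer plus one range entry. Not captured from a real host.
SAMPLE='SELinux Port Type              Proto    Port Number

hi_reserved_port_t             tcp      512-1023
printer_port_t                 tcp      515
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514'

# exact_type PROTO PORT
# Reads `semanage port -l` text on stdin and prints the type that lists
# PORT as a single-port entry. Range entries (e.g. 512-1023) are ignored,
# because only an exact entry blocks `semanage port -a`.
exact_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)          # strip the list separator
                if (p == port) { print $1; exit }
            }
        }'
}

# relabel_cmd TYPE PROTO PORT
# Prints "ok" if PORT already carries TYPE, otherwise the semanage command
# that assigns it. Reads the port listing on stdin.
relabel_cmd() {
    cur=$(exact_type "$2" "$3")
    if [ "$cur" = "$1" ]; then
        echo "ok"
    elif [ -n "$cur" ]; then
        # The port already has its own entry under another type, so -a is
        # rejected as "already defined"; the entry has to be modified.
        echo "semanage port -m -t $1 -p $2 $3"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# On a live host: semanage port -l | relabel_cmd syslogd_port_t tcp 515
printf '%s\n' "$SAMPLE" | relabel_cmd syslogd_port_t tcp 515
```

After running the printed command as root and restarting the service, `semanage port -l` should list 515 under syslogd_port_t.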