Whilst configuring a central syslog server using rsyslog on CentOS 6, I was experiencing issues with dynamic log filenames being created. I had created a new filesystem, mounted at /var/syslog, for my logs, and configured rsyslog.conf with the following:
```
...
$template FILENAME,"/var/syslog/%HOSTNAME%/syslog.log"
*.* ?FILENAME
...
```
However, the dynamic logs were not being created, and instead the following error message was observed in the local /var/log/messages file (mars being the hostname):
```
Jun 13 23:30:01 mars rsyslogd-3000: Could not open dynamic file '/var/syslog/mars/syslog.log' [state -3000] - discarding message [try http://www.rsyslog.com/e/3000 ]
```
A quick check of the SELinux context found the issue:
```
# ls -Zd /var/syslog
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog
# ls -Zd /var/log
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log
```
chcon to the rescue, referencing /var/log:
```
# chcon --reference /var/log /var/syslog
```
A restart of rsyslog later, and we were in business:
```
# ls -l /var/syslog/mars
total 4
-rw-------. 1 root root 445 Jun 13 23:33 syslog.log
```
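A label set with chcon lives only on disk and is reset by a later restorecon or full relabel, because the policy's file-context rules still map the path to its old type. The script below is an added example, not part of the original post: it compares the SELinux type of a log directory with a reference using `ls -Zd` output, and on a mismatch prints the semanage and restorecon commands that record the label persistently. The function names `selinux_type` and `check_log_dir` are hypothetical, and the two sample lines are the ones shown earlier in the post.

```shell
#!/bin/sh
# Added example: audit a log directory's SELinux type against a reference.

# Print the type (3rd field of user:role:type:level) found in one line of
# `ls -Zd` output; prints nothing if no context field is present.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:|$)/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# check_log_dir REF_LINE TARGET_LINE TARGET_PATH
# Returns 0 if the types match, 1 on mismatch (and prints the persistent
# fix), 2 if either line carries no parsable context.
check_log_dir() {
    want=$(selinux_type "$1")
    have=$(selinux_type "$2")
    path=$3
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "unable to parse SELinux context" >&2
        return 2
    fi
    if [ "$have" = "$want" ]; then
        echo "OK $path $have"
        return 0
    fi
    echo "MISMATCH $path have=$have want=$want"
    # Record the rule in policy, then apply it to the existing tree.
    echo "semanage fcontext -a -t $want '$path(/.*)?'"
    echo "restorecon -Rv $path"
    return 1
}

# Sample input: the two `ls -Zd` output lines from the post.
REF='drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log'
TGT='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /var/syslog'
check_log_dir "$REF" "$TGT" /var/syslog || true
```

On a live host the sample lines would be replaced by `"$(ls -Zd /var/log)"` and `"$(ls -Zd /var/syslog)"`.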
Note: it’s worth noting here that I updated my dynamically created file rule to be as follows (including the date too) as one huge file per host is not very useful:
```
$template FILENAME,"/var/syslog/%FROMHOST%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
```