拒绝对rsyslog的访问

Question

早上好,

我试图用rsyslog将Zeek日志发送到本地网络上的另一个主机。

到目前为止，我在/etc/rsyAdd.1-.d中有一个配置文件，如下所示：

module(load="imfile")

#### Templates ####
template (name="zeek_Logs" type="string"
          string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %$!msg%\n"
         )

#### RULES for where to send Log Files ####
# Send messages over TCP using the ZEEK_Logs template
ruleset(name="send_zeek_logs") {
    if $msg startswith not "#" then {
        set $!msg = replace($msg, "|", "%7C"); # Handle existing pipe char
        set $!msg = replace($!msg, "\t", "|");

        action (
            type="omfwd"
            protocol="tcp"
            target="192.168.1.140"
            port="7000"
            template="zeek_Logs"
        )
    }
}

#### Inputs ####

input (
    type="imfile"
    File="/opt/zeek/logs/current/weird.log"
    Tag="zeek_weird"
    Facility="local7"
    Severity="info"
    RuleSet="send_zeek_logs"
)

input (
    type="imfile"
    File="/opt/zeek/logs/current/modbus_detailed.log"
    Tag="zeek_detailed"
    Facility="local7"
    Severity="info"
    RuleSet="send_zeek_logs"
)

但是，在启动rsyslog时，我会得到以下错误：

nov. 22 13:00:53 zeek rsyslogd[1442]: imfile: on startup file '/opt/zeek/logs/current/weird.log' does not exist but is configured in static file monitor - this may indicate a misconfiguration. If the file appears at a later time, it will automatically be processed. Reason: Permission denied [v8.2001.0]>
nov. 22 13:00:53 zeek rsyslogd[1442]: imfile: on startup file '/opt/zeek/logs/current/modbus_detailed.log' does not exist but is configured in static file monitor - this may indicate a misconfiguration. If the file appears at a later time, it will automatically be processed. Reason: Permission denied [v8.2001.0]>
nov. 22 13:00:53 zeek rsyslogd[1442]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="1442" x-info="https://www.rsyslog.com"] start

我试着给/opt/zeek/log目录提供读取权限，我还暂时禁用了设备，但没有工作。

我还少了什么？

谢谢你的帮助。

Answer 1

可能用户syslog缺乏对目录的读取权限，您可以用以下方法来测试它：

sudo -u syslog ls /opt/zeek/logs/current

当然，权限失败可能是因为目录位于树的较高位置。粗野的例子，如何找到哪里：

TESTDIR=/opt/zeek/logs/current
while [[ ${#TESTDIR} -gt 1 ]]; do
    sudo -u syslog ls "$TESTDIR" >/dev/null 2>&1 && \
    echo "syslog can read contents of $TESTDIR" || \
    echo "syslog cannot read contents of $TESTDIR"
    TESTDIR=$(dirname "$TESTDIR")
done