Rsyslog Not Connecting to Splunk on Non-Standard Port

I was pulling my hair out the other day trying to figure out why some server logs weren’t shipping to our Splunk server. netstat -antp | grep 3514 yielded nothing, so this server was not even connecting to Splunk. I ran a tcpdump and it captured no packets. I scratched my head for a little while after I disabled iptables and the results were the same. It took me a little more time to realize that SELinux was the culprit, so I needed to add a context for the non-standard syslog port I was using (3514 in this case).

First, I installed policycoreutils-python to get the semanage tool.

yum -y install policycoreutils-python

Next, I added the context to allow port 3514 and restarted rsyslog.

semanage port -a -t syslogd_port_t -p tcp 3514
sudo service rsyslog restart

Once I verified it worked on one server, I added this bit to my rsyslog Puppet class.

        # semanage lives in policycoreutils-python on RHEL/CentOS 6 and 7
        package { 'policycoreutils-python': ensure => 'installed', }

        # Label the non-standard port so SELinux lets rsyslog use it.
        # The unless check is a loose match: any listed port containing "3514"
        # (under any type or protocol) will satisfy it.
        exec { 'semanage_syslog':
                command => 'semanage port -a -t syslogd_port_t -p tcp 3514',
                unless  => "semanage port --list | /bin/grep '3514'",
                path    => ['/usr/bin', '/sbin', '/bin', '/usr/sbin'],
                require => Package['policycoreutils-python'],
                notify  => Service['rsyslog'],
        }
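
The grep in that unless clause matches any port number containing 3514 (13514, or 3514 under a different type or protocol), so the semanage command can be skipped when it should run. Here is a stricter idempotence check as an added example (my own shell, not code from the original post): it parses a semanage port -l listing, honours port ranges, and only runs semanage port -a when the port/protocol really is not labeled; the listing in SAMPLE is constructed, not captured from a real host.

```shell
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
vnc_port_t                     tcp      5900-5999'

# port_has_type LISTING TYPE PROTO PORT
# Exit 0 if PORT/PROTO is already labeled TYPE in LISTING, 1 otherwise.
port_has_type() {
    printf '%s\n' "$1" | awk -v type="$2" -v proto="$3" -v port="$4" '
        $1 == type && $2 == proto {
            # Fields 3..NF are a comma-separated list of ports and lo-hi ranges.
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == "") continue
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# ensure_port_label TYPE PROTO PORT: label the port only when it is not
# already labeled, so the call is safe to repeat (e.g. from a Puppet exec).
# Caveat: if the port is already bound to a *different* type, semanage port -a
# fails and semanage port -m is needed instead; this helper does not do that.
ensure_port_label() {
    listing=$(semanage port -l) || return 1
    if port_has_type "$listing" "$1" "$2" "$3"; then
        echo "$3/$2 already labeled $1"
    else
        semanage port -a -t "$1" -p "$2" "$3"
    fi
}
```

On the rsyslog host, `ensure_port_label syslogd_port_t tcp 3514` replaces the command/unless pair in the Puppet exec.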
