Zabbix Agent unable to read /var/log/messages

Matias Barrios asked:

So I am trying to monitor the logs of a VM running Centos 7. Specifically the one giving problems is /var/log/messages. I have changed both the group ownership of the file ( made the pertaining change in logrotate.conf ) and manually on the already created file. Below you can see the permissions of it :

[[email protected]_7_VM ~]$ sudo ls -lh /var/log/messages
-rw-rwx---+ 1 root zabbix 889K jul 25 10:53 /var/log/messages
[[email protected]_7_VM ~]$ getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: zabbix
user::rw-
user:zabbix:rwx
group::---
mask::rwx
other::---

But even with all of those changes, the zabbix agent is getting permission denied to read that log. Is there something else blocking that process from reading the file?

Agent log

993:20180725:062459.211 Starting Zabbix Agent [Centos_7_VM]. Zabbix 3.2.11 (revision 76339).
   993:20180725:062459.256 **** Enabled features ****
   993:20180725:062459.257 IPv6 support:          YES
   993:20180725:062459.257 TLS support:           YES
   993:20180725:062459.257 **************************
   993:20180725:062459.257 using configuration file: /etc/zabbix/zabbix_agentd.conf
   993:20180725:062459.303 agent #0 started [main process]
   999:20180725:062459.359 agent #1 started [collector]
  1003:20180725:062459.396 agent #2 started [listener #1]
  1004:20180725:062459.406 agent #3 started [listener #2]
  1005:20180725:062459.413 agent #4 started [listener #3]
  1007:20180725:062459.472 agent #5 started [active checks #1]
  1007:20180725:105103.700 active check "log[/var/log/messages,(?i)error]" is not supported: Cannot open file "/var/log/messages": [13] Permission denied

My answer:


It’s called SELinux.

Unfortunately the SELinux policy for the Zabbix agent is not well developed (yet) and almost anything you might want to monitor is going to be denied. I personally set the Zabbix agent type to permissive to work around this. This lets the Zabbix agent essentially bypass SELinux while it still applies to everything else on the system.

semanage permissive -a zabbix_agent_t

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.