Matias Barrios asked:
So I am trying to monitor the logs of a VM running Centos 7. Specifically the one giving problems is /var/log/messages. I have changed both the group ownership of the file ( made the pertaining change in logrotate.conf ) and manually on the already created file. Below you can see the permissions of it :
[[email protected]_7_VM ~]$ sudo ls -lh /var/log/messages -rw-rwx---+ 1 root zabbix 889K jul 25 10:53 /var/log/messages [[email protected]_7_VM ~]$ getfacl /var/log/messages getfacl: Removing leading '/' from absolute path names # file: var/log/messages # owner: root # group: zabbix user::rw- user:zabbix:rwx group::--- mask::rwx other::---
But even with all of those changes, the zabbix agent is getting permission denied to read that log. Is there something else blocking that process from reading the file?
993:20180725:062459.211 Starting Zabbix Agent [Centos_7_VM]. Zabbix 3.2.11 (revision 76339). 993:20180725:062459.256 **** Enabled features **** 993:20180725:062459.257 IPv6 support: YES 993:20180725:062459.257 TLS support: YES 993:20180725:062459.257 ************************** 993:20180725:062459.257 using configuration file: /etc/zabbix/zabbix_agentd.conf 993:20180725:062459.303 agent #0 started [main process] 999:20180725:062459.359 agent #1 started [collector] 1003:20180725:062459.396 agent #2 started [listener #1] 1004:20180725:062459.406 agent #3 started [listener #2] 1005:20180725:062459.413 agent #4 started [listener #3] 1007:20180725:062459.472 agent #5 started [active checks #1] 1007:20180725:105103.700 active check "log[/var/log/messages,(?i)error]" is not supported: Cannot open file "/var/log/messages":  Permission denied
It’s called SELinux.
Unfortunately the SELinux policy for the Zabbix agent is not well developed (yet) and almost anything you might want to monitor is going to be denied. I personally set the Zabbix agent type to permissive to work around this. This lets the Zabbix agent essentially bypass SELinux while it still applies to everything else on the system.
semanage permissive -a zabbix_agent_t
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.