From nick at switchtower.org Sun Apr 14 05:25:12 2013
From: nick at switchtower.org (Nick Cappelletti)
Date: Sat, 13 Apr 2013 19:25:12 +0000 (UTC)
Subject: [netflow-tools] CentOS Logsocket Issues
In-Reply-To: <1400990877.32246.1365880734777.JavaMail.root@switchtower.org>
Message-ID: <182451418.32341.1365881112795.JavaMail.root@switchtower.org>

Hey everyone,

I hope someone can help me out here. I'm attempting to configure flowd to send the created flows to a socket on a CentOS 6.4 server, but I'm not having any success.

I'm using version 0.9.1 and I've tested it on a Debian server, so I know the logsocket functionality works.

Is there perhaps a package I need to install to get the logsocket functionality to work?

Here is my configuration:

####

pidfile "/var/run/flowd.pid"
logsock "/var/log/flowdata.socket"
logfile "/var/flowdata"
listen on 0.0.0.0:9995
listen on [::]:9995
store ALL
accept all

####

Here is the output from when I run flowd in debug mode:

####

read_config: entering
child_get_config: entering
drop_privs: dropping privs without chroot
send_config: entering fd = 4
send_config: done
child_get_config: child config done
recv_config: entering fd = 3
recv_config: ready to receive config
Listener for [0.0.0.0]:9995 fd = 3
Adjusted socket receive buffer from 229376 to 524288
Setting socket send buf to 1024
Listener for [::]:9995 fd = 4
Adjusted socket receive buffer from 229376 to 524288
Setting socket send buf to 1024
privsep_init: entering
drop_privs: dropping privs with chroot
init_pfd: entering (num_fds = 0)
init_pfd: done (num_fds = 3)
client_open_log: entering
answer_open_log: entering
client_open_socket: entering
answer_open_socket: entering
connect to logsock: No such file or directory
receive_fd: recvmsg: expected received 1 got 0

###

Thanks for any help!

--Nick Cappelletti
From craig.weinhold at cdw.com Sun Apr 14 08:00:11 2013
From: craig.weinhold at cdw.com (Craig Weinhold)
Date: Sat, 13 Apr 2013 17:00:11 -0500
Subject: [netflow-tools] CentOS Logsocket Issues
In-Reply-To: <182451418.32341.1365881112795.JavaMail.root@switchtower.org>
References: <182451418.32341.1365881112795.JavaMail.root@switchtower.org>
Message-ID:

Not sure if this is what you're seeing, but I've had a bear of a time with selinux, the invisible security layer which is enabled by default in CentOS.

For example, if you configure /etc/syslog.conf with "$AddUnixListenSocket /var/empty/dev/log" and then launch rsyslogd by hand, it creates the unix socket fine and then you can have it process flowd's log messages. But if you launch rsyslogd from the /etc/init.d/rsyslog script, it can't create the unix socket and doesn't log any error message at all. That's selinux at work in the background.

You can quickly disable selinux to see if that's the cause of your woes:

echo 0 >/selinux/enforce

If that is the problem, then you _should_ spend time to figure out how to make your stuff work with selinux. It's a headache. Use "ls -Z" to see what security characteristics each file has, and then use "chcon" to change the file type. For example, to fix the /etc/init.d/rsyslog script, I did this:

chcon -t etc_t /etc/init.d/rsyslog

-Craig

On Sat, 13 Apr 2013, Nick Cappelletti wrote:

> Hey everyone,
>
> I hope someone can help me out here. I'm attempting to configure flowd to send the created flows to a socket on a CentOS 6.4 server, but I'm not having any success.
>
> I'm using version 0.9.1 and I've tested it on a Debian server, so I know the logsocket functionality works.
>
> Is there perhaps a package I need to install to get the logsocket functionality to work?
>
> Here is my configuration:
>
> ####
>
> pidfile "/var/run/flowd.pid"
> logsock "/var/log/flowdata.socket"
> logfile "/var/flowdata"
> listen on 0.0.0.0:9995
> listen on [::]:9995
> store ALL
> accept all
>
> ####
>
> Here is the output from when I run flowd in debug mode:
>
> ####
>
> read_config: entering
> child_get_config: entering
> drop_privs: dropping privs without chroot
> send_config: entering fd = 4
> send_config: done
> child_get_config: child config done
> recv_config: entering fd = 3
> recv_config: ready to receive config
> Listener for [0.0.0.0]:9995 fd = 3
> Adjusted socket receive buffer from 229376 to 524288
> Setting socket send buf to 1024
> Listener for [::]:9995 fd = 4
> Adjusted socket receive buffer from 229376 to 524288
> Setting socket send buf to 1024
> privsep_init: entering
> drop_privs: dropping privs with chroot
> init_pfd: entering (num_fds = 0)
> init_pfd: done (num_fds = 3)
> client_open_log: entering
> answer_open_log: entering
> client_open_socket: entering
> answer_open_socket: entering
> connect to logsock: No such file or directory
> receive_fd: recvmsg: expected received 1 got 0
>
> ###
>
> Thanks for any help!
>
> --Nick Cappelletti
>

From nick at switchtower.org Sun Apr 14 08:37:29 2013
From: nick at switchtower.org (Nick Cappelletti)
Date: Sat, 13 Apr 2013 22:37:29 +0000 (UTC)
Subject: [netflow-tools] CentOS Logsocket Issues
In-Reply-To:
References: <182451418.32341.1365881112795.JavaMail.root@switchtower.org>
Message-ID: <516080781.32536.1365892649878.JavaMail.root@switchtower.org>

By default, selinux is turned off in the server kicks I have, but I did give it a try. I was also wrong about Debian, I /was/ having issues, but it was failing first on the PID file location. I think I was hopeful because the error was different. ;)

I'll keep looking, but is there a chance the problems could be related to a kernel change?
The 0.9.1 release hasn't been updated in some time, and even though it's a great tool, could there be issues with something new in the OS's?

--Nick Cappelletti

----- Original Message -----
From: "Craig Weinhold"
To: "Nick Cappelletti"
Cc: netflow-tools at mindrot.org
Sent: Saturday, April 13, 2013 6:00:11 PM
Subject: Re: [netflow-tools] CentOS Logsocket Issues

Not sure if this is what you're seeing, but I've had a bear of a time with selinux, the invisible security layer which is enabled by default in CentOS.

For example, if you configure /etc/syslog.conf with "$AddUnixListenSocket /var/empty/dev/log" and then launch rsyslogd by hand, it creates the unix socket fine and then you can have it process flowd's log messages. But if you launch rsyslogd from the /etc/init.d/rsyslog script, it can't create the unix socket and doesn't log any error message at all. That's selinux at work in the background.

You can quickly disable selinux to see if that's the cause of your woes:

echo 0 >/selinux/enforce

If that is the problem, then you _should_ spend time to figure out how to make your stuff work with selinux. It's a headache. Use "ls -Z" to see what security characteristics each file has, and then use "chcon" to change the file type. For example, to fix the /etc/init.d/rsyslog script, I did this:

chcon -t etc_t /etc/init.d/rsyslog

-Craig

On Sat, 13 Apr 2013, Nick Cappelletti wrote:

> Hey everyone,
>
> I hope someone can help me out here. I'm attempting to configure flowd to send the created flows to a socket on a CentOS 6.4 server, but I'm not having any success.
>
> I'm using version 0.9.1 and I've tested it on a Debian server, so I know the logsocket functionality works.
>
> Is there perhaps a package I need to install to get the logsocket functionality to work?
>
> Here is my configuration:
>
> ####
>
> pidfile "/var/run/flowd.pid"
> logsock "/var/log/flowdata.socket"
> logfile "/var/flowdata"
> listen on 0.0.0.0:9995
> listen on [::]:9995
> store ALL
> accept all
>
> ####
>
> Here is the output from when I run flowd in debug mode:
>
> ####
>
> read_config: entering
> child_get_config: entering
> drop_privs: dropping privs without chroot
> send_config: entering fd = 4
> send_config: done
> child_get_config: child config done
> recv_config: entering fd = 3
> recv_config: ready to receive config
> Listener for [0.0.0.0]:9995 fd = 3
> Adjusted socket receive buffer from 229376 to 524288
> Setting socket send buf to 1024
> Listener for [::]:9995 fd = 4
> Adjusted socket receive buffer from 229376 to 524288
> Setting socket send buf to 1024
> privsep_init: entering
> drop_privs: dropping privs with chroot
> init_pfd: entering (num_fds = 0)
> init_pfd: done (num_fds = 3)
> client_open_log: entering
> answer_open_log: entering
> client_open_socket: entering
> answer_open_socket: entering
> connect to logsock: No such file or directory
> receive_fd: recvmsg: expected received 1 got 0
>
> ###
>
> Thanks for any help!
>
> --Nick Cappelletti
>

From nick at switchtower.org Sun Apr 14 23:55:53 2013
From: nick at switchtower.org (Nick Cappelletti)
Date: Sun, 14 Apr 2013 09:55:53 -0400
Subject: [netflow-tools] CentOS Logsocket Issues
In-Reply-To:
References: <182451418.32341.1365881112795.JavaMail.root@switchtower.org>
Message-ID:

By default, selinux is turned off in the server kicks I have, but I did give it a try. I was also wrong about Debian, I /was/ having issues, but it was failing first on the pid file location. I think I was hopeful because the error was different. ;)

I'll keep looking, but is there a chance the problems could be related to a kernel change?
The 0.9.1 release hasn't been updated in some time, and even though it's a great tool, could there be issues with something new in the OS's?

--Nick Cappelletti

On Apr 13, 2013, at 6:00 PM, Craig Weinhold wrote:

> Not sure if this is what you're seeing, but I've had a bear of a time with selinux, the invisible security layer which is enabled by default in CentOS.
>
> For example, if you configure /etc/syslog.conf with "$AddUnixListenSocket /var/empty/dev/log" and then launch rsyslogd by hand, it creates the unix socket fine and then you can have it process flowd's log messages. But if you launch rsyslogd from the /etc/init.d/rsyslog script, it can't create the unix socket and doesn't log any error message at all. That's selinux at work in the background.
>
> You can quickly disable selinux to see if that's the cause of your woes:
>
> echo 0 >/selinux/enforce
>
> If that is the problem, then you _should_ spend time to figure out how to make your stuff work with selinux. It's a headache. Use "ls -Z" to see what security characteristics each file has, and then use "chcon" to change the file type. For example, to fix the /etc/init.d/rsyslog script, I did this:
>
> chcon -t etc_t /etc/init.d/rsyslog
>
> -Craig
>
> On Sat, 13 Apr 2013, Nick Cappelletti wrote:
>
>> Hey everyone,
>>
>> I hope someone can help me out here. I'm attempting to configure flowd to send the created flows to a socket on a CentOS 6.4 server, but I'm not having any success.
>>
>> I'm using version 0.9.1 and I've tested it on a Debian server, so I know the logsocket functionality works.
>>
>> Is there perhaps a package I need to install to get the logsocket functionality to work?
>>
>> Here is my configuration:
>>
>> ####
>>
>> pidfile "/var/run/flowd.pid"
>> logsock "/var/log/flowdata.socket"
>> logfile "/var/flowdata"
>> listen on 0.0.0.0:9995
>> listen on [::]:9995
>> store ALL
>> accept all
>>
>> ####
>>
>> Here is the output from when I run flowd in debug mode:
>>
>> ####
>>
>> read_config: entering
>> child_get_config: entering
>> drop_privs: dropping privs without chroot
>> send_config: entering fd = 4
>> send_config: done
>> child_get_config: child config done
>> recv_config: entering fd = 3
>> recv_config: ready to receive config
>> Listener for [0.0.0.0]:9995 fd = 3
>> Adjusted socket receive buffer from 229376 to 524288
>> Setting socket send buf to 1024
>> Listener for [::]:9995 fd = 4
>> Adjusted socket receive buffer from 229376 to 524288
>> Setting socket send buf to 1024
>> privsep_init: entering
>> drop_privs: dropping privs with chroot
>> init_pfd: entering (num_fds = 0)
>> init_pfd: done (num_fds = 3)
>> client_open_log: entering
>> answer_open_log: entering
>> client_open_socket: entering
>> answer_open_socket: entering
>> connect to logsock: No such file or directory
>> receive_fd: recvmsg: expected received 1 got 0
>>
>> ###
>>
>> Thanks for any help!
>>
>> --Nick Cappelletti
>>
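As an added example (not part of the thread, and not flowd's own code), a small POSIX shell helper that walks through the checks Craig's reply and Nick's debug output point at: what flowd's debug log says about the connect() to the logsock path, whether anything has created a socket at that path at all, which SELinux mode the box is in, and whether audit.log holds AVC denials for the daemon that is supposed to create the socket. The debug and audit lines it feeds itself are constructed samples, and the default audit-log path is an assumption.

```shell
#!/bin/sh
# Added helper for this thread's failure; not flowd's code. Samples are constructed.
# flowd's debug output reports a failed connect() as "connect to logsock: <strerror>";
# print that reason, or "none" if the log has no such line.
logsock_error() {
    sed -n 's/^.*connect to logsock: //p' "$1" | head -n 1 | grep . || echo none
}
# 0 = socket present, 2 = nothing at the path, 3 = exists but is not a socket.
# flowd only connect()s here; rsyslogd ($AddUnixListenSocket) or similar must create it.
check_logsock() {
    [ -e "$1" ] || return 2
    [ -S "$1" ] || return 3
}
# "1" enforcing / "0" permissive from the CentOS 6 /selinux pseudo-fs,
# getenforce's word where that exists, else "unknown".
selinux_mode() {
    if [ -r /selinux/enforce ]; then cat /selinux/enforce
    elif command -v getenforce >/dev/null 2>&1; then getenforce
    else echo unknown; fi
}
# AVC denials for a process name in an audit log: a non-zero count is the trace of
# the silent failure Craig describes, and the fix is a label change (ls -Z, chcon).
count_avc_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c "avc:  denied .*comm=\"$2\"" "$1" || true
}

# Constructed samples: the connect line from Nick's debug output and one AVC record
# in audit.log's shape (pid, name and ids are made up).
SAMPLE_DIR="${TMPDIR:-/tmp}/flowd-diag.$$"
mkdir -p "$SAMPLE_DIR"
printf '%s\n' 'answer_open_socket: entering' \
    'connect to logsock: No such file or directory' > "$SAMPLE_DIR/flowd.debug"
printf '%s\n' 'type=AVC msg=audit(1365881112.795:1): avc:  denied  { create } for  pid=1234 comm="rsyslogd" name="log" tclass=sock_file' > "$SAMPLE_DIR/audit.log"

# Usage: diagnose LOGSOCK_PATH [FLOWD_DEBUG_LOG] [AUDIT_LOG]   (audit path is an assumed default)
diagnose() {
    sock="$1"; dbg="${2:-$SAMPLE_DIR/flowd.debug}"; audit="${3:-/var/log/audit/audit.log}"
    echo "flowd reported: $(logsock_error "$dbg")"
    rc=0; check_logsock "$sock" || rc=$?
    case $rc in
        0) echo "$sock is a socket; inspect its label with: ls -Z $sock" ;;
        2) echo "$sock does not exist: nothing has created it yet" ;;
        3) echo "$sock exists but is not a socket" ;;
    esac
    echo "SELinux mode: $(selinux_mode); AVC denials for rsyslogd: $(count_avc_denials "$audit" rsyslogd)"
}
if [ $# -gt 0 ]; then diagnose "$@"; fi
```

Run it as `sh flowd-diag.sh /var/log/flowdata.socket /path/to/flowd-debug.log` on the CentOS box; with Nick's configuration the expected verdict is that the socket path simply does not exist, which is what flowd's ENOENT says before SELinux even comes into play.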