[netflow-tools] CentOS Logsocket Issues

Nick Cappelletti nick at switchtower.org
Sun Apr 14 08:37:29 EST 2013

By default, selinux is turned off in the server kicks I have, but I did give it a try. I was also wrong about Debian, I /was/ having issues, but it was failing first on the PID file location. I think I was hopeful because the error was different. ;) 

I'll keep looking, but is there a chance the problems could be related to a kernel change? The 0.9.1 release hasn't been updated in some time, and even though it is a great tool, could there be issues with something new in the OS's?

--Nick Cappelletti 

----- Original Message -----

From: "Craig Weinhold" <craig.weinhold at cdw.com> 
To: "Nick Cappelletti" <nick at switchtower.org> 
Cc: netflow-tools at mindrot.org 
Sent: Saturday, April 13, 2013 6:00:11 PM 
Subject: Re: [netflow-tools] CentOS Logsocket Issues 

Not sure if this is what you're seeing, but I've had a bear of a time with selinux, the invisible security layer which is enabled by default in CentOS.

For example, if you configure /etc/syslog.conf with "$AddUnixListenSocket /var/empty/dev/log" and then launch rsyslogd by hand, it creates the unix socket fine and then you can have it process flowd's log messages. But if you launch rsyslogd from the /etc/init.d/rsyslog script, it can't create the unix socket and doesn't log any error message at all. That's selinux at work in the background.

You can quickly disable selinux to see if that's the cause of your woes: 

echo 0 >/selinux/enforce 

If that is the problem, then you _should_ spend time to figure out how to make your stuff work with selinux. It's a headache. Use "ls -Z" to see what security characteristics each file has, and then use "chcon" to change the file type. For example, to fix the /etc/init.d/rsyslog script, I did this: 

chcon -t etc_t /etc/init.d/rsyslog 


On Sat, 13 Apr 2013, Nick Cappelletti wrote: 

> Hey everyone, 
> I hope someone can help me out here. I'm attempting to configure flowd to send the created flows to a socket on a CentOS 6.4 server, but I'm not having any success. 
> I'm using version 0.9.1 and I've tested it on a Debian server, so I know the logsocket functionality works. 
> Is there perhaps a package I need to install to get the logsocket functionality to work? 
> Here is my configuration: 
> #### 
> pidfile "/var/run/flowd.pid" 
> logsock "/var/log/flowdata.socket" 
> logfile "/var/flowdata" 
> listen on 
> listen on [::]:9995 
> store ALL 
> accept all 
> #### 
> Here is the output from when I run flowd in debug mode: 
> #### 
> read_config: entering 
> child_get_config: entering 
> drop_privs: dropping privs without chroot 
> send_config: entering fd = 4 
> send_config: done 
> child_get_config: child config done 
> recv_config: entering fd = 3 
> recv_config: ready to receive config 
> Listener for []:9995 fd = 3 
> Adjusted socket receive buffer from 229376 to 524288 
> Setting socket send buf to 1024 
> Listener for [::]:9995 fd = 4 
> Adjusted socket receive buffer from 229376 to 524288 
> Setting socket send buf to 1024 
> privsep_init: entering 
> drop_privs: dropping privs with chroot 
> init_pfd: entering (num_fds = 0) 
> init_pfd: done (num_fds = 3) 
> client_open_log: entering 
> answer_open_log: entering 
> client_open_socket: entering 
> answer_open_socket: entering 
> connect to logsock: No such file or directory 
> receive_fd: recvmsg: expected received 1 got 0 
> ### 
> Thanks for any help! 
> --Nick Cappelletti 
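
A read-only triage for the `connect to logsock: No such file or directory` failure discussed in this thread, as an added example that is not part of the original messages or of flowd. The function names are hypothetical; the script only inspects the socket path and its SELinux labels (the `ls -Z` step mentioned above) and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread or from flowd): read-only triage for
# "connect to logsock: No such file or directory". Function names are
# hypothetical; nothing here changes SELinux state or file labels.

# Classify the logsock path: missing-dir, missing, not-socket or socket.
logsock_state() {
    p=$1
    if [ ! -d "$(dirname "$p")" ]; then echo missing-dir
    elif [ -S "$p" ]; then echo socket
    elif [ -e "$p" ]; then echo not-socket
    else echo missing
    fi
}

# Current SELinux mode, or "unavailable" where getenforce is not installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null || echo unavailable
    else
        echo unavailable
    fi
}

# Print findings for one path; returns 0 only when a socket is present.
triage() {
    state=$(logsock_state "$1")
    echo "logsock $1: $state (selinux: $(selinux_mode))"
    case $state in
        missing-dir) echo "parent directory does not exist" ;;
        missing)     echo "nothing has bound a socket here yet" ;;
        not-socket)  echo "path exists but is not a unix socket" ;;
    esac
    # Show labels so a wrong type is visible before reaching for chcon.
    dir=$(dirname "$1")
    if [ -d "$dir" ]; then ls -Zd "$dir" 2>/dev/null || ls -ld "$dir"; fi
    if [ -e "$1" ]; then ls -Z "$1" 2>/dev/null || ls -l "$1"; fi
    [ "$state" = socket ]
}
```

Call it as `triage /var/log/flowdata.socket` (the path from the quoted configuration), as the user that starts flowd.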
