Home / server / Questions / 923464
Accepted
Matias Barrios
Asked: 2018-07-26 06:59:21 +0800 CST

Zabbix Agent unable to read /var/log/messages

  • 772

So I am trying to monitor the logs of a VM running Centos 7. Specifically the one giving problems is /var/log/messages. I have changed both the group ownership of the file ( made the pertaining change in logrotate.conf ) and manually on the already created file. Below you can see the permissions of it :

[matias@Centos_7_VM ~]$ sudo ls -lh /var/log/messages
-rw-rwx---+ 1 root zabbix 889K jul 25 10:53 /var/log/messages
[matias@Centos_7_VM ~]$ getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: zabbix
user::rw-
user:zabbix:rwx
group::---
mask::rwx
other::---

But even with all of those changes, the zabbix agent is getting permission denied to read that log. Is there something else blocking that process from reading the file?

Agent log

993:20180725:062459.211 Starting Zabbix Agent [Centos_7_VM]. Zabbix 3.2.11 (revision 76339).
   993:20180725:062459.256 **** Enabled features ****
   993:20180725:062459.257 IPv6 support:          YES
   993:20180725:062459.257 TLS support:           YES
   993:20180725:062459.257 **************************
   993:20180725:062459.257 using configuration file: /etc/zabbix/zabbix_agentd.conf
   993:20180725:062459.303 agent #0 started [main process]
   999:20180725:062459.359 agent #1 started [collector]
  1003:20180725:062459.396 agent #2 started [listener #1]
  1004:20180725:062459.406 agent #3 started [listener #2]
  1005:20180725:062459.413 agent #4 started [listener #3]
  1007:20180725:062459.472 agent #5 started [active checks #1]
  1007:20180725:105103.700 active check "log[/var/log/messages,(?i)error]" is not supported: Cannot open file "/var/log/messages": [13] Permission denied
permissions

2 Answers

  1. Best Answer

    It's called SELinux.

    Unfortunately the SELinux policy for the Zabbix agent is not well developed (yet) and almost anything you might want to monitor is going to be denied. I personally set the Zabbix agent type to permissive to work around this. This lets the Zabbix agent essentially bypass SELinux while it still applies to everything else on the system.

    semanage permissive -a zabbix_agent_t
    • 2

  2. If you prefer not to disable SELinux in any way:

    You could check if it's SELinux by running audit2allow -a and check if there is any output which includes Zabbix. Also you could simply set permissive mode temporarily to verify the blockage:

    1. sudo setenforce 0
    2. Check if zabbix agent can do its thing
    3. sudo setenforce 1

    If it really is SELinux denying the agent, try the following:

    Create a policy to allow whatever is denying Zabbix (as root or sudo):

    grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix

    This will pipe any Zabbix denials into audit2allow which creates a policy file and compiled binary in the directory that you are in. I usually do this in /root/selinux for cleanliness.

    Then run semodule -i myzabbix.pp

    This loads the policy into SELinux and it is permanent so no need to worry about reboots reversing policy.

    • 0