So I am trying to monitor the logs of a VM running CentOS 7. Specifically, the one giving problems is /var/log/messages. I have changed the group ownership of the file, both in logrotate.conf (made the pertaining change there) and manually on the already created file. Below you can see its permissions:

[matias@Centos_7_VM ~]$ sudo ls -lh /var/log/messages
-rw-rwx---+ 1 root zabbix 889K jul 25 10:53 /var/log/messages
[matias@Centos_7_VM ~]$ getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: zabbix
user::rw-
user:zabbix:rwx
group::---
mask::rwx
other::---

But even with all of those changes, the Zabbix agent is getting permission denied when reading that log. Is there something else blocking that process from reading the file?

Agent log

993:20180725:062459.211 Starting Zabbix Agent [Centos_7_VM]. Zabbix 3.2.11 (revision 76339).
   993:20180725:062459.256 **** Enabled features ****
   993:20180725:062459.257 IPv6 support:          YES
   993:20180725:062459.257 TLS support:           YES
   993:20180725:062459.257 **************************
   993:20180725:062459.257 using configuration file: /etc/zabbix/zabbix_agentd.conf
   993:20180725:062459.303 agent #0 started [main process]
   999:20180725:062459.359 agent #1 started [collector]
  1003:20180725:062459.396 agent #2 started [listener #1]
  1004:20180725:062459.406 agent #3 started [listener #2]
  1005:20180725:062459.413 agent #4 started [listener #3]
  1007:20180725:062459.472 agent #5 started [active checks #1]
  1007:20180725:105103.700 active check "log[/var/log/messages,(?i)error]" is not supported: Cannot open file "/var/log/messages": [13] Permission denied
Matias Barrios

2 Answers

It's called SELinux.

Unfortunately the SELinux policy for the Zabbix agent is not well developed (yet) and almost anything you might want to monitor is going to be denied. I personally set the Zabbix agent type to permissive to work around this. This lets the Zabbix agent essentially bypass SELinux while it still applies to everything else on the system.

semanage permissive -a zabbix_agent_t
Michael Hampton

If you prefer not to disable SELinux in any way:

You could check if it's SELinux by running audit2allow -a and checking if there is any output which includes Zabbix. Also, you could simply set permissive mode temporarily to verify the blockage:

  1. sudo setenforce 0
  2. Check if the Zabbix agent can do its thing
  3. sudo setenforce 1

If it really is SELinux denying the agent, try the following:

Create a policy to allow whatever is denying Zabbix (as root or sudo):

grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix

This will pipe any Zabbix denials into audit2allow which creates a policy file and compiled binary in the directory that you are in. I usually do this in /root/selinux for cleanliness.

Then run semodule -i myzabbix.pp

This loads the policy into SELinux and it is permanent so no need to worry about reboots reversing policy.

gillytech
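
A way to review what the grep zabbix | audit2allow pipeline from the answer above would turn into allow rules before loading the module, as an added example that is not part of either answer. The audit records (timestamps, PIDs, inode numbers, the httpd_t denial) are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: review AVC denials before feeding them to audit2allow.

# Constructed audit.log lines (illustrative, not from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1532526663.700:512): avc:  denied  { read } for  pid=1007 comm="zabbix_agentd" name="messages" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1532526663.701:513): avc:  denied  { open } for  pid=1007 comm="zabbix_agentd" path="/var/log/messages" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1532526723.700:520): avc:  denied  { read } for  pid=1007 comm="zabbix_agentd" name="messages" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1532526800.000:530): avc:  denied  { write } for  pid=2210 comm="httpd" name="zabbix.conf.php" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1532526663.700:512): arch=c000003e syscall=2 success=no exit=-13 comm="zabbix_agentd" exe="/usr/sbin/zabbix_agentd"
EOF
}

# avc_fields: stdin = audit log; stdout = "source target class perms" per denial.
avc_fields() {
  awk '
    $1 == "type=AVC" && / denied / {
      perms = src = tgt = cls = ""
      if (match($0, /[{] [^}]* [}]/))          # permissions sit inside { ... }
        perms = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      print src, tgt, cls, perms
    }'
}

# summarize_avc DOMAIN: distinct denials whose source domain is DOMAIN, with counts.
summarize_avc() {
  avc_fields | awk -v dom="$1" '$1 == dom { n[$2 " " $3 " " $4]++ }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# foreign_avc PATTERN DOMAIN: denials a "grep PATTERN" would also select even
# though they come from a different source domain than DOMAIN.
foreign_avc() {
  grep -- "$1" | avc_fields | awk -v dom="$2" '$1 != dom' | LC_ALL=C sort -u
}

echo "Denials for zabbix_agent_t:";  sample_audit_log | summarize_avc zabbix_agent_t
echo "Also matched by 'grep zabbix':"; sample_audit_log | foreign_avc zabbix zabbix_agent_t
```

On a real host the same functions read /var/log/audit/audit.log on stdin; anything foreign_avc reports is a denial from another domain that a module built from the plain grep would also allow.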