Splunk® App for Infrastructure

Administer Splunk App for Infrastructure

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of InfraApp. Click here for the latest version.
Acrobat logo Download topic as PDF

Update SELinux to allow for data collection in Splunk App for Infrastructure

Admin permissions are required to perform these steps.

Systems with SELinux enabled can sometimes have the following known issues:

  • Permission denied when collectd’s logfile plugin tries to write the log.
  • Blocked network connection for collectd, leading to the error CURL failed with status 7.

If SELinux is enabled, update SELinux to allow for data collection. Use one of the two options in this section, using the command line, to prevent any failures.

Option 1

1. Run collectd domain in permissive mode to fix both CURL and logging issues.

semanage permissive -a collectd_t

Option 2

1. Fix the blocked network connection for collectd.

setsebool -P collectd_tcp_network_connect 1

2. Fix the permission denied for the logfile plugin.

collectd’s log is also available from syslog, and should not require any changes.

  • Use /var/log/collectd.log in collectd.conf for logfile plugin.
  • Create file mypolicy.te with content:
module mypolicy 1.0;

require {
type var_log_t;
type collectd_t;
class dir { add_name read write };
class file { create open write };
}

#============= collectd_t ==============

allow collectd_t var_log_t:dir { add_name write };
allow collectd_t var_log_t:file open;
allow collectd_t var_log_t:file create;
  • Compile mypolicy.te
$ checkmodule -M -m -o mypolicy.mod mypolicy.te
$ semodule_package -o mypolicy.pp -m mypolicy.mod
  • Apply policy package mypolicy.pp to SELinux:
$ semodule -i mypolicy.pp
Last modified on 04 January, 2019
PREVIOUS
Manually configure metrics collection for *nix on Splunk App for Infrastructure
  NEXT
Use custom metric indexes in Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure: 1.2.0, 1.2.1, 1.2.2, 1.2.3


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters