Splunk® App for Infrastructure

Administer Splunk App for Infrastructure

Update SELinux to allow for data collection in Splunk App for Infrastructure

You may encounter these issues when you try to deploy collectd on a system that's running SELinux:

  • collectd's LogFile plug-in doesn't have permissions to write to its log.
  • collectd can't establish a network connection and you see the "CURL failed with status 7" error.

If you're running SELinux and want to deploy collectd, use one of the following two options to avoid these failures.

Option 1

Run the collectd process type in permissive mode:

semanage permissive -a collectd_t

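SELinux no longer denies access to collectd, but you may still see SELinux denial messages, because a permissive domain logs denials without enforcing them. This turns off enforcement for everything the collectd_t domain does, whereas Option 2 grants only the specific access collectd needs.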

Option 2

  1. Fix the blocked network connection for collectd:
    setsebool -P collectd_tcp_network_connect 1
    
  2. Fix the permission denial for the LogFile plug-in. collectd's log is also available from syslog, and reading it from there shouldn't require any changes. In collectd.conf, set the LogFile plug-in to use /var/log/collectd.log.
  3. Create the file mypolicy.te with the following content:
    module mypolicy 1.0;
    
    require {
    type var_log_t;
    type collectd_t;
    class dir { add_name read write };
    class file { create open write };
    }
    
    #============= collectd_t ==============
    
    allow collectd_t var_log_t:dir { add_name write };
    allow collectd_t var_log_t:file open;
    allow collectd_t var_log_t:file create;
    
  4. Compile mypolicy.te:
    $ checkmodule -M -m -o mypolicy.mod mypolicy.te
    $ semodule_package -o mypolicy.pp -m mypolicy.mod
    
  5. Apply the policy package mypolicy.pp to SELinux:
    $ semodule -i mypolicy.pp
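
To confirm that the denials in your audit log are the ones this topic addresses before you change policy, the following added example (not part of the Splunk documentation) classifies collectd_t AVC records by the option that covers them. The sample records, function names, and output labels are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample audit records (not from a real host); pid, port, and
# target types other than var_log_t are made-up values.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1585555555.101:410): avc:  denied  { name_connect } for  pid=2101 comm="collectd" dest=8088 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1585555555.102:411): avc:  denied  { add_name } for  pid=2101 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1585555555.103:412): avc:  denied  { create } for  pid=2101 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1585555555.104:413): avc:  denied  { read } for  pid=2101 comm="collectd" name="notes.txt" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585555555.105:414): avc:  denied  { write } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
EOF
}

# Reads AVC records on stdin; prints fix|state|class|permissions|target_type
# for each denial whose source domain is collectd_t.
#   fix:   boolean     = covered by collectd_tcp_network_connect
#          mypolicy    = covered by the allow rules in mypolicy.te
#          not-covered = neither fix on this page grants it; investigate
#   state: blocked (permissive=0) or logged-only (permissive=1, as in Option 1)
classify_avc() {
  awk '
    function field(key,   i, kv) {       # value of a key=value token
      for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == key) return kv[2] }
      return ""
    }
    function all_in(perms, allowed,   n, i, p) {   # every denied perm is allowed
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) if (index(" " allowed " ", " " p[i] " ") == 0) return 0
      return n > 0
    }
    /avc:[ ]+denied/ && /scontext=[^ ]*:collectd_t:/ {
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      split(field("tcontext"), ctx, ":"); ttype = ctx[3]
      tclass = field("tclass")
      state = (field("permissive") == "1") ? "logged-only" : "blocked"
      fix = "not-covered"
      if (tclass == "tcp_socket" && perms == "name_connect") fix = "boolean"
      else if (ttype == "var_log_t" && tclass == "dir" && all_in(perms, "add_name write")) fix = "mypolicy"
      else if (ttype == "var_log_t" && tclass == "file" && all_in(perms, "open create")) fix = "mypolicy"
      print fix "|" state "|" tclass "|" perms "|" ttype
    }
  '
}

sample_avc | classify_avc
```

On a real host, feed the function AVC lines from the audit log instead of the sample, and treat any not-covered line as something to investigate rather than allow.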
    
Last modified on 30 March, 2020

This documentation applies to the following versions of Splunk® App for Infrastructure: 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3