Update SELinux to allow for data collection in Splunk App for Infrastructure
You may encounter these issues when you try to deploy collectd on a system that's running SELinux:
- collectd's LogFile plug-in doesn't have permissions to write to its log.
- collectd can't establish a network connection and you see the "CURL failed with status 7" error.
If you're running SELinux and want to deploy collectd, follow one of the following two options to avoid these failures.
Option 1
Run the collectd process type in permissive mode:
semanage permissive -a collectd_t
SELinux no longer denies access to collectd, but you may still see the SELinux denial message.
Option 2
- Fix the blocked network connection for collectd:
setsebool -P collectd_tcp_network_connect 1
- Fix the permission denied for the LogFile plug-in. collectd's log is also available from syslog, and shouldn't require any changes to access from there.
  - Use /var/log/collectd.log in collectd.conf for the LogFile plug-in.
  - Create file mypolicy.te with content:
    module mypolicy 1.0;

    require {
        type var_log_t;
        type collectd_t;
        class dir { add_name read write };
        class file { create open write };
    }

    #============= collectd_t ==============
    allow collectd_t var_log_t:dir { add_name write };
    allow collectd_t var_log_t:file open;
    allow collectd_t var_log_t:file create;
  - Compile mypolicy.te:
    $ checkmodule -M -m -o mypolicy.mod mypolicy.te
    $ semodule_package -o mypolicy.pp -m mypolicy.mod
  - Apply the policy package mypolicy.pp to SELinux:
    $ semodule -i mypolicy.pp
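To decide between the two options, it helps to check whether the denials logged for collectd_t are only the ones Option 2 addresses. The following Python sketch is an added example, not part of the original documentation: the audit.log lines are constructed, and mapping name_connect denials to the collectd_tcp_network_connect boolean is an assumption about the installed policy.

```python
import re

# Constructed audit.log lines (not from a real host).
SAMPLE = """\
type=AVC msg=audit(1550000000.101:310): avc:  denied  { name_connect } for  pid=2101 comm="collectd" dest=8088 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1550000000.202:311): avc:  denied  { add_name write } for  pid=2101 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1550000000.303:312): avc:  denied  { create } for  pid=2101 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1550000000.404:313): avc:  denied  { read } for  pid=2101 comm="collectd" name="notes.txt" scontext=system_u:system_r:collectd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1550000000.505:314): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Allow rules from mypolicy.te: (target type, class) -> permissions granted.
MODULE_RULES = {
    ("var_log_t", "dir"): {"add_name", "write"},
    ("var_log_t", "file"): {"open", "create"},
}
BOOLEAN = "collectd_tcp_network_connect"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def classify(line):
    """Return (fix, uncovered_perms) for a collectd_t denial, None for any other line."""
    m = AVC_RE.search(line)
    if not m or selinux_type(m["scon"]) != "collectd_t":
        return None
    perms, tclass = set(m["perms"].split()), m["tclass"]
    if tclass == "tcp_socket" and perms == {"name_connect"}:
        return BOOLEAN, set()  # assumption: the boolean covers outbound TCP connects
    allowed = MODULE_RULES.get((selinux_type(m["tcon"]), tclass), set())
    uncovered = perms - allowed
    return ("mypolicy.pp" if perms & allowed else None), uncovered

def review(log_text):
    """Classify every collectd_t denial in the log, skipping other domains."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for fix, uncovered in review(SAMPLE):
        print(f"fix={fix} uncovered={sorted(uncovered)}")
```

A denial reported with fix=None or a non-empty uncovered set is outside what Option 2 grants and deserves review before it is silenced by running collectd_t in permissive mode.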
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only