Currently I am working on a project to centralize all syslog entries into one server and have been running into issues due to the fact that I run SELinux and store the rsyslog.conf file in version control. By default you can tail /var/log/audit/audit.log to see what's going on, but the raw AVC messages are fairly cryptic and not easily understood. After some research I found an executable, sealert, which parses the audit log and converts the messages into a human-readable format. sealert is not installed by default on CentOS systems, so you have to do:

yum install setroubleshoot-server

After the install is completed, you can then analyze the audit log by issuing the following command:

sealert -a /var/log/audit/audit.log > /var/log/audit/audit_human_readable.log

It took a few seconds to analyze, but upon completion I was able to open the human readable version, and see entries like:

SELinux is preventing /sbin/rsyslogd from search access on the directory /home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rsyslogd should be allowed search access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

So I was able to create the audit policy to allow rsyslogd the access it needed to the config file in order to run properly.
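The grep | audit2allow step above turns every denial that mentions rsyslogd into allow rules. The following added example (not part of the original post) does the same grouping in Python over a constructed audit.log excerpt, so you can see exactly which source type, target type, object class and permissions a module would grant before running semodule -i; the rsyslog types, contexts, pids and inode numbers in the sample are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not from the original post).
# The SELinux types, pids and inodes are illustrative values.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1364481363.243:24287): avc:  denied  { search } for  pid=2631 comm="rsyslogd" name="home" dev=dm-0 ino=131 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd"
type=AVC msg=audit(1364481363.250:24288): avc:  denied  { read } for  pid=2631 comm="rsyslogd" name="rsyslog.conf" dev=dm-0 ino=4410 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1364481363.250:24289): avc:  denied  { read open } for  pid=2631 comm="rsyslogd" path="/home/admin/rsyslog.conf" dev=dm-0 ino=4410 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# An AVC denial carries the permission set in braces, then key=value fields.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; policy rules are written on the type.
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'target': fields.get('path') or fields.get('name', '?'),
    }


def summarize(log_text, comm=None):
    """Group denials (optionally only those from `comm`, like the grep above)
    into the allow rules a generated module would contain."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec['comm'] != comm):
            continue
        rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return {k: f"allow {k[0]} {k[1]}:{k[2]} {{ {' '.join(sorted(v))} }};"
            for k, v in rules.items()}


if __name__ == '__main__':
    for rule in summarize(SAMPLE_AUDIT_LOG, comm='rsyslogd').values():
        print(rule)
```

Reading the grouped rules shows that the catchall module would grant syslogd_t access to every home-directory type it was denied, not just the one config file; if that is broader than intended, narrowing the rules or relocating the file to a location with a label rsyslogd already may read is the smaller change.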