Zabbix Trigger for SELinux (type=AVC) Errors

Posted by Kevin Soviero on Server Fault See other posts from Server Fault or by Kevin Soviero
Published on 2013-04-20T20:30:20Z Indexed on 2013/11/09 4:01 UTC
Read the original article Hit count: 478

Filed under:

centos

|

selinux

|

zabbix

I would like to create a trigger in Zabbix to alert me anytime a type=AVC error appears in a CentOS 6 server's /var/log/audit/audit.log file.

I've already tried creating a basic log scrape. E.g.:

log[/var/log/audit/audit.log,type=AVC,"UTF-8",100]

However, it does not work. I believe this is due to the /var/log/audit/audit.log and it's parent folder using the following permissions:

drwxr-x---.  2 root root    4096 Apr 20 04:29 .
drwxr-xr-x. 13 root root    4096 Apr 14 12:07 ..
-rw-------.  1 root root 5948185 Apr 20 15:27 audit.log
-r--------.  1 root root 6291566 Apr 20 04:29 audit.log.1
-r--------.  1 root root 6291704 Apr 19 16:56 audit.log.2
-r--------.  1 root root 6291499 Apr 19 05:22 audit.log.3
-r--------.  1 root root 6291552 Apr 18 17:48 audit.log.4

I would prefer not to change the permissions for security reasons.

Has anyone done log monitoring of /var/log/audit/audit.log using Zabbix? And if so, how?

© Server Fault or respective owner

Related posts about centos

Problems with repositories on CentOS 3.9

as seen on Super User - Search for 'Super User'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
Problems with repositories on CentOS 3.9

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
centos yum problems

as seen on Server Fault - Search for 'Server Fault'
I am really new to using linux and have just formatted my centos 5.2 vps and am trying to install links by using the command yum install links. But the following error gets displayed: [root@inverses ~]# yum install links Loading "fastestmirror" plugin Loading mirror speeds from cached hostfile *… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More

Related posts about selinux

AD GIT SELinux RHEL 6 : Can not get SELinux to allow connetion to git

as seen on Server Fault - Search for 'Server Fault'
I have a problem with SELinux! I have installed git on Red Hat Enterprise 6 with AD group control and SSL Cert . Everything works fine if I do setenforce 0 ( set SELinux in detection only mode ) or if I do semanage permissive -a httpd_t (Set httpd_t in detection only mode) I do not want to use… >>> More
How do I enable SELinux when booting a ramdisk from a CD/DVD?

as seen on Server Fault - Search for 'Server Fault'
I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all kernel modules to my ramdisk, and have tried various combinations of selinux=1 and selinux 1 with enforcing 1 and enforcing 0. as Kernel boot parameters. All files contained… >>> More
How do I enable SELinux when booting from a CD/DVD?

as seen on Server Fault - Search for 'Server Fault'
I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all the kernel modules to my ramdisk, and have tried both selinux=1 and selinux 1 as Kernel boot parameters. After the system boots, I check dmesg: % dmesg | grep -i selinux Kernel… >>> More
How does SELinux affect the /home directory?

as seen on Server Fault - Search for 'Server Fault'
Hi everyone. I'm migrating a CentOS 5.3 system from MySQL to PostgreSQL. The way our machine is set up is that the biggest disk partition is mounted to /home. This is out of my control and is managed by the hosting provider. Anyway, we obviously want the database files to be on /home for this… >>> More
Question regarding the SELinux type enforcement file

as seen on Server Fault - Search for 'Server Fault'
In my SElinux te file, I define two new types called voice_t and data_t which certain directories will be classified in the fc file (/data/ will be of type data_t and /voice/ will be of type voice_t). I would like the one SELinux policy to be used for all servers in my network, but, some servers… >>> More