Unable to get directadmin logs into syslogd

[roop]

Hi,

New VPS built running CloudLinux Server release 6.6 (based on CentOS 6 i believe), running default rsyslogd v5.8.10 which is working for everything except DA logs.

I did the following:

To enable this, add:
use_syslogd=1
to your directadmin.conf file.

as per http://www.directadmin.com/features.php?id=517, restarted directadmin + rsyslogd (and subsequently the entire VPS) but nothing has appeared in syslog. All of the directadmin logging in /var/log/directadmin/ has stopped since I edited the config file above, so I suspect DA has taken the command.


I do have csf installed, and RESTRICT_SYSLOG = "3" + RESTRICT_SYSLOG_GROUP = "mysyslog" set as recommended, but I manually added the 'directadmin' user to mysyslog group (using vi /etc/group) and that hasn't helped, and I've also tried disabling csf (csf -x) and that hasn't worked, so while I haven't ruled out CSF 100%, I'm not sure if it's causing the issue.


Can anyone please provide any advice how to fix or troubleshoot further, as I'm out of ideas at this point. One specific question I have is 'does DA support for syslogd specifically mean it will only work on the traditional syslogd, or should it work on rsyslogd as well?'


Let me know if you need any more info/details, and thanks for your help!

Rupert

 

[SeLLeRoNe]

Have you tryed to start directadmin in debug mode to try understand why isnt writing logs?

Regards

 

[roop]

Have you tryed to start directadmin in debug mode to try understand why isnt writing logs?

Hi Andrea,

Sorry I missed your reply but thanks for the suggestion. I've just tried running DA in Debug mode and creating / deleting an admin user (which I assume should be logged in DA logs) and although I can see the output (below), nothing appears to be log/syslog/network related.

actual host domain name has been replaced with myhostdomain.tld for security. admintest was the account I created/deleted.

/CMD_ADMIN_SHOW
 0: Accept-Encoding: gzip, deflate
 1: Accept-Language: en-US,en;q=0.5
 2: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 3: Connection: keep-alive
 4: Cookie: session=DlCg8RqNwMSPlgZne9IpuBEpfnAr5adIJnwSFln97FZqu8dYGtM83YxiM5XPdAgx
 5: Host: c-sbh-da1.mywebhostdomain.tld:2222
 6: Referer: https://c-sbh-da1.mywebhostdomain.tld:2222/
 7: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Checking referer https://c-sbh-da1.mywebhostdomain.tld:2222/ to c-sbh-da1.mywebhostdomain.tld:2222
Referer check passed: c-sbh-da1.mywebhostdomain.tld=c-sbh-da1.mywebhostdomain.tld 2222/=2222
Command::doCommand(/CMD_ADMIN_SHOW)
Command::doCommand(/CMD_ADMIN_SHOW) : finished
Command::run: finished /CMD_ADMIN_SHOW
Sockets::handshake - begin
Sockets::handshake - end
/CMD_SELECT_USERS
GET string: select1=admintest&reason=none&delete=Delete&location=CMD_ADMIN_SHOW
 0: Accept-Encoding: gzip, deflate
 1: Accept-Language: en-US,en;q=0.5
 2: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 3: Connection: keep-alive
 4: Cookie: session=DlCg8RqNwMSPlgZne9IpuBEpfnAr5adIJnwSFln97FZqu8dYGtM83YxiM5XPdAgx
 5: Host: c-sbh-da1.mywebhostdomain.tld:2222
 6: Referer: https://c-sbh-da1.mywebhostdomain.tld:2222/CMD_ADMIN_SHOW
 7: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Checking referer https://c-sbh-da1.mywebhostdomain.tld:2222/CMD_ADMIN_SHOW to c-sbh-da1.mywebhostdomain.tld:2222
Referer check passed: c-sbh-da1.mywebhostdomain.tld=c-sbh-da1.mywebhostdomain.tld 2222/CMD_ADMIN_=2222
Command::doCommand(/CMD_SELECT_USERS)
Command::doCommand(/CMD_SELECT_USERS) : finished
Command::run: finished /CMD_SELECT_USERS
Sockets::handshake - begin
Sockets::handshake - end
/CMD_SELECT_USERS
GET string: select0=admintest&confirmed=Confirm&delete=yes
 0: Accept-Encoding: gzip, deflate
 1: Accept-Language: en-US,en;q=0.5
 2: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 3: Connection: keep-alive
 4: Cookie: session=DlCg8RqNwMSPlgZne9IpuBEpfnAr5adIJnwSFln97FZqu8dYGtM83YxiM5XPdAgx
 5: Host: c-sbh-da1.mywebhostdomain.tld:2222
 6: Referer: https://c-sbh-da1.mywebhostdomain.tld:2222/CMD_SELECT_USERS?select1=admintest&reason=none&delete=Delete&location=CMD_ADMIN_SHOW
 7: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Checking referer https://c-sbh-da1.mywebhostdomain.tld:2222/CMD_SELECT_USERS?select1=admintest&reason=none&delete=Delete&location=CMD_ADMIN_SHOW to c-sbh-da1.mywebhostdomain.tld:2222
Referer check passed: c-sbh-da1.mywebhostdomain.tld=c-sbh-da1.mywebhostdomain.tld 2222/CMD_SELECT=2222
Command::doCommand(/CMD_SELECT_USERS)
Tally::get_bandwidth_breakdown(ConfigFile &data, int cache=1, int year=0, int month=0): file=./data/users/admintest/bandwidth.tally.cache
no crontab for admintest
IP::removeFromIP(54.171.46.252, skip_if_owned=0)
Apache::get_cb_apache_ver == 2.4
IP::writeFile. Current list:
listType: 1
 0: 54.171.46.252
 1: 172.31.44.100
Dynamic(api=0, error=0):
        text='Users deleted'
        result='User admintest Removed<br>
<br>
Admin deleted<br>
Reseller's package directory removed.<br>
<br>
Reseller deleted<br>
User removed from SSH<br>
Users's domains directory removed.<br>
<br>
Unix User removed from the server<br>
User's config files deleted<br>
User's data directory removed.<br>
Removed user from admin's list<br>
<br>
<br>
'
Command::doCommand(/CMD_SELECT_USERS) : finished
Command::run: finished /CMD_SELECT_USERS
Tally::dumpShowAllUsersCache(Config *conf, ListFile *users=140736889292864 (1), add_created_users=0)
Tally::dumpShowAllUsersCache(Config *conf, ListFile *users=140736889292864 (1), add_created_users=0): DONE
dumpPhpSafeModeCache(Config *conf, ConfigFile *domains=0 (0), ListFile *update_users=-599064048 (1))
dumpPhpSafeModeCache(Config *conf, ConfigFile *domains=0 (0), ListFile *update_users=-599064048 (1)): DONE.

If there is anything else that anyone can suggest I'd be very grateful.

Many thanks,

Rupert

 

[zEitEr]

I do have csf installed, and RESTRICT_SYSLOG = "3" + RESTRICT_SYSLOG_GROUP = "mysyslog" set as recommended, but I manually added the 'directadmin' user to mysyslog group (using vi /etc/group) and that hasn't helped

Hello,

That should be user and group diradmin. I've tested on my end, that's CSF/LFD which prevents directadmin from writing into syslog file. I've got a line

*.*                                                     /var/log/all.log

in /etc/rsyslog.conf and

mysyslog:x:491:mailnull,named,mail,dovecot,daemon,ntp,smmsp,mysql,diradmin,nobody

and still Directadmin can't bypass restriction "RESTRICT_SYSLOG" of LFD.

Isn't directadmin writing logs as diradmin user? We probably need to debug unless John could clarify it.

 

[roop]

Hi Alex,

That should be user and group diradmin.

Thanks for the spot that fixed it for me. CSF is now allowing 'diradmin' user and I'm getting directadmin entries in my /var/log/messages file and they're being sent to my remote syslog, even with csf set up with RESTRICT_SYSLOG = "3"

Jan  1 15:38:31 c-sbh-da1 directadmin[1045384]: 93.186.148.26 GET / HTTP/1.1 admin

I really appreciate your help! Happy New Year!

Cheers, Rupert