rsyslog is denied for file read/write on /var/log/scsplog/ids_syslog.pipe file

Article ID: 159084

Products

Critical System Protection

Issue/Introduction

On Unix systems, an event with "File Write Denied for rsyslog on /var/log/scsplog/ids_syslog.pipe file" is generated when the agent is upgraded to version 5.2.9 MP2 or above.
 

File Write Denied for rsyslog on /var/log/scsplog/ids_syslog.pipe file

Cause

The file location for ids_syslog.pipe has been changed in SCSP version 5.2.9 MP2 from /opt/Symantec/scspagent/IDS/system/ids_syslog.pipe to /var/log/scsplog/ids_syslog.pipe.

 
The following entry is added to the /etc/rsyslog.conf file after installing agent version 5.2.9 MP2 or above.
 
# The following is required for Symantec Host IDS - Do not edit or remove 
*.info;mail.err;mark.none |/var/log/scsplog/ids_syslog.pipe 

 

Resolution

Whenever an agent is updated to version 5.2.9 MP2 or above, it is recommended to update the policy pack to the same version as well. This update applies the default process set (syslogd_ps), which allows rsyslog to write to the ids_syslog.pipe file located at /var/log/scsplog/ids_syslog.pipe.
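
Added example (not part of the vendor article or product): a shell check that reports which of the two pipe paths named under Cause the active rsyslog entries write to, and whether the new path exists as a named pipe. The function names are hypothetical, and the optional second argument exists only so the check can be run against a test path.

```shell
#!/bin/sh
# Added example, not vendor code. The two pipe paths are the ones the article names.
OLD_PIPE=/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe
NEW_PIPE=/var/log/scsplog/ids_syslog.pipe

# classify_conf CONF: print new, old, both or none, depending on which pipe
# path the active (uncommented) "selector |path" actions in CONF write to.
classify_conf() {
    awk -v new="$NEW_PIPE" -v old="$OLD_PIPE" '
        NF >= 2 && $1 !~ /^#/ {
            for (i = 2; i <= NF; i++) {
                if ($i == ("|" new)) has_new = 1
                if ($i == ("|" old)) has_old = 1
            }
        }
        END {
            if (has_new && has_old) print "both"
            else if (has_new)       print "new"
            else if (has_old)       print "old"
            else                    print "none"
        }' "$1"
}

# check_scsp_pipe CONF [PIPE]: return 0 only when CONF targets the new
# location and PIPE (default: NEW_PIPE) exists as a named pipe.
check_scsp_pipe() {
    state=$(classify_conf "$1")
    pipe=${2:-$NEW_PIPE}
    case $state in
        new)
            if [ -p "$pipe" ]; then
                echo "ok: rsyslog entry uses $NEW_PIPE and the pipe exists"
                return 0
            fi
            echo "rsyslog entry uses $NEW_PIPE but $pipe is not a named pipe"
            return 1 ;;
        old)  echo "rsyslog entry still uses $OLD_PIPE"; return 1 ;;
        both) echo "rsyslog writes to both the old and new pipe paths"; return 1 ;;
        *)    echo "no ids_syslog.pipe entry found in $1"; return 1 ;;
    esac
}
```

Source the file and run `check_scsp_pipe /etc/rsyslog.conf` on the agent host after an upgrade.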